Update third-party rules as of 2025-11-14 (#1213)

octo-sts[bot] · github-actions[bot] · web-flow · commit b4df3a73d66b · 2025-11-14T07:15:00.000-06:00
Co-authored-by: Update third-party rules &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
diff --git a/third_party/yara/JPCERT/RELEASE b/third_party/yara/JPCERT/RELEASE
@@ -1 +1 @@
-1b8b09eff1eaccd062993a31469158fdb5c34a06
+9315b430b0dbbb0db4da9196373ec8e26a538608
diff --git a/third_party/yara/JPCERT/contagiousinterview.yara b/third_party/yara/JPCERT/contagiousinterview.yara
@@ -0,0 +1,34 @@
+rule Lazarus_OtterCookie_downloader {
+   meta:
+      description = "OtterCookie downloader"
+      author = "JPCERT/CC Incident Response Group"
+      created_date = "2025-04-02"
+      updated_date = "2025-04-02"
+      hash = "62f796ddbbd7670d7a58ecfde9a5440e4e07ca7c7fa23e6a164746ef7c55fce2"
+      hash = "4ca9ff33010f1f48b3a59c603fc7491071414fb4c6101215aab8b4b88a6b5cbf"
+
+   strings:
+      $str1 = { 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 20 3d 20 20 7b 20 64 6f 6d 61 69 6e 2c 20 73 75 62 64 6f 6d 61 69 6e 2c 20 69 64 20 7d }
+      $str2 = "const domain =" ascii
+      $str3 = "const subdomain =" ascii
+
+   condition:
+      all of them
+}
+
+rule Lazarus_OtterCookie_js {
+   meta:
+      description = "OtterCookie downloader js"
+      author = "JPCERT/CC Incident Response Group"
+      created_date = "2025-04-02"
+      updated_date = "2025-04-02"
+      hash = "71d2fd0c71b44331e08f11a254e7acc2cec3067dbd8f4848d5ef11e5a59ea253"
+
+   strings:
+      $str1 = "const GET_RPCNODE_URL = `${domain}/${subdomain}/${id}`;" ascii
+      $str2 = "axios.get(GET_RPCNODE_URL)" ascii
+      $str3 = "catch(err=>eval(err.response.data));" ascii
+
+   condition:
+      all of them
+}
diff --git a/third_party/yara/JPCERT/getrdoor.yara b/third_party/yara/JPCERT/getrdoor.yara
@@ -0,0 +1,19 @@
+rule malware_GETRdoor {
+    meta:
+        description = "ELF backdoor targeting FortiGate"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "9da731d152c57e90cc95bc58aa55c0873005a747fda0d45529e964bdbc9dc18c"
+        created_date = "2025-11-14"
+        updated_date = "2025-11-14"
+
+    strings:
+        $s1 = "do_upload: file open failed" ascii
+        $s2 = "/bin/snifferd" ascii
+        $s3 = "tcp[(tcp[12]>>2):%d] = 0x%s" ascii
+        $s4 = {00 34 37 34 35 35 34 35 32 00} // 47455452
+        $s5 = "diagnose debug crashlog clear" ascii
+        $s6 = {00 0A 30 78 30 30 30 30 00} // \n0x0000
+
+    condition:
+        3 of them
+}
diff --git a/third_party/yara/JPCERT/pangolin8rat.yara b/third_party/yara/JPCERT/pangolin8rat.yara
@@ -1,7 +1,7 @@
 
 rule malware_Pangolin8RAT {
     meta:
-        description = "Hunt GobLoaderScript"
+        description = "Hunt Pangolin8RAT"
         author = "JPCERT/CC Incident Response Group"
         hash = "F95441B1CD6399887E99DBE6AA0CEB0CA907E8175192E71F8F1A4CCA49E8FC82"
 
diff --git a/third_party/yara/JPCERT/stonemite.yara b/third_party/yara/JPCERT/stonemite.yara
@@ -0,0 +1,16 @@
+rule malware_STONEMITE {
+    meta:
+        description = "STONEMITE RAT"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "da1b52f8f3d2f99abf17790a2eb932f7db3c70bb71af89a5eff2e59540c9f78c"
+        created_date = "2025-11-14"
+        updated_date = "2025-11-14"
+
+    strings:
+        $s1 = {3D 27 07 00 00 75 ?? 6A 00 6A 00 68 28 07 00 00 FF 75 ?? E8}
+        $s2 = "POST /%s HTTP/1.1" ascii
+        $s3 = "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36" ascii
+
+    condition:
+        all of them
+}
diff --git a/third_party/yara/JPCERT/veletrix.yara b/third_party/yara/JPCERT/veletrix.yara
@@ -0,0 +1,43 @@
+rule malware_VeletrixLoader {
+    meta:
+        description = "Veletrix Loader"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "253ff072d71caeb02ed596fd6aa266e625f51a09d49d82726a11b66218bdd6c3"
+        created_date = "2025-10-16"
+        updated_date = "2025-10-16"
+
+    strings:
+        $logfile = {
+            C7 45 ?? 6C 6F 67 5F
+            48 8D 4D ??
+            C7 45 ?? 64 65 2E 00
+            C7 85 ?? ?? ?? ?? 6C 6F 67 00
+        }
+
+        $xor_decode = {
+            41 8D 0C 30
+            45 03 C6
+            80 34 39 99
+            44 3B C0
+        }
+
+    condition:
+        all of them
+}
+
+rule malware_VeletrixLoader_python {
+    meta:
+        description = "Veletrix Loader"
+        author = "JPCERT/CC Incident Response Group"
+        hash = "96fe34f367423a1ca75e0e0b293ef4918ca30f5efcb36c9b67dec746493f3b37"
+        created_date = "2025-10-16"
+        updated_date = "2025-10-16"
+
+    strings:
+        $msg = "执行Shellcode（生产环境需极度谨慎！）" ascii
+        $func = "def run_shellcode(shellcode)" ascii
+        $shell = "\\x64\\x65\\x2e\\x00\\xc7" ascii
+
+    condition:
+        2 of them
+}
diff --git a/third_party/yara/bartblaze/RELEASE b/third_party/yara/bartblaze/RELEASE
@@ -1 +1 @@
-5f691e0d7d423a58d2217d5c08fa2f1c00b75a93
+a88bd98592ea6dd57da61bbcb8de76eb8cbf33b6
diff --git a/third_party/yara/bartblaze/generic/LNK_Ruleset.yar b/third_party/yara/bartblaze/generic/LNK_Ruleset.yar
@@ -8,7 +8,7 @@ private rule isLNK
         version = "1.0"
         creation_date = "2020-01-01"
         first_imported = "2021-12-30"
-        last_modified = "2021-12-30"
+        last_modified = "2025-11-14"
         status = "RELEASED"
         sharing = "TLP:WHITE"
         source = "BARTBLAZE"
@@ -54,7 +54,7 @@ rule PS_in_LNK
         $ = "bypass" ascii wide nocase
 
     condition:
-        isLNK and any of them
+        isLNK and 2 of them
 }
 
 rule Script_in_LNK

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-1b8b09eff1eaccd062993a31469158fdb5c34a06`
	`1`	`+9315b430b0dbbb0db4da9196373ec8e26a538608`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-5f691e0d7d423a58d2217d5c08fa2f1c00b75a93`
	`1`	`+a88bd98592ea6dd57da61bbcb8de76eb8cbf33b6`