Update third-party rules as of 2026-01-05

tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.json

@@ -26,10 +26,10 @@
                     ],
                     "RiskScore": 4,
                     "RiskLevel": "CRITICAL",
-                    "RuleURL": "https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_gobfuscate.yar#L2-L18",
+                    "RuleURL": "https://github.com/Neo23x0/signature-base/blob/7c07dc26303ccf056c9ef623fada89458b331e7b/yara/gen_gobfuscate.yar#L2-L18",
                     "ReferenceURL": "https://github.com/unixpickle/gobfuscate",
                     "RuleAuthor": "James Quinn, Paul Hager (merged with new similar pattern)",
-                    "RuleLicenseURL": "https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/LICENSE",
+                    "RuleLicenseURL": "https://github.com/Neo23x0/signature-base/blob/7c07dc26303ccf056c9ef623fada89458b331e7b/LICENSE",
                     "ID": "3P/sig_base/susp_gobfuscate",
                     "RuleName": "SIGNATURE_BASE_SUSP_Gobfuscate_May21"
                 },

tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff

@@ -4,10 +4,10 @@
 
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |:--|:--|:--|:--|
-| -CRITICAL | [3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/a89e17a1c6580e917950e3ead768322d8466f020/yara_rules/downloader_mac_smooth_operator.yar#L1-L16) | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
-| -CRITICAL | [3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275) | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)<br>`$op1`<br>`$op2`<br>`$sa1`<br>`$sa2` |
-| -CRITICAL | [3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214) | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`<br>`$xc2`<br>`$xc3` |
-| -CRITICAL | [3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_xor_hunting.yar#L2-L25) | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | `$xo1` |
+| -CRITICAL | [3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/a92ecc9714a549f152ac9acae011dcc84dc526af/yara_rules/downloader_mac_smooth_operator.yar#L1-L16) | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| -CRITICAL | [3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/7c07dc26303ccf056c9ef623fada89458b331e7b/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275) | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)<br>`$op1`<br>`$op2`<br>`$sa1`<br>`$sa2` |
+| -CRITICAL | [3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/7c07dc26303ccf056c9ef623fada89458b331e7b/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214) | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`<br>`$xc2`<br>`$xc3` |
+| -CRITICAL | [3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/7c07dc26303ccf056c9ef623fada89458b331e7b/yara/gen_xor_hunting.yar#L2-L25) | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | `$xo1` |
 | -CRITICAL | [3P/volexity/iconic](https://github.com/volexity/threat-intel/blob/92353b1ccc638f5ed0e7db43a26cb40fad7f03df/2023/2023-03-30%203CX/indicators/rules.yar#L32-L50) | [Detects the MACOS version of the ICONIC loader.](https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/), by [email protected] | `$str1`<br>`$str2`<br>`$str3` |
 | -CRITICAL | [anti-static/xor/user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-user_agent.yara#xor_mozilla) | XOR'ed user agent, often found in backdoors, by Florian Roth | [xor_mozilla::$Mozilla_5_0](https://github.com/search?q=xor_mozilla%3A%3A%24Mozilla_5_0&type=code) |
 | -CRITICAL | [impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#lazarus_darwin_nsurl) | executes programs, sets permissions, sleeps, makes HTTP requests | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code)<br>[gethostname](https://github.com/search?q=gethostname&type=code)<br>[localtime](https://github.com/search?q=localtime&type=code)<br>[sprintf](https://github.com/search?q=sprintf&type=code)<br>[strncpy](https://github.com/search?q=strncpy&type=code)<br>[pclose](https://github.com/search?q=pclose&type=code)<br>[chmod](https://github.com/search?q=chmod&type=code)<br>[flock](https://github.com/search?q=flock&type=code)<br>[popen](https://github.com/search?q=popen&type=code)<br>[sleep](https://github.com/search?q=sleep&type=code)<br>[rand](https://github.com/search?q=rand&type=code) |

tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff

@@ -4,10 +4,10 @@
 
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |:--|:--|:--|:--|
-| +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/a89e17a1c6580e917950e3ead768322d8466f020/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
-| +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)<br>`$op1`<br>`$op2`<br>`$sa1`<br>`$sa2` |
-| +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`<br>`$xc2`<br>`$xc3` |
-| +CRITICAL | **[3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_xor_hunting.yar#L2-L25)** | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | `$xo1` |
+| +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/a92ecc9714a549f152ac9acae011dcc84dc526af/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/7c07dc26303ccf056c9ef623fada89458b331e7b/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)<br>`$op1`<br>`$op2`<br>`$sa1`<br>`$sa2` |
+| +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/7c07dc26303ccf056c9ef623fada89458b331e7b/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`<br>`$xc2`<br>`$xc3` |
+| +CRITICAL | **[3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/7c07dc26303ccf056c9ef623fada89458b331e7b/yara/gen_xor_hunting.yar#L2-L25)** | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | `$xo1` |
 | +CRITICAL | **[3P/volexity/iconic](https://github.com/volexity/threat-intel/blob/92353b1ccc638f5ed0e7db43a26cb40fad7f03df/2023/2023-03-30%203CX/indicators/rules.yar#L32-L50)** | [Detects the MACOS version of the ICONIC loader.](https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/), by [email protected] | `$str1`<br>`$str2`<br>`$str3` |
 | +CRITICAL | **[anti-static/xor/user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-user_agent.yara#xor_mozilla)** | XOR'ed user agent, often found in backdoors, by Florian Roth | [xor_mozilla::$Mozilla_5_0](https://github.com/search?q=xor_mozilla%3A%3A%24Mozilla_5_0&type=code) |
 | +CRITICAL | **[impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#lazarus_darwin_nsurl)** | executes programs, sets permissions, sleeps, makes HTTP requests | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code)<br>[gethostname](https://github.com/search?q=gethostname&type=code)<br>[localtime](https://github.com/search?q=localtime&type=code)<br>[sprintf](https://github.com/search?q=sprintf&type=code)<br>[strncpy](https://github.com/search?q=strncpy&type=code)<br>[pclose](https://github.com/search?q=pclose&type=code)<br>[chmod](https://github.com/search?q=chmod&type=code)<br>[flock](https://github.com/search?q=flock&type=code)<br>[popen](https://github.com/search?q=popen&type=code)<br>[sleep](https://github.com/search?q=sleep&type=code)<br>[rand](https://github.com/search?q=rand&type=code) |

tests/macOS/2023.3CX/libffmpeg.dirty.mdiff

@@ -4,10 +4,10 @@
 
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |:--|:--|:--|:--|
-| +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/a89e17a1c6580e917950e3ead768322d8466f020/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
-| +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)<br>`$op1`<br>`$op2`<br>`$sa1`<br>`$sa2` |
-| +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`<br>`$xc2`<br>`$xc3` |
-| +CRITICAL | **[3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_xor_hunting.yar#L2-L25)** | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | `$xo1` |
+| +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/a92ecc9714a549f152ac9acae011dcc84dc526af/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/7c07dc26303ccf056c9ef623fada89458b331e7b/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)<br>`$op1`<br>`$op2`<br>`$sa1`<br>`$sa2` |
+| +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/7c07dc26303ccf056c9ef623fada89458b331e7b/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`<br>`$xc2`<br>`$xc3` |
+| +CRITICAL | **[3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/7c07dc26303ccf056c9ef623fada89458b331e7b/yara/gen_xor_hunting.yar#L2-L25)** | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | `$xo1` |
 | +CRITICAL | **[3P/volexity/iconic](https://github.com/volexity/threat-intel/blob/92353b1ccc638f5ed0e7db43a26cb40fad7f03df/2023/2023-03-30%203CX/indicators/rules.yar#L32-L50)** | [Detects the MACOS version of the ICONIC loader.](https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/), by [email protected] | `$str1`<br>`$str2`<br>`$str3` |
 | +CRITICAL | **[anti-static/xor/user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-user_agent.yara#xor_mozilla)** | XOR'ed user agent, often found in backdoors, by Florian Roth | [xor_mozilla::$Mozilla_5_0](https://github.com/search?q=xor_mozilla%3A%3A%24Mozilla_5_0&type=code) |
 | +CRITICAL | **[impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#lazarus_darwin_nsurl)** | executes programs, sets permissions, sleeps, makes HTTP requests | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code)<br>[gethostname](https://github.com/search?q=gethostname&type=code)<br>[localtime](https://github.com/search?q=localtime&type=code)<br>[sprintf](https://github.com/search?q=sprintf&type=code)<br>[strncpy](https://github.com/search?q=strncpy&type=code)<br>[pclose](https://github.com/search?q=pclose&type=code)<br>[chmod](https://github.com/search?q=chmod&type=code)<br>[flock](https://github.com/search?q=flock&type=code)<br>[popen](https://github.com/search?q=popen&type=code)<br>[sleep](https://github.com/search?q=sleep&type=code)<br>[rand](https://github.com/search?q=rand&type=code) |