Add React2Shell configuration and YARA rules for threat detection

Author: codeyourweb

examples/React2Shell/react2shell.yaml

@@ -0,0 +1,59 @@
+# Reference: https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182?hl=en
+input:
+    path: []
+    content:
+        grep: 
+          - "reactcdn.windowserrorapis.com"
+          - "82.163.22.139"
+          - "216.158.232.43"
+          - "45.76.155.14"
+        yara:
+          - "./react2shell_compoond.yar"
+          - "./react2shell_minocat.yar"
+          - "./react2shell_snowlight.yar"
+        checksum:
+          - "776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273"
+          - "7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a"
+          - "13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274"
+          - "0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696"
+          - "92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3"
+          - "df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540"
+options:
+    contentMatchDependsOnPathMatch: true
+    findInHardDrives: true
+    findInRemovableDrives: true
+    findInNetworkDrives: true
+    findInCDRomDrives: true
+output:
+    copyMatchingFiles: false
+    base64Files: false
+    filesCopyPath: ''
+advancedparameters:
+    yaraRC4Key: ''
+    maxScanFilesize: 2048         
+    cleanMemoryIfFileGreaterThanSize: 512
+eventforwarding:
+  enabled: false
+  buffer_size: 5
+  flush_time_seconds: 10
+  file:
+    enabled: false
+    directory_path: "./event_logs"
+    rotate_minutes: 1
+    max_file_size_mb: 1
+    retain_files: 5
+  http:
+    enabled: false
+    url: "https://your-forwarder-url.com/api/events"
+    ssl_verify: false
+    timeout_seconds: 10
+    headers:
+      Authorization: "Bearer YOUR_API_KEY"
+      MY-CUSTOM-HEADER: "My-Header-Value"
+    retry_count: 3
+  filters:
+    event_types:
+      - "error"
+      - "warning"
+      - "alert" 
+      - "info"

examples/React2Shell/react2shell_compoond.yar

@@ -0,0 +1,22 @@
+rule G_Backdoor_COMPOOD_1 {
+	meta:
+		author = "Google Threat Intelligence Group (GTIG)"
+		date_modified = "2025-12-11"
+		rev = "1"
+		md5 = "d3e7b234cf76286c425d987818da3304"
+	strings:
+		$strings_1 = "ShellLinux.Shell"
+		$strings_2 = "ShellLinux.Exec_shell"
+		$strings_3 = "ProcessLinux.sendBody"
+		$strings_4 = "ProcessLinux.ProcessTask"
+		$strings_5 = "socket5Quick.StopProxy"
+		$strings_6 = "httpAndTcp"
+		$strings_7 = "clean.readFile"
+		$strings_8 = "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size"
+		$strings_9 = "/proc/self/auxv"
+		$strings_10 = "/dev/urandom"
+		$strings_11 = "client finished"
+		$strings_12 = "github.com/creack/pty.Start"
+	condition:
+		uint32(0) == 0x464C457f and 8 of ($strings_*)
+}

examples/React2Shell/react2shell_minocat.yar

@@ -0,0 +1,20 @@
+rule G_APT_Tunneler_MINOCAT_1 {
+	meta:
+		author = "Google Threat Intelligence Group (GTIG)"
+		date_modified = "2025-12-10"
+		rev = "1"
+		md5 = "533585eb6a8a4aad2ad09bbf272eb45b"
+	strings:
+		$magic = { 7F 45 4C 46 }
+		$decrypt_func = { 48 85 F6 0F 94 C1 48 85 D2 0F 94 C0 08 C1 0F 85 }
+		$xor_func = { 4D 85 C0 53 49 89 D2 74 57 41 8B 18 48 85 FF 74 }
+		$frp_str1 = "libxf-2.9.644/main.c"
+		$frp_str2 = "xfrp login response: run_id: [%s], version: [%s]"
+		$frp_str3 = "cannot found run ID, it should inited when login!"
+		$frp_str4 = "new work connection request run_id marshal failed!"
+		$telnet_str1 = "Starting telnetd on port %d\n"
+		$telnet_str2 = "No login shell found at %s\n"
+		$key = "bigeelaminoacow"
+	condition:
+		$magic at 0 and (1 of ($decrypt_func, $xor_func)) and (2 of ($frp_str*)) and (1 of ($telnet_str*)) and $key
+}

examples/React2Shell/react2shell_snowlight.yar

@@ -0,0 +1,18 @@
+rule G_Hunting_Downloader_SNOWLIGHT_1 {
+	meta:
+		author = "Google Threat Intelligence Group (GTIG)"
+		date_created = "2025-03-25"
+		date_modified = "2025-03-25"
+		md5 = "3a7b89429f768fdd799ca40052205dd4"
+		rev = 1
+	strings:
+		$str1 = "rm -rf $v"
+		$str2 = "&t=tcp&a="
+		$str3 = "&stage=true"
+		$str4 = "export PATH=$PATH:$(pwd)"
+		$str5 = "curl"
+		$str6 = "wget"
+		$str7 = "python -c 'import urllib"
+	condition:
+		all of them and filesize < 5KB
+}