import "pe"

rule Weaponized_glib2_0_dll
{
    meta:
        description = "Identify potentially malicious versions of glib-2.0.dll"
        author = "James Haughom @ SentinelOne"
        date = "2022-04-22"
        reference = "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/"

        /*
        Background
        ----------
        'VMwareXferlogs.exe', the VMware command-line tool for moving data
        to and from VMX logs, can be abused for DLL side-loading. The weaponized
        glib-2.0.dll copies seen in the referenced report implement only
        'g_path_get_basename()'; every other export is a stub that just calls
        'ExitProcess()'. That shows up in the export table as one shared
        address for all exports except 'g_path_get_basename()', together with
        an export count far below what a genuine glib-2.0.dll carries (the
        author reports well over 1k exports for legitimate builds).

        Export table of the sample described in the report:

        [Exports]
        nth paddr vaddr bind type size lib name
        ―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
        1 0x000014d0 0x1800020d0 GLOBAL FUNC 0 glib-2.0.dll g_error_free
        2 0x000014d0 0x1800020d0 GLOBAL FUNC 0 glib-2.0.dll g_free
        3 0x000014d0 0x1800020d0 GLOBAL FUNC 0 glib-2.0.dll g_option_context_add_main_entries
        4 0x000014d0 0x1800020d0 GLOBAL FUNC 0 glib-2.0.dll g_option_context_free
        5 0x000014d0 0x1800020d0 GLOBAL FUNC 0 glib-2.0.dll g_option_context_get_help
        6 0x000014d0 0x1800020d0 GLOBAL FUNC 0 glib-2.0.dll g_option_context_new
        7 0x000014d0 0x1800020d0 GLOBAL FUNC 0 glib-2.0.dll g_option_context_parse
        8 0x00001820 0x180002420 GLOBAL FUNC 0 glib-2.0.dll g_path_get_basename
        9 0x000014d0 0x1800020d0 GLOBAL FUNC 0 glib-2.0.dll g_print
        10 0x000014d0 0x1800020d0 GLOBAL FUNC 0 glib-2.0.dll g_printerr
        11 0x000014d0 0x1800020d0 GLOBAL FUNC 0 glib-2.0.dll g_set_prgname

        Detection logic
        ---------------
        Match an unsigned DLL that exports every glib symbol VMwareXferlogs.exe
        resolves, where all of those exports share one file offset except
        'g_path_get_basename()', and the total export count is tiny.

        Requirements: pe.export_details / pe.exports_index need YARA 4.2 or
        newer. pe.number_of_signatures is only populated by a YARA build with
        Authenticode (OpenSSL) support; on other builds the comparison is
        undefined and the rule cannot match — confirm for the scanning host.
        */

    condition:
        // Gate: the file is a DLL and carries no Authenticode signature.
        // A signed copy of a weaponized DLL is deliberately out of scope here.
        (pe.characteristics & pe.DLL) and
        pe.number_of_signatures == 0 and

        // Every glib-2.0.dll export that VMwareXferlogs.exe imports must be present.
        // These presence checks stay ahead of the exports_index() lookups below,
        // which are undefined for a name that is not exported.
        pe.exports("g_error_free") and
        pe.exports("g_free") and
        pe.exports("g_option_context_add_main_entries") and
        pe.exports("g_option_context_free") and
        pe.exports("g_option_context_get_help") and
        pe.exports("g_option_context_new") and
        pe.exports("g_option_context_parse") and
        pe.exports("g_path_get_basename") and
        pe.exports("g_print") and
        pe.exports("g_printerr") and
        pe.exports("g_set_prgname") and

        // The stub exports all resolve to the same file offset; g_free is the anchor
        // every other export is compared against.
        (
            pe.export_details[pe.exports_index("g_error_free")].offset == pe.export_details[pe.exports_index("g_free")].offset and
            pe.export_details[pe.exports_index("g_option_context_add_main_entries")].offset == pe.export_details[pe.exports_index("g_free")].offset and
            pe.export_details[pe.exports_index("g_option_context_free")].offset == pe.export_details[pe.exports_index("g_free")].offset and
            pe.export_details[pe.exports_index("g_option_context_get_help")].offset == pe.export_details[pe.exports_index("g_free")].offset and
            pe.export_details[pe.exports_index("g_option_context_new")].offset == pe.export_details[pe.exports_index("g_free")].offset and
            pe.export_details[pe.exports_index("g_option_context_parse")].offset == pe.export_details[pe.exports_index("g_free")].offset and
            pe.export_details[pe.exports_index("g_print")].offset == pe.export_details[pe.exports_index("g_free")].offset and
            pe.export_details[pe.exports_index("g_printerr")].offset == pe.export_details[pe.exports_index("g_free")].offset and
            pe.export_details[pe.exports_index("g_set_prgname")].offset == pe.export_details[pe.exports_index("g_free")].offset
        ) and

        // The one genuinely implemented function lives at a different offset
        // from the shared stub.
        pe.export_details[pe.exports_index("g_path_get_basename")].offset != pe.export_details[pe.exports_index("g_free")].offset and

        // A real glib-2.0.dll exports far more symbols; the weaponized copies
        // carry only the handful the host binary needs. Note the offset checks
        // above cover only the named exports, so up to a few additional exports
        // with other offsets would still satisfy this rule.
        pe.number_of_exports < 15
}