| 1 | +import "pe" |
| 2 | +import "hash" |
| 3 | + |
| 4 | +rule MAL_CRIME_RAT_WIN_PE_GodRat_Aug23: GodRAT { |
| 5 | + meta: |
| 6 | + description = "Detects GodRAT malware targeting Windows systems" |
| 7 | + author = "Arda Buyukkaya" |
| 8 | + date = "2025-08-23" |
| 9 | + family = "GodRAT" |
| 10 | + reference = "https://securelist.com/godrat/117119/" |
| 11 | + tags = "RAT, Windows, GodRAT, Gh0st RAT, GETGOD" |
| 12 | + victims = "Financial services" |
| 13 | + sha256 = "154e800ed1719dbdcb188c00d5822444717c2a89017f2d12b8511eeeda0c2f41" |
| 14 | + |
| 15 | + strings: |
| 16 | + // WinRT version string |
| 17 | + $winrt_txt = "C++/WinRT version" ascii wide nocase |
| 18 | + |
| 19 | + // API function names blob |
| 20 | + $api_blob = { |
| 21 | + 4E 74 43 72 65 61 74 65 53 65 63 74 69 6F 6E 00 // NtCreateSection |
| 22 | + 4E 74 4D 61 70 56 69 65 77 4F 66 53 65 63 74 69 6F 6E 00 00 // NtMapViewOfSection |
| 23 | + 4E 74 55 6E 6D 61 70 56 69 65 77 4F 66 53 65 63 74 69 6F 6E 00 00 00 00 // NtUnmapViewOfSection |
| 24 | + } |
| 25 | + |
| 26 | + // Generic XOR decryption routine pattern using SSE instructions |
| 27 | + // Common characteristics across variants: |
| 28 | + // - Uses SSE instructions (MOVUPS/MOVQ) for efficient XOR operations |
| 29 | + // - Processes ~1900 bytes (0x770/0x76C) of encrypted data |
| 30 | + // - Unrolled loop processing multiple bytes per iteration |
| 31 | +
|
| 32 | + |
| 33 | + // Load operations - reading XOR key/data into XMM registers |
| 34 | + $ld_movups = { 0F 10 05 ?? ?? ?? ?? } // movups xmm0, xmmword ptr [address] |
| 35 | + $ld_movq = { F3 0F 7E 05 ?? ?? ?? ?? } // movq xmm0, qword ptr [address] |
| 36 | + |
| 37 | + // Store operations - writing XORed data back to memory |
| 38 | + $st_movups = { 0F 11 85 ?? ?? ?? ?? } // movups xmmword ptr [ebp+offset], xmm0 |
| 39 | + $st_movq = { 66 0F D6 85 ?? ?? ?? ?? } // movq qword ptr [ebp+offset], xmm0 |
| 40 | + |
| 41 | + // String length calculation loop (strlen implementation) |
| 42 | + $scan_loop = { 8A 01 41 84 C0 75 F9 } // mov al, [ecx]; inc ecx; test al, al; jnz loop |
| 43 | + |
| 44 | + // Buffer size checks for ~1900 byte decryption |
| 45 | + $cmp_len_770 = { 81 FF 70 07 00 00 0F 82 ?? ?? ?? ?? } // cmp edi, 0x770 (1904); jb offset |
| 46 | + $cmp_len_76C = { 81 FF 6C 07 00 00 0F 82 ?? ?? ?? ?? } // cmp edi, 0x76C (1900); jb offset |
| 47 | + |
| 48 | + condition: |
| 49 | + pe.is_pe and |
| 50 | + filesize <= 10MB and |
| 51 | + ( |
| 52 | + // Condition 1: WinRT string with specific PE imphash |
| 53 | + ( |
| 54 | + $winrt_txt and |
| 55 | + ( |
| 56 | + pe.imphash() == "0f4b0270c84616ce594b6a84c47a7717" |
| 57 | + ) |
| 58 | + ) |
| 59 | + or |
| 60 | + // Condition 2: Generic XOR decryption pattern (SSE-optimized, ~1900 bytes) |
| 61 | + ( |
| 62 | + // Must have SSE load instruction (reading data/key) |
| 63 | + ($ld_movups or $ld_movq) and |
| 64 | + // Must have multiple SSE store instructions (writing XORed data) |
| 65 | + ( |
| 66 | + (#st_movups >= 2) or |
| 67 | + (#st_movq >= 2) or |
| 68 | + (#st_movups >= 1 and #st_movq >= 1) |
| 69 | + ) and |
| 70 | + // Must have strlen loop (for key length calculation) |
| 71 | + $scan_loop and |
| 72 | + // Must have NT API names blob (common in this malware family) |
| 73 | + $api_blob and |
| 74 | + // Must check for ~1900 byte buffer size (0x770 or 0x76C) |
| 75 | + ($cmp_len_770 or $cmp_len_76C) |
| 76 | + ) |
| 77 | + or |
| 78 | + // Condition 3: Specific import hash for AES Encrypted version |
| 79 | + // sha256: 48d0d162bd408f32f8909d08b8e60a21b49db02380a13d366802d22d4250c4e7 |
| 80 | + pe.imphash() == "ee5ea868d8233000216e7b29bc8cb4e2" |
| 81 | + ) |
| 82 | +} |
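Review bot: `import "hash"` on the second line is never used — the condition only calls `pe.imphash()`, so the module is loaded for nothing; either drop the line or, if a section/file hash check was intended, add the `hash.sha256(...)` comparison the meta `sha256` value suggests. Condition 3 matches on `pe.imphash() == "ee5ea868d8233000216e7b29bc8cb4e2"` alone, and imphash is a toolchain-level fingerprint that unrelated binaries built from the same import table can share, so it is worth pairing with one content string, e.g. `(pe.imphash() == "ee5ea868d8233000216e7b29bc8cb4e2" and $api_blob)`, or at least documenting in the comment why the hash alone is considered specific enough. Condition 1 has the same shape but is already anchored by `$winrt_txt`. The trailing `sha256` in the Condition 3 comment would be clearer as a labelled `sample:` line in `meta` alongside the first hash, so both reference samples are machine-readable.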