add XMRing rules for KIC

Yara-Rules · Jan 10, 2025 · e00fd36 · e00fd36
1 parent 0f93570
commit e00fd36
Showing 1 changed file with 95 additions and 0 deletions.
diff --git a/malware/MALW_KICXMRig.yar b/malware/MALW_KICXMRig.yar
@@ -0,0 +1,95 @@
+rule u42_crime_win_kongtrojan
+{
+    meta:
+        author = "Kong"
+        date = "2025-01-09"
+        description = "Detects the trojanized Kong manager binary."
+        hash = "e164e6e21c661679c556d16638300c25e16d86bb2d567ad66b4181f1a65f4788"
+
+    strings:
+        $golang = "golang.org"
+        $v1 = "Kong does not care about security"
+        $v2 = "KongIngress"
+        $v3 = "f0VMR"  // start of b64 XMrig
+
+    condition:
+        $golang and (all of ($v*))
+}
+
+rule u42_win_hacktool_XMRig_Miner: XMRig windows_memory
+{
+  meta:
+    author = "Kong"
+    date = "2024-08-23"
+    description = "XMRig Miner"
+    hash = "56ff46874f0536c289ff38af4cb308af8f7e6156e3f9d9227b71004d2042a4e6"
+
+  strings:
+    $s01 = "XMRig"
+        $s02 = "nicehash.com"
+    $s03 = "tls-fingerprint"
+        $s04 = "stratum+tcp://"
+    $s05 = "stratum+ssl://"
+        $s06 = "cryptonight" fullword
+    $s07 = "cryptonightv7" fullword
+        $s08 = "cryptonightheavy" fullword
+    $s09 = "cryptonightv8" fullword
+        $s10 = ".minergate.com"
+    $s11 = "xmr.pool" fullword
+        $s12 = "aeon.pool"
+    $s13 = "worker-id"
+        $s14 = "no active pools, stop mining"
+    $s15 = "CryptonightR"
+    $s16 = "<UV_THREADPOOL_SIZE"
+    $s17 = "src/threadpool.c"
+        $s18 = "* COMMANDS:     'h' hashrate, 'p' pause, 'r' resume" fullword ascii
+    $s19 = "paused, press 'r' to resume"
+        $s20 = "Ctrl+C received, exiting"
+    $s21 = "Usage: xmrig [OPTIONS]"
+        $s22 = "rig-id"
+    $s23 = "\"%s\" was changed, reloading configuration"
+        $s24 = "Unknown/unsupported algorithm detected, reconnect"
+    $s25 = "speed 10s/60s/15m"
+
+    $cmd01 = "specify the algorithm to use"
+        $cmd02 = "URL of mining server"
+    $cmd03 = "username:password pair for mining server"
+        $cmd04 = "username for mining server"
+    $cmd05 = "password for mining server"
+        $cmd06 = "rig identifier for pool-side statistics (needs pool support)"
+    $cmd07 = "number of miner threads"
+        $cmd08 = "set process affinity to CPU core(s), mask 0x3 for cores 0 and 1"
+    $cmd09 = "set process priority (0 idle, 2 normal to 5 highest)"
+        $cmd10 = "algorithm PoW variant"
+    $cmd11 = "donate level, default 5%% (5 minutes in 100 minutes)"
+        $cmd12 = "set custom user-agent string for pool"
+    $cmd13 = "print hashrate report every N seconds"
+        $cmd14 = "port for the miner API"
+
+    $fmt01 = "%-13s%s/%s %s"
+        $fmt02 = "%-13slibuv/%s %s"
+    $fmt03 = "%-13s%s (%d) %sx64 %sAES %sAVX2"
+        $fmt04 = "%-13s%.1f MB/%.1f MB"
+    $fmt05 = "%-13s%d, %s, av=%d, %sdonate=%d%%%s"
+        $fmt06 = "%-13sauto:%s"
+    $fmt07 = "POOL #%-7zu%s%s variant=%s %s"
+        $fmt08 = "{\"id\":%lld,\"jsonrpc\":\"2.0\",\"method\":\"keepalived\",\"params\":{\"id\":\"%s\"}}"
+    $fmt09 = "[%s] duplicate job received, reconnect"
+        $fmt10 = "%s| THREAD | AFFINITY | 10s H/s | 60s H/s | 15m H/s |"
+    $fmt11 = "READY (CPU) threads %zu(%zu) huge pages %zu/%zu %1.0f%% memory %zu KB"
+        $fmt12 = "use pool %s:%d %s %s"
+    $fmt13 = "rejected (%lld/%lld) diff %u \"%s\" (%llu ms)"
+        $fmt14 = "accepted (%lld/%lld) diff %u (%llu ms)"
+    $fmt15 = "* VERSIONS:     XMRig/%s libuv/%s%s" fullword ascii
+
+  condition:
+    (
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550)
+        or (uint32(0) == 0x464C457F)
+    )
+    and 5 of ($s*)
+        and (
+            5 of ($cmd*)
+        or 5 of ($fmt*)
+    )
+}