Concrete signature match: Backdoor - Provides unauthorized remote access for 32-bit Windows platform, family Berbew
Backdoor:Win32/Berbew is a trojan that provides attackers with remote control over a compromised system. It establishes persistence through methods like scheduled tasks and startup folders, and utilizes hooking techniques to intercept system functions, likely for stealing credentials or other sensitive data.
Relevant strings associated with this threat:
- io\Programas\Inicio\ (PEHSTR_EXT)
- \WINME\M (PEHSTR_EXT)
- dLLl (SNID)
- /'\R. (SNID)
- WinExec (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Backdoor_Win32_Berbew_B_2147594707_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Win32/Berbew.gen!B"
        threat_id = "2147594707"
        type = "Backdoor"
        platform = "Win32: Windows 32-bit platform"
        family = "Berbew"
        severity = "Critical"
        info = "gen: malware that is detected using a generic signature"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "8"
        strings_accuracy = "High"
    strings:
        $x_2_1 = {70 64 33 32 00 00 00 00 42 6c 61 63 6b 64 00 00 42 6c 61 63 6b 69 63 65 00 00 00 00 43 66 69 61} //weight: 2, accuracy: High
        $x_2_2 = {57 66 69 6e 64 76 33 32 00 00 00 00 5a 6f 6e 65 61 6c 61 72 6d 00 00 00 6d 73 62 6c 61 73 74 00} //weight: 2, accuracy: High
        $x_2_3 = {69 6f 5c 50 72 6f 67 72 61 6d 61 73 5c 49 6e 69 63 69 6f 5c 00 00 00 00 5c 57 49 4e 4d 45 5c 4d} //weight: 2, accuracy: High
        $x_2_4 = {4e 49 43 4b 20 25 73 0a 55 53 45 52 20 25 73 20} //weight: 2, accuracy: High
        $x_2_5 = {73 74 61 72 74 0d 0a 69 66 20 6e 6f 74 20 65 78 69 73 74 20 22 22 25 2a 22 22 20 67 6f 74 6f 20} //weight: 2, accuracy: High
    condition:
        (filesize < 20MB) and
        (4 of ($x*))
}

Associated hashes (64-character hex, SHA-256 length):
- 407eb9f9d55687cd6d532600d4ad5846073f8f46a540fb71d04d4bbe2cfa0332
- cf7a4980d57b03adc6cc1cff874601449e61bd74ac27091cc575c846a47b0d41
- 1cf48e24ec0befdc5600daf6362a66ae28dfd42e48262680fd296ae9c4c377b3
- 140bb888bd7c8734184cbb0329e2a50e73589a5e4dc50d8286149ce03af9ec7b
- 4d66abffece9cb6373c661fb0a27f61d7578e9348ed68e9220bc1fd8ea06a2ef

Immediately isolate the affected machine from the network to prevent further malicious activity. Use your security software to remove the detected threat. Because this is a backdoor, conduct a full investigation for persistence mechanisms, reset all user credentials on the system, and consider reimaging the machine to ensure complete eradication.
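The hex strings in the rule above are easier to reason about once decoded: they resolve to a list of security-product process names ("Blackd", "Blackice", "Zonealarm", "msblast"), an IRC-style "NICK %s / USER %s" registration template, a startup-folder path fragment ("io\Programas\Inicio\"), and a batch-file fragment ("start / if not exist ""%*"" goto "). As an added worked example (this is not code from the threatcheck.sh page or from the signature's author), the Python script below parses the strings section of the rule, decodes each pattern to readable bytes, and evaluates the rule's "(filesize < 20MB) and (4 of ($x*))" condition over constructed byte buffers. It also shows why the "threshold" meta value is 8: four hits at weight 2. The mini-matcher is a simplification: it handles fixed hex bytes and "??" full-byte wildcards only, not nibble wildcards or jumps, and the sample buffers are constructed, not real malware.

```python
import re

# Added example, not the page's or Microsoft's code. RULE_TEXT copies the
# strings section of the Backdoor_Win32_Berbew_B_2147594707_0 rule as printed
# on the page so the script runs offline.
RULE_TEXT = r"""
$x_2_1 = {70 64 33 32 00 00 00 00 42 6c 61 63 6b 64 00 00 42 6c 61 63 6b 69 63 65 00 00 00 00 43 66 69 61} //weight: 2, accuracy: High
$x_2_2 = {57 66 69 6e 64 76 33 32 00 00 00 00 5a 6f 6e 65 61 6c 61 72 6d 00 00 00 6d 73 62 6c 61 73 74 00} //weight: 2, accuracy: High
$x_2_3 = {69 6f 5c 50 72 6f 67 72 61 6d 61 73 5c 49 6e 69 63 69 6f 5c 00 00 00 00 5c 57 49 4e 4d 45 5c 4d} //weight: 2, accuracy: High
$x_2_4 = {4e 49 43 4b 20 25 73 0a 55 53 45 52 20 25 73 20} //weight: 2, accuracy: High
$x_2_5 = {73 74 61 72 74 0d 0a 69 66 20 6e 6f 74 20 65 78 69 73 74 20 22 22 25 2a 22 22 20 67 6f 74 6f 20} //weight: 2, accuracy: High
"""

# $name = {hex tokens} //weight: N   (the weight comment is optional)
STRING_RE = re.compile(r"(\$\w+)\s*=\s*\{([^}]*)\}\s*(?://\s*weight:\s*(\d+))?")


def hex_tokens_to_regex(tokens):
    """Compile YARA hex tokens into a bytes regex.
    '??' becomes a full-byte wildcard; every other token is emitted as a \\xHH
    escape so regex-special bytes need no separate quoting. Nibble wildcards
    (e.g. '4?') and jumps ([n-m]) are deliberately not supported (simplification)."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in tokens.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def decode_tokens(tokens):
    """Render the fixed bytes of a hex string; wildcard positions are shown as '?'."""
    return bytes(0x3F if t == "??" else int(t, 16) for t in tokens.split())


def parse_rule_strings(rule_text):
    """Return {name: (compiled regex, weight, raw tokens)} for each hex string."""
    found = {}
    for name, tokens, weight in STRING_RE.findall(rule_text):
        found[name] = (hex_tokens_to_regex(tokens), int(weight) if weight else 1, tokens)
    return found


def evaluate(rule_strings, data, min_matches=4, max_size=20 * 1024 * 1024):
    """Mirror the rule's condition. Returns (verdict, matched names, summed weight).
    Four matches at weight 2 sum to 8, the rule's 'threshold' meta value."""
    if len(data) >= max_size:  # filesize < 20MB
        return False, [], 0
    matched = [name for name, (rx, _w, _t) in rule_strings.items() if rx.search(data)]
    weight = sum(rule_strings[name][1] for name in matched)
    return len(matched) >= min_matches, matched, weight


def build_sample(names, rule_strings, filler=b"\x00" * 64):
    """Constructed test buffer (not a real sample): chosen strings separated by padding."""
    return filler.join(decode_tokens(rule_strings[n][2]) for n in names) + filler


if __name__ == "__main__":
    strings = parse_rule_strings(RULE_TEXT)
    for name, (_rx, weight, tokens) in strings.items():
        print(f"{name} (weight {weight}): {decode_tokens(tokens)!r}")
    hit = build_sample(["$x_2_1", "$x_2_2", "$x_2_4", "$x_2_5"], strings)
    miss = build_sample(["$x_2_1", "$x_2_2", "$x_2_4"], strings)
    print("four strings present:", evaluate(strings, hit))
    print("three strings present:", evaluate(strings, miss))
```

Running the script prints the decoded strings and then two verdicts: the buffer carrying four of the five patterns satisfies "4 of ($x*)" with a summed weight of 8, while the buffer carrying three does not, and any buffer of 20 MB or more fails the filesize guard regardless of content.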