BlueCoat Inception APT Report Yara Rules

1. rule InceptionDLL
2. {
3.     meta:
4.         author = "Blue Coat Systems, Inc"
5.         reference = "http://goo.gl/qr7BP4"
6.         date = "12/10/2014"
7.         description = "Used by unknown APT actors: Inception"
8.     strings:
9.         $a = "dll.polymorphed.dll"
10.         $b = { 83 7d 08 00 0f 84 cf 00 00 00 83 7d 0c 00 0f 84 c5 00
11.                00 00 83 7d 10 00 0f 84 bb 00 00 00 83 7d 14 08 0f 82
12.                b1 00 00 00 c7 45 fc 00 00 00 00 8b 45 10 89 45 dc 68
13.                00 00 }
14.         $c = { FF 15 ?? ?? ?? ?? 8b 4d 08 8b 11 c7 42 14 00 00 00 00
15.                8b 45 08 8b 08 8b 55 14 89 51 18 8b 45 08 8b 08 8b 55
16.                0c 89 51 1c 8b 45 08 8b 08 8b 55 10 89 51 20 8b 45 08
17.                8b 08 }
18.         $d = { 68 10 27 00 00 FF 15 ?? ?? ?? ?? 83 7d CC 0a 0f 8d 47
19.                01 00 00 83 7d d0 00 0f 85 3d 01 00 00 6a 20 6a 00 8d
20.                4d d4 51 e8 ?? ?? ?? ?? 83 c4 0c 8b 55 08 89 55 e8 c7
21.                45 d8 }
22.         $e = { 55 8b ec 8b 45 08 8b 88 ac 23 03 00 51 8b 55 0c 52 8b
23.                45 0c 8b 48 04 ff d1 83 c4 08 8b 55 08 8b 82 14 bb 03
24.                00 50 8b 4d 0c 51 8b 55 0c 8b 42 04 }
25.     condition:
26.         any of them
27. }
28.  
29. rule InceptionRTF {
30.     meta:
31.         author = "Blue Coat Systems, Inc"
32.         reference = "http://goo.gl/qr7BP4"
33.         date = "12/10/2014"
34.         description = "Used by unknown APT actors: Inception"
35.     strings:
36.         $a = "}}PT@T"
37.         $b = "XMLVERSION \"3.1.11.5604.5606"
38.         $c = "objclass Word.Document.12}\\objw9355"
39.     condition:
40.         all of them
41. }
42.  
43. rule InceptionMips {
44.     meta:
45.         author = "Blue Coat Systems, Inc"
46.         reference = "http://goo.gl/qr7BP4"
47.         date = "12/10/2014"
48.         description = "Used by unknown APT actors: Inception"
49.     strings:
50.         $a = "start_sockat" ascii wide
51.         $b = "start_sockss" ascii wide
52.         $c = "13CStatusServer" ascii wide
53.     condition:
54.         all of them
55. }
56.  
57. rule InceptionVBS {
58.     meta:
59.         author = "Blue Coat Systems, Inc; modified by Florian Roth"
60.         reference = "http://goo.gl/qr7BP4"
61.         date = "12/10/2014"
62.         description = "Used by unknown APT actors: Inception"
63.     strings:
64.         $a = "c = Crypt(c,k)"
65.         $b = "fso.BuildPath( WshShell.ExpandEnvironmentStrings(a)"
66.         $c = "Dim p(4)" fullword ascii
67.     condition:
68.         all of them
69. }
70.  
71. rule InceptionBlackberry {
72.     meta:
73.         author = "Blue Coat Systems, Inc; modified by Florian Roth"
74.         reference = "http://goo.gl/qr7BP4"
75.         date = "12/10/2014"
76.         description = "Used by unknown APT actors: Inception"
77.     strings:
78.         $a1 = "POSTALCODE:"
79.         $a2 = "SecurityCategory:"
80.         $a3 = "amount of free flash:"
81.         $a4 = { 24 d8 37 31 7c 27 31 27 7c 3a } /* replaced non ascii character srtring $Ø71|'1'|: */
82.         $b1 = "God_Save_The_Queen"
83.         $b2 = "UrlBlog"
84.     condition:
85.         all of ($a*) or all of ($b*)
86. }
87.  
88. rule InceptionAndroid {
89.     meta:
90.         author = "Blue Coat Systems, Inc"
91.         reference = "http://goo.gl/qr7BP4"
92.         date = "12/10/2014"
93.         description = "Used by unknown APT actors: Inception"
94.     strings:
95.         $a1 = "BLOGS AVAILABLE="
96.         $a2 = "blog-index"
97.         $a3 = "Cant create dex="
98.     condition:
99.         all of them
100. }
101.  
102. rule InceptionIOS {
103.     meta:
104.         author = "Blue Coat Systems, Inc"
105.         reference = "http://goo.gl/qr7BP4"
106.         date = "12/10/2014"
107.         description = "Used by unknown APT actors: Inception"
108.     strings:
109.         $a1 = "Developer/iOS/JohnClerk/"
110.         $b1 = "SkypeUpdate"
111.         $b2 = "/Syscat/"
112.         $b3 = "WhatsAppUpdate"
113.     condition:
114.         $a1 and any of ($b*)
115. }
116.  
117. rule InceptionCloudMe {
118.     meta:
119.         author = "Florian Roth"
120.         reference = "http://goo.gl/qr7BP4"
121.         date = "12/10/2014"
122.         score = 65
123.         description = "Compromised CloudMe accounts from BlueCoat operation Inception"
124.     strings:
125.         $s1 = "franko7046" fullword
126.         $s2 = "sanmorinostar" fullword
127.         $s3 = "tem5842" fullword
128.         $s4 = "bimm4276" fullword
129.         $s5 = "carter0648" fullword
130.         $s6 = "depp3353" fullword
131.         $s7 = "frogs6352" fullword
132.         $s8 = "daw0996" fullword
133.         $s9 = "chak2488" fullword
134.         $s10 = "corn6814" fullword 
135.         $s11 = "james9611" fullword
136.         $s12 = "lisa.walker" fullword
137.         $s13 = "billder1405" fullword
138.         $s14 = "droll5587" fullword
139.         $s15 = "samantha2064" fullword
140.         $s16 = "chloe7400" fullword
141.         $s17 = "browner8674935" fullword
142.         $s18 = "parker2339915" fullword
143.         $s19 = "young0498814" fullword
144.         $s20 = "hurris4124867" fullword
145.         $x1 = "cloudme" nocase fullword
146.     condition:
147.         1 of ($s*) and $x1
148. }