YARAhub

You are currently viewing the YARAhub entry for the YARA rule MALWARE_APT29_SVG_Delivery_Jul23. Depending on the TLP classification the author chose for this rule, further information about it is available below.

YARA Rule Details: MALWARE_APT29_SVG_Delivery_Jul23

Rule name: MALWARE_APT29_SVG_Delivery_Jul23
Author: SECUINFRA Falcon Team (@SI_FalconTeam) - @SI_FalconTeam
Description: Detects Javascript code in crafted SVG files delivering malware
Reference MD5: 295527e2e38da97167979ade004de880
Likes: 0
Reference Link: n/a
Malpedia Family: n/a
Date added: 2023-07-07
Rule Matching TLP: TLP:WHITE
Rule Sharing TLP: TLP:WHITE
License: https://creativecommons.org/licenses/by/4.0/
UUID: f4f38e82-5252-44dc-b020-a317bb3daf84
Static hits: 5
Unpacker hits: 0

YARA Rule Content

The content of the YARA rule is shown below.

rule MALWARE_APT29_SVG_Delivery_Jul23
{
    meta:
        author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
        description = "Detects Javascript code in crafted SVG files delivering malware"
        reference = "https://twitter.com/StopMalvertisin/status/1677192618118369280"
        date = "2023-07-07"
        tlp = "CLEAR"
        hash = "4875a9c4af3044db281c5dc02e5386c77f331e3b92e5ae79ff9961d8cd1f7c4f"
        yarahub_uuid = "f4f38e82-5252-44dc-b020-a317bb3daf84"
        yarahub_reference_md5 = "295527e2e38da97167979ade004de880"
        yarahub_license = "CC BY 4.0"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp = "TLP:WHITE"
        yarahub_author_twitter = "@SI_FalconTeam"

    strings:
        // Byte patterns for the XML declaration and the SVG root element
        $xml_tag = {3c 3f 78 6d 6c}   // "<?xml"
        $svg_tag = {3c 73 76 67}      // "<svg"

        // Script tag and the JavaScript APIs used to build an in-memory
        // file from embedded data and navigate the browser to it
        $js_tag = "<script"
        $js_mimeJS = "text/javascript"
        $js_mimeOS = "application/octet-stream"
        $js_create = "URL.createObjectURL("
        $js_window = "window.location.assign("
        $js_revoke = "URL.revokeObjectURL("
        $js_file = "new File("
        $js_remote = "window.location.href("

        // Atom feeds are XML documents that may embed SVG; excluded below
        $atom_mime = "application/atom+xml"

    condition:
        $xml_tag at 0x0              // XML declaration at file offset 0
        and $svg_tag
        and not $atom_mime           // skip Atom feed documents
        and filesize > 500KB         // only files larger than 500 KB
        and 4 of ($js_*)             // at least four of the JavaScript indicators
}

YARA Rule Matches

The following table shows the most recent files matching this particular YARA rule.

First seen (UTC) | SHA256 hash | Static matches | Unpacker matches