
Idea - Malicious Libraries in TRJ_BANKER

Open johnk3r opened this issue 2 years ago • 3 comments

Hi,

What is the best way to create rule/rules to detect these suspicious libraries?

[screenshot: 2022-08-13 20_46_52-Configurações]

Would it be a rule for each library?

Ref.: https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/

johnk3r avatar Aug 13 '22 23:08 johnk3r

https://twitter.com/johnk3r/status/1558600148309131266

johnk3r avatar Aug 13 '22 23:08 johnk3r

Yes, one rule per library fits best with our current approach.

Additionally, we could add a parent rule that combines these; however, that's optional and likely doesn't add much value but may require more maintenance.

mr-tz avatar Aug 15 '22 09:08 mr-tz
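As an added example (not the capa-rules project's own code), a small Python generator for the layout described above: one file-scope rule per library, plus the optional parent rule that joins them with `match:` features. The library names, marker strings and author e-mail are constructed placeholders (the real library names are only in the issue's screenshot), and the `linking/static` namespace is an assumption by analogy with capa-rules' other library rules.

```python
# Added example, not capa-rules project code: emit one capa rule per
# suspicious library plus an optional parent rule combining them.
# Library names/markers are constructed placeholders; the URL is from the issue.
import re

REFERENCE = ("https://www.welivesecurity.com/2021/04/06/"
             "janeleiro-time-traveler-new-old-banking-trojan-brazil/")

# constructed placeholders: library -> string that marks its presence
LIBRARIES = {
    "ExampleLibOne": "ExampleLibOne.dll",
    "ExampleLibTwo": "TExampleLibTwoComponent",
}

def rule_name(lib: str) -> str:
    return f"reference {lib} library"

def rule_filename(name: str) -> str:
    # capa-rules names files after the rule name: lowercase, dash-separated
    return re.sub(r"[^a-z0-9-]", "", name.lower().replace(" ", "-")) + ".yml"

def meta_block(name: str) -> list:
    # `scope: file` is the single-scope key of the 2022-era rule format;
    # the namespace is an assumption by analogy with the linking/static rules
    return ["rule:", "  meta:", f"    name: {name}",
            "    namespace: linking/static", "    authors:",
            "      - analyst@example.com  # placeholder", "    scope: file",
            "    references:", f"      - {REFERENCE}", "  features:", "    - or:"]

def library_rule(lib: str, marker: str) -> str:
    """One file-scope rule per library: fires on the library's marker string."""
    return "\n".join(meta_block(rule_name(lib)) + [f'      - string: "{marker}"', ""])

def parent_rule(libs) -> str:
    """Optional parent rule: `match:` on each per-library rule by its name."""
    lines = meta_block("reference TRJ_BANKER related libraries")
    lines += [f"      - match: {rule_name(lib)}" for lib in libs]
    return "\n".join(lines + [""])

def build_rules(libraries=LIBRARIES) -> dict:
    """Return {filename: yaml_text} for every per-library rule and the parent."""
    rules = {rule_filename(rule_name(lib)): library_rule(lib, marker)
             for lib, marker in libraries.items()}
    rules[rule_filename("reference TRJ_BANKER related libraries")] = parent_rule(libraries)
    return rules

if __name__ == "__main__":
    for fname, text in build_rules().items():
        print(f"# {fname}\n{text}")
```

Each returned entry is ready to be written to the matching path under the rules directory; the parent rule only matches when one of the per-library rules has already matched.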

Would you mind submitting a PR based on your existing rule(s)?

mr-tz avatar Aug 15 '22 09:08 mr-tz

Additional reference: https://gist.github.com/mr-tz/46983e141a6f6ac9654b75ec86748a7d

mr-tz avatar Aug 23 '22 08:08 mr-tz