#Yara Rule for #TA505 Latest Campaign

rule ta505_downloader
{
meta:
	author = "Krishnendu Paul"
	description = "TA505 June 2020"
	
    strings:
	$meta_hex	=	"document.getElementById"
	$meta_app	= "template.innerHTML"
	$meta_filetype	= "iframeTemplate"
	$meta_b	=	"element.innerHTML"
	
    condition:
	all of ($meta_*) and filesize < 250000
}

Krishnendu Paul

Recommended for you

ffmpeg

[NOTE] Bulk convert .webm files to .mp4 with #FFMPEG on #Windows

FFMPEG [https://ffmpeg.org/download.html#build-windows] is always been great utility for me for it's huge feature sets. But on windows, converting file format of bulk file was really painful for me as need to supply file names either one by one, or needed some GUI to

4 years ago • 1 min read

XLS

Allowing #XLSM and #XLSB files ? Stop it to save your Infra

I understand that a company having legacy systems running always. But, are you permitting XLSM and XLSB filetypes ? #STOP it as fast as possible !! Following images are from a malware packer, possibly related with latest #Zloader and other infections. Credit @DissectMalware [https://twitter.com/DissectMalware]From the 2nd screenshot it

5 years ago • 1 min read

TA505

#TA505 find subdomain to download #Dropper #Malware

So ... if you have main domain from #TA505 TTPs and want to download the dropper file from actual subdomain , following is the method So, found 2 TTPs today from twitter But, subdomains are not there. Without disturbing the poster, goto https://[DOMAIN] It will show you a certificate error page.

5 years ago • 1 min read