
upstyle malware detect add #9586

Open
wants to merge 1 commit into base: main

Conversation

Kazgangap
Contributor

Template / PR Information

During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. Details on this backdoor are included further on in this report.

I tried to write a template based on the YARA rule below.

References:

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

Additional References:

@GeorginaReeder

Thanks as always for your contributions @Kazgangap !

@pussycat0x pussycat0x self-assigned this Apr 21, 2024
@Kazgangap
Contributor Author

hi @pussycat0x @DhiyaneshGeek

This file method was my first template. I don't know how variable values work in nuclei, and the template is probably wrong. I have a few questions. Can we introduce a file to nuclei with a hash? If the file generates variables when it runs, how can we templatize it?

If it's not going to be fixed and the template for this malware is not going to be written, this PR can be closed.

@pussycat0x
Contributor

"Hi @Kazgangap, using the -svd -v flags will assist you in locating variables." Also, you can try the method below to match a file by its hash value.

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '00014d16d21d21d00042d41d00041df1e57cd0b3bf64d18696fb4fce056610'"

@Kazgangap
Contributor Author

Hi @pussycat0x, is what I wrote correct according to this YARA rule?

https://github.com/volexity/threat-intel/blob/main/2024/2024-04-12%20Palo%20Alto%20Networks%20GlobalProtect/indicators/rules.yar

id: upstyle-malware
info:
  name: Upstyle Malware - Detect
  author: Kazgangap
  severity: info
  reference:
    - https://unit42.paloaltonetworks.com/cve-2024-3400/
    - https://github.com/volexity/threat-intel/blob/main/2024/2024-04-12%20Palo%20Alto%20Networks%20GlobalProtect/indicators/rules.yar
  tags: malware,cve-2024-3400

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac'"
          - "sha256(raw) == '0d59d7bddac6c22230187ef6cf7fa22bca93759edc6f9127c41dc28a2cea19d8'"
          - "sha256(raw) == '4dd4bd027f060f325bf6a90d01bfcf4e7751a3775ad0246beacc6eb2bad5ec6f'"
        condition: or

@pussycat0x
Contributor

Hi @Kazgangap, yeah, it's fine.
We must address the issue of large files regardless. Currently, we halt reading once the maximum size is reached, compromising the reliability of the signature. Feel free to join our Discord server! Once you're in, just shoot me a DM (pussycat0xpd) so we can discuss together.
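An added example, not code from this PR or from nuclei itself, showing in Python what the template's `sha256(raw)` matcher does (a whole-file SHA-256 compared against the indicator list) and why the large-file caveat above matters: if a scanner stops reading at a size limit, it hashes only a prefix and the indicator can never match. The three hashes are the ones in the template; `scan`, `sha256_of_file` and `demo_truncation` are hypothetical helpers and the sample file is constructed.

```python
import hashlib
import os
import tempfile

# The three sample hashes from the template in this PR (Volexity UPSTYLE indicators).
UPSTYLE_SHA256 = {
    "3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac",
    "0d59d7bddac6c22230187ef6cf7fa22bca93759edc6f9127c41dc28a2cea19d8",
    "4dd4bd027f060f325bf6a90d01bfcf4e7751a3775ad0246beacc6eb2bad5ec6f",
}

def sha256_of_file(path, max_bytes=None, chunk=1 << 20):
    """Stream SHA-256 over a file. max_bytes=None hashes everything; an integer
    mimics a scanner that stops at its size limit and so hashes only a prefix."""
    h, remaining = hashlib.sha256(), max_bytes
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            data = f.read(chunk if remaining is None else min(chunk, remaining))
            if not data:
                break
            h.update(data)
            if remaining is not None:
                remaining -= len(data)
    return h.hexdigest()

def scan(root, indicators=UPSTYLE_SHA256, max_bytes=None):
    """Walk root (like the template's 'extensions: all') and return (path, digest) hits."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            d = sha256_of_file(p, max_bytes)
            if d in indicators:
                hits.append((p, d))
    return hits

def demo_truncation(size=3 * 1024 * 1024, limit=1024 * 1024):
    """Constructed input: a random file larger than the read limit. Returns the
    whole-file digest, the prefix digest, and hit counts without/with the limit."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.bin")
        with open(p, "wb") as f:
            f.write(os.urandom(size))
        full = sha256_of_file(p)
        truncated = sha256_of_file(p, max_bytes=limit)
        n_full = len(scan(d, indicators={full}))
        n_limited = len(scan(d, indicators={full}, max_bytes=limit))
    return full, truncated, n_full, n_limited
```

Run `demo_truncation()` to see the whole-file and prefix digests differ and the limited scan report zero hits for a file the unlimited scan matches.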

@pussycat0x pussycat0x added the Status: In Progress This issue is being worked on, and has someone assigned. label May 29, 2024