chrome.exe  --load-extension="C:\Users\user\AppData\Local\Temp\HHe2lr"

brave.exe  --load-extension="C:\Users\user\AppData\Local\Temp\HHe2lr"

msedge.exe  --load-extension="C:\Users\user\AppData\Local\Temp\HHe2lr"

opera.exe  --load-extension="C:\Users\user\AppData\Local\Temp\HHe2lr"

vivaldi.exe  --load-extension="C:\Users\user\AppData\Local\Temp\HHe2lr"

hxxp://extenision-app[.]com/api/settings

hxxp://extenision-app[.]com/api/machine/

hxxp://extenision-app[.]com/api/machine/init

hxxp://extenision-app[.]com/api/machine/get-urls

• Datetimes for when it was created and updated
• Multiple currency amounts defining the minimum amount (80 EUR, 80 USD, etc)
• Telegram Chat ID and Token

Returns a list of details about victims. This includes…

• Victim IP address
• Victim country
• Variant reference (Google, TradingView, etc)
• When it was added
• When it was last observed communicating to the C2

hxxps://nch-software[.]info/1/2.exe

hxxps://nch-software[.]info/1/install-win64-11.5.8_en-US.exe

hxxps://panger-top[.]click/1/2.exe

hxxps://panger-top[.]click/1/install-win64-11.5.8_en-US.exe

hxxps://146.70.79[.]75/2.exe

hxxps://146.70.79[.]75/1/2.exe

rule M_Hunting_Embedded_Chromium_CRX_1

{

   meta:

         author = "Mandiant"

         md5 = "f1c21a69ed9f85e12d58ef0f5ac5c9b1"

         description = "Hunting for non-CRX files with extension equities"

   strings:

         $a1 = "_metadata" ascii

         $a2 = "manifest.json" ascii

         $a3 = "verified_contents.json" ascii

         $s1 = "_locales" ascii

         $s2 = "messages.json" ascii

         $f = /[a-z0-9A-Z_-]+\.(html|htm|css|js)/ ascii

         $pk = {50 4B 03 04}

   condition:

         (((uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f) or (uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca or uint32(0) == 0xcafebabf or uint32(0) == 0xbfbafeca)) and

         (((2 of ($a*)) and $f) or ((1 of ($a*)) and ($f or (1 of ($s*))))) and

         $pk and

         (#pk >1) and

         (for any i in (1..#pk) : ($a2 at @pk[i]+30)) and

         (for any j in (1..#pk) : ($f at @pk[j]+30))

}

rule M_Hunting_Embedded_Chromium_CRXandLNK_1

{

   meta:

         author = "jared.wilson"

         md5 = "f1c21a69ed9f85e12d58ef0f5ac5c9b1"

         description = "Hunting for non-CRX files with extension equities and common strings for Google Chrome LNKs"

   strings:

         $a1 = "_metadata" ascii

         $a2 = "manifest.json" ascii

         $a3 = "verified_contents.json" ascii

         $s1 = "_locales" ascii

         $s2 = "messages.json" ascii

         $f = /[a-z0-9A-Z_-]+\.(html|htm|css|js)/ ascii

         $pk = {50 4B 03 04}

         $load = "--load-extension" ascii wide

         $lnk1 = "Google Chrome.lnk" ascii wide

   condition:

         (((uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f) or (uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca or uint32(0) == 0xcafebabf or uint32(0) == 0xbfbafeca)) and

         (((2 of ($a*)) and $f) or ((1 of ($a*)) and ($f or (1 of ($s*))))) and

         $pk and

         (#pk >1) and

         (for any i in (1..#pk) : ($a2 at @pk[i]+30)) and

         (for any j in (1..#pk) : ($f at @pk[j]+30)) and

         ($load or $lnk1)

}

rule M_Hunting_AdvancedInstaller_LNK_1

{

   meta:

         author = "Mandiant"

         md5 = "2782af385665c765807ed887d4bacf36"

         description = "Hunting for Advanced Installer files that drop LNKs to known locations."

   strings:

         $a1 = "Advanced Installer" wide

         $a2 = "Advanced Installer" ascii

         $a3 = "https://www.advancedinstaller.com" ascii

         $l1 = "Google Chrome.lnk"

         $l2 = "Brave.lnk"

         $p1 = "\\Microsoft\\Windows\\Start Menu\\Programs\\Google Chrome.lnk"

         $p2 = "\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Brave.lnk"

         $p3 = "\\Microsoft\\Internet Explorer\\Quick Launch\\Brave.lnk"

         $p4 = "\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk"

         $p5 = "\\Microsoft\\Windows\\Start Menu\\Programs\\Brave.lnk"

         $p6 = "\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk"

         $r = /\$[^\.]+\.CreateShortcut\([^\)]+\)/

   condition:

         ((uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550) and (all of ($a*)) and (1 of ($l*)) and (2 of ($p*)) and $r

}

rule M_Hunting_LNKEngine_LoadExtension_1

{

   meta:

         author = "Mandiant"

         description = "Hunting rule that looks for files containing strings pertaining to execution of Edge, Opera, Brave, Chrome to launch an extension."

         md5 = "30abf9ca1bb792eb5edd8b033c010979"

   strings:

         $r1 = /(chrome|msedge|opera|brave)[^\r\n]+--load-extension=/ ascii nocase wide

         $s1 = "chrome" ascii wide

         $s2 = "--load-extension=" ascii wide

   condition:

         (uint32(0) == 0x0000004c) and filesize < 50KB and all of ($s*) and $r1

}

rule M_Hunting_LNKEngine_LoadExtension_Temp_1

{

    meta:

        author = "Mandiant"

        description = "Hunting rule that looks for files containing strings pertaining to execution of Edge, Opera, Brave, Chrome to launch an extension."

        md5 = "30abf9ca1bb792eb5edd8b033c010979"

    strings:

        $r1 = /(chrome|msedge|opera|brave)[^\r\n]+--load-extension="?[A-Za-z]:\\Users\\[^\\]+\\AppData\\/ ascii nocase wide

        $s2 = "--load-extension=" ascii wide

    condition:

        (uint32(0) == 0x0000004c) and filesize < 50KB and all of them

}

rule M_Hunting_ArchiveEngine_CAB_Extension_1

{

   meta:

         author = "Mandiant"

         description = "Looking for CAB containing what is suspected to be the files that make up an extension"

         md5 = "de283dfb9c88dbb6d455ca4b31c57240"

   strings:

         $f1 = "manifest.json" nocase

         $f2 = ".js" nocase

         $f3 = ".htm" nocase

         $f4 = ".png" nocase

   condition:

         filesize < 1MB and uint32be(0) == 0x4D534346 and ($f1 in (uint32(16) .. uint32(16) + 256)) and ($f2 in (uint32(16) .. uint32(16) + 256)) and ($f3 in (uint32(16) .. uint32(16) + 256)) and ($f4 in (uint32(16) .. uint32(16) + 256))

}

rule M_Hunting_FileWrite_Manifest_Temp_1

{

   meta:

         author = "Mandiant"

         md5 = "f1c21a69ed9f85e12d58ef0f5ac5c9b1"

         description = "Hunting for cases where a process writes a Chrome CRX manifest file to the appdata temp directory."

         severity = "Medium"

   events:

         $e.metadata.event_type = "FILE_CREATION"

         ($e.target.file.names = "manifest.json" OR $e.target.file.full_path = /manifest\.json$/)

$e.target.file.full_path = /[a-zA-Z]{1}:\\Users\\[^\\]+\\AppData\\(Local\\Temp\\|Roaming\\)[^\\]+\\manifest.json/ nocase

   condition:

         $e

}

rule M_Hunting_Process_Chromium_LoadExtension_1

{

   meta:

         author = "Mandiant"

         md5 = "f1c21a69ed9f85e12d58ef0f5ac5c9b1"

         description = "Hunting for cases where Chrome process is startng with the --load-extension parameter with the value in the appdata temp directory."

         severity = "Medium"

events:

$e.metadata.event_type = "PROCESS_OPEN"

$e.target.process.command_line = /(chrome|brave|msedge|opera|vivaldi)\.exe"?\s+\-\-load\-extension="?[A-Za-z]{1}:\\Users\\[^\\]+\\AppData\\(Local\\Temp\\|Roaming\\)[^ ]+/ nocase

$e.target.process.file.full_path = /(chrome|brave|msedge|opera|vivaldi)\.exe$/ nocase

    condition:

$e

}

rule M_Hunting_FileWrite_Chrome_LNK_1

{

   meta:

         author = "Mandiant"

         md5 = "f1c21a69ed9f85e12d58ef0f5ac5c9b1"

         description = "Hunting for cases where the LNK is written to known used locations from a process that is in user directory space."

         severity = "Medium"

   events:

         $e.metadata.event_type = "FILE_CREATION"

         $e.target.file.full_path = /Google Chrome\.lnk$/

         ($e.target.file.full_path = `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk` or $e.target.file.full_path = `C:\Users\Public\Desktop\Google Chrome.lnk` or $e.target.file.full_path = /C:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk/ or $e.target.file.full_path = /C:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk/)

         ($e.principal.process.file.full_path = /[a-zA-Z]{1}:\\Users\\[^\\]+/ or $e.src.process.file.full_path = /[a-zA-Z]{1}:\\Users\\[^\\]+/)

   condition:

         $e

}

rule M_Hunting_FileWrite_CRXandLNK_1

{

   meta:

         author = "Mandiant"

         md5 = "f1c21a69ed9f85e12d58ef0f5ac5c9b1"

         description = "Hunting for cases where a process writes a PK/zip (suspected CRX) and an LNK within 1 minute of each other."

         severity = "Medium"

   events:

         $e1.metadata.event_type = "FILE_CREATION"

         $e2.metadata.event_type = "FILE_CREATION"

         $md5 = $e1.principal.process.file.md5

         $e1.principal.process.file.md5 = $e2.principal.process.file.md5

         $e1.principal.process.file.md5 != ""

         $e1.principal.hostname = $e2.principal.hostname        

         $e1.principal.hostname != ""

         $e1.principal.process.pid = $e2.principal.process.pid

         $e1.principal.process.pid != ""

         (((($e1.principal.file.file_type = "FILE_TYPE_CRX") or ($e1.target.file.full_path = /\.zip$/)) and (($e2.principal.file.file_type = "FILE_TYPE_LNK") or ($e2.target.file.full_path = /\.lnk$/))) or (((($e1.principal.file.file_type = "FILE_TYPE_LNK") or ($e1.target.file.full_path = /\.lnk$/)) and (($e2.principal.file.file_type = "FILE_TYPE_CRX") or ($e2.target.file.full_path = /\.zip$/)))))

   match:

         $md5 over 1m

   condition:

         $e1 and $e2

}

rule M_Hunting_FileWrite_ManifestandLNK_1 {

   meta:

         author = "Mandiant"

         md5 = "f1c21a69ed9f85e12d58ef0f5ac5c9b1"

         description = "Hunting for cases where a process writes a CRX Manifest file and an LNK within 1 minute of each other."

         severity = "Medium"

   events:

         $e1.metadata.event_type = "FILE_CREATION"

         $e2.metadata.event_type = "FILE_CREATION"

         $md5 = $e1.principal.process.file.md5

         $e1.principal.process.file.md5 = $e2.principal.process.file.md5

         $e1.principal.process.file.md5 != ""

         $e1.principal.hostname = $e2.principal.hostname        

         $e1.principal.hostname != ""

         $e1.principal.process.pid = $e2.principal.process.pid

         $e1.principal.process.pid != ""

         ((($e1.target.file.full_path = /\\manifest\.json$/) and (($e2.principal.file.file_type = "FILE_TYPE_LNK") or ($e2.target.file.full_path = /\.lnk$/))) or (((($e1.principal.file.file_type = "FILE_TYPE_LNK") or ($e1.target.file.full_path = /\.lnk$/)) and ($e2.target.file.full_path = /\\manifest\.json$/))))

   match:

         $md5 over 1m

   condition:

         $e1 and $e2

}

// M_Hunting_FileWrite_ManifestandChromeLNK_1

tag:peexe and ((behaviour_files:"C:\\Users\\Public\\Desktop\\Google Chrome.lnk" and behaviour_files:"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Google Chrome.lnk") or (behaviour_files:"C:\\Users\\Public\\Desktop\\Google Chrome.lnk" and behaviour_files:"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") or (behaviour_files:"C:\\Users\\Public\\Desktop\\Google Chrome.lnk" and behaviour_files:"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk") or (behaviour_files:"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Google Chrome.lnk" and behaviour_files:"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") or (behaviour_files:"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Google Chrome.lnk" and behaviour_files:"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk") or (behaviour_files:"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk" and behaviour_files:"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk")) and behaviour_files:".zip" and behaviour_files:"manifest.json"

rule M_Hunting_RILIDE_InjectJS_1

{

   meta:

         author = "Mandiant"

         md5 = "9fe5b99b20bc91995b81eddd917bff50"

         description = "Hunting for the code that RILIDE injects"

   strings:

         $banner = "https://public.bnbstatic.com/image/email_template/emailBanner.png"

         $s1 = "[Bybit]Withdrawal Request" ascii

         $s2 = "[Bybit] Authorize New Device" ascii

         $a1 = "created a withdrawal request"

         $a2 = "Authorize New Device You recently attempted to sign in to your Bybit account from a new device or location. As a security measure, we require additional"

         $a3 = "Please check your withdrawal address carefully."         

         $a4 = "Verification Code Of Withdrawal"

         $a6 = "Withdrawal Verification Code"

         $a7 = "Verification Code Of Authorization"

         $a8 = "initiate this withdrawal or the address is"

         $a9 = "Authorize New Device You recently attempted to sign in to your OKX account from a new device or location. As a security measure, we require additional"

         $a10 = "Confirm your new withdrawal address"

         $a11 = "A new withdrawal address was just added to your account."

         $f1 = "div:contains(\"Binance\"), div:contains(\"binance\")"

         $f2 = "binance()" fullword

         $f3 = "div:contains(\"Bybit\"), div:contains(\"bybit\")"

         $f4 = "bybit()" fullword

         $f5 = "div:contains(\"Huobi\"), div:contains(\"huobi\")"

         $f6 = "huobi()" fullword

         $f7 = "div:contains(\"Okx\"), div:contains(\"okx\")"

         $f8 = "okx()" fullword

         $f9 = "div:contains(\"Kraken\"), div:contains(\"kraken\")"

         $f10 = "kraken()" fullword

   condition:

         filesize < 1MB and $banner and (1 of ($s*)) and (3 of ($a*)) and (6 of ($f*))

}

rule M_Hunting_RILIDE_InjectJS_2

{

   meta:

         author = "Mandiant"

         md5 = "6e426758f184b5a942428731b749b000"

         description = "Hunting for the code that RILIDE injects"

   strings:

         $anchor = "const DOMAIN = 'https://extenision-app.com/api'"

         $v1 = "exchangeRates" ascii fullword

         $v2 = "supportedAssets" ascii fullword

         $v3 = "supportedAccounts" ascii fullword

         $v4 = "currencySymbol" ascii fullword

         $v5 = "userId" ascii fullword

         $v6 = "settings" ascii fullword

         $v7 = "extensions" ascii fullword

         $s1 = "Confirm settings change"

         $s2 = "2-step verification"

         $s3 = "This extra step is to make sure it's really you trying to change settings"

         $s4 = "Enter the 2-step verification code we texted to your phone"

         $s5 = "Enter the 2-step verification code from your authenticator app"

         $s6 = "Didn't receive the SMS?"

         $s7 = "Re-send SMS"

         $u1 = "${DOMAIN}/settings"

         $u2 = "${DOMAIN}/exchange/get-address?type=${type}"

         $u3 = "${DOMAIN}/exchange/create-account"

         $u4 = "${DOMAIN}/exchange/set-balance"

         $u5 = "${DOMAIN}/exchange/set-all-balances"

         $u6 = "${DOMAIN}/exchange/set-withdraw"

         $p1 = "password = localStorage.getItem('coinbase_password')"

         $p2 = "email = localStorage.getItem('coinbase_username')"

         $f1 = "getExchangeRates" fullword

         $f2 = "getSupportedAssets" fullword

         $f3 = "getAccounts" fullword

         $f4 = "currentWithdraw"

   condition:

         filesize < 1MB and (($anchor and (8 of them)) or ((4 of ($v*)) and (4 of ($s*)) and (3 of ($u*)) and (1 of ($p*)) and (2 of ($f*))))

}

rule M_Hunting_RILIDE_InjectJS_3

{

   meta:

         author = "Mandiant"

         md5 = "6e426758f184b5a942428731b749b000"

         description = "Hunting for the code that RILIDE injects"

   strings:

         $anchor = "const DOMAIN = 'https://extenision-app.com/api'"

         $v1 = "userId" ascii fullword

         $v2 = "bearerToken" ascii fullword

         $v3 = "sharedKey" ascii fullword

         $v4 = "multiaddr" ascii fullword

         $v5 = "ethAccount" ascii fullword

         $v6 = "userSeed" ascii fullword

         $s1 = "${DOMAIN}/exchange/create-account"

         $s2 = "${DOMAIN}/exchange/set-balance"

         $s3 = "${DOMAIN}/exchange/set-all-balances"

         $s4 = "${DOMAIN}/settings"

         $f1 = "setBalance"

         $f2 = "setAllBalance"

         $f3 = "getSettings"

         $f4 = "getPrecisions"

         $f5 = "getPriceInUSDT"

         $f6 = "checkAuthTimer"

         $f7 = "checkBalanceTimer"

         $f8 = "balanceInUSDT"

   condition:

         filesize < 1MB and (($anchor and (8 of them)) or ((4 of ($v*)) and (2 of ($s*)) and (6 of ($f*))))

}