Loerbas (Malware Family)

Loerbas

Loader and Cleaner components used in attacks against high-performance computing centers in Europe.

References

2020-05-16 ⋅ Cado Security ⋅ Chris Doman, James Campbell
Recent Attacks Against Supercomputers
Loerbas

2020-05-16 ⋅ atdotde ⋅ Robert Helling
High Performance Hackers
Loerbas

2020-05-15 ⋅ Twitter (@nunohaien) ⋅ Tillmann Werner
Twitter Thread on attacks on high-performance computing labs
Loerbas

Yara Rules

[TLP:WHITE] elf_loerbas_w0 (20200518 | detects loader module)

rule elf_loerbas_w0 {
	meta:
		author = "Tillmann Werner"
		description = "detects loader module"
		source = "https://twitter.com/nunohaien/status/1261281419483140096"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.loerbas"
        malpedia_version = "20200518"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $fragemnt = { 61 31 C2 8B 45 FC 48 98 }
    condition:
        all of them
}

[TLP:WHITE] elf_loerbas_w1 (20200518 | detects cleaner module)

rule elf_loerbas_w1 {
	meta:
		author = "Tillmann Werner"
		description = "detects cleaner module"
		source = "https://twitter.com/nunohaien/status/1261281419483140096"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.loerbas"
        malpedia_version = "20200518"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $fragemnt = { 14 CC FC 28 25 DE B9 }
    condition:
        all of them
}

Download all Yara Rules

Loerbas Propose Change

References

Yara Rules

Loerbas