Gazer (Malware Family)

Gazer

aka: WhiteBear

Actor(s): Turla

VTCollection

There is no description at this point.

References

2023-07-26 ⋅ cocomelonc ⋅ cocomelonc
Malware development trick - part 35: Store payload in alternate data streams. Simple C++ example.
Valak POWERSOURCE Gazer PowerDuke

2022-06-12 ⋅ cocomelonc
Malware development: persistence - part 7. Winlogon. Simple C++ example.
BazarBackdoor Gazer TurlaRPC Turla SilentMoon

2022-04-26 ⋅ cocomelonc ⋅ cocomelonc
Malware development: persistence - part 2. Screensaver hijack. C++ example.
Gazer

2020-12-02 ⋅ ESET Research ⋅ Matthieu Faou
Turla Crutch: Keeping the “back door” open
Crutch Gazer Turla

2019-07-26 ⋅ Github (eset) ⋅ ESET Research
Turla Indicators of Compromise
Gazer

2018-10-04 ⋅ Kaspersky Labs ⋅ GReAT
Shedding Skin – Turla’s Fresh Faces
KopiLuwak Agent.BTZ Cobra Carbon System Gazer Meterpreter Mosquito Skipper

2018-09-10 ⋅ Youtube ( Monnappa K A) ⋅ Monnappa K A
turla gazer backdoor code injection & winlogon shell persistence
Gazer

2017-08-30 ⋅ ESET Research ⋅ Graham Cluley
New ESET research uncovers Gazer, the stealthy backdoor that spies on embassies
Gazer

2017-08-30 ⋅ Kaspersky Labs ⋅ GReAT
Introducing WhiteBear
Gazer Turla White Bear

2016-06-30 ⋅ Bitdefender ⋅ Bitdefender
Pacifier APT
Gazer Turla

2015-01-01 ⋅ Bitdefender ⋅ Andrei Ardelean, Claudiu Cobliș, Cristian Istrate, Marius Tivadar
New Pacifier APT Components Point to Russian-Linked Turla Group
KopiLuwak Gazer Skipper

Yara Rules

[TLP:WHITE] win_gazer_auto (20230808 \| Detects win.gazer.) rule win_gazer_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.gazer." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { 85c0 7511 e8???????? 84c0 7508 } // n = 5, score = 300 // 85c0 \| mov ebx, dword ptr [ebx + 0x30] // 7511 \| dec ecx // e8???????? \| // 84c0 \| mov ebp, dword ptr [ebx + 0x38] // 7508 \| dec ecx $sequence_1 = { 85c0 7511 e8???????? 84c0 7508 83c8ff e9???????? } // n = 7, score = 300 // 85c0 \| mov dword ptr [eax + 0x14], eax // 7511 \| dec ecx // e8???????? \| // 84c0 \| mov dword ptr [ebx + 0x40], ecx // 7508 \| dec ecx // 83c8ff \| cmp ecx, dword ptr [ebx + 0x30] // e9???????? \| $sequence_2 = { 85c0 7511 e8???????? 84c0 } // n = 4, score = 300 // 85c0 \| je 0x15c9 // 7511 \| mov esi, eax // e8???????? \| // 84c0 \| push dword ptr [edi] $sequence_3 = { ff15???????? 85c0 7511 e8???????? 84c0 7508 83c8ff } // n = 7, score = 300 // ff15???????? \| // 85c0 \| cmp ebp, dword ptr [edi + 0xc] // 7511 \| jne 0x626 // e8???????? \| // 84c0 \| push dword ptr [edi + 0x14] // 7508 \| add esp, 0x14 // 83c8ff \| add edi, 4 $sequence_4 = { 7511 e8???????? 84c0 7508 83c8ff e9???????? } // n = 6, score = 300 // 7511 \| dec eax // e8???????? \| // 84c0 \| mov ecx, dword ptr [ebp - 0x28] // 7508 \| dec eax // 83c8ff \| mov dword ptr [ebp - 0x20], edi // e9???????? \| $sequence_5 = { ff15???????? 85c0 7511 e8???????? 84c0 7508 } // n = 6, score = 300 // ff15???????? \| // 85c0 \| mov eax, dword ptr [ebp + 0x14] // 7511 \| cmp dword ptr [ebp + 0xc], 0 // e8???????? \| // 84c0 \| push esi // 7508 \| mov esi, dword ptr [ebp + 8] $sequence_6 = { 7511 e8???????? 84c0 7508 83c8ff } // n = 5, score = 300 // 7511 \| dec eax // e8???????? \| // 84c0 \| cwde // 7508 \| inc ecx // 83c8ff \| mov dword ptr [esp + eax4], edx $sequence_7 = { ff15???????? 85c0 7511 e8???????? 84c0 } // n = 5, score = 300 // ff15???????? \| // 85c0 \| pop esi // 7511 \| mov dword ptr [esi + 0x40], eax // e8???????? \| // 84c0 \| mov ebx, dword ptr [esi + 0x3c] $sequence_8 = { 85c0 7511 e8???????? 84c0 7508 83c8ff } // n = 6, score = 300 // 85c0 \| cmp edi, ebx // 7511 \| jne 0x78b // e8???????? \| // 84c0 \| dec eax // 7508 \| cmp dword ptr [esi + 0x150], ebp // 83c8ff \| je 0x7fa $sequence_9 = { 4133c0 23c1 33c2 4103c1 } // n = 4, score = 200 // 4133c0 \| inc eax // 23c1 \| mov dword ptr [ebp - 0x20], eax // 33c2 \| lea eax, [ebp - 0x20] // 4103c1 \| push eax condition: 7 of them and filesize < 950272 }
[TLP:WHITE] win_gazer_w0 (20170831 \| Turla Gazer malware) // For feedback or questions contact us at: github@eset.com // https://github.com/eset/malware-ioc/ // // These yara rules are provided to the community under the two-clause BSD // license as follows: // // Copyright (c) 2017, ESET // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this // list of conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // import "pe" rule win_gazer_w0 { meta: author = "ESET Research" date = "2017-08-30" info = "certificate subject" description = "Turla Gazer malware" reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/" source = "https://github.com/eset/malware-ioc/" contact = "github@eset.com" license = "BSD 2-Clause" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer" malpedia_version = "20170831" malpedia_license = "BSD 2-Clause" malpedia_sharing = "TLP:WHITE" condition: for any i in (0..pe.number_of_signatures - 1): (pe.signatures[i].subject contains "Solid Loop" or pe.signatures[i].subject contains "Ultimate Computer Support") }
[TLP:WHITE] win_gazer_w1 (20170831 \| Turla Gazer malware) // // Copyright (c) 2017, ESET // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this // list of conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // rule win_gazer_w1 { meta: author = "ESET Research" date = "2017-08-30" info = "logfile name" description = "Turla Gazer malware" reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/" source = "https://github.com/eset/malware-ioc/" contact = "github@eset.com" license = "BSD 2-Clause" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer" malpedia_version = "20170831" malpedia_license = "BSD 2-Clause" malpedia_sharing = "TLP:WHITE" strings: $s1 = "CVRG72B5.tmp.cvr" $s2 = "CVRG1A6B.tmp.cvr" $s3 = "CVRG38D9.tmp.cvr" condition: 1 of them }
[TLP:WHITE] win_gazer_w2 (20170831 \| Turla Gazer malware) // // Copyright (c) 2017, ESET // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this // list of conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // rule win_gazer_w2 { meta: author = "ESET Research" date = "2017-08-30" info = "certificate" description = "Turla Gazer malware" reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/" source = "https://github.com/eset/malware-ioc/" contact = "github@eset.com" license = "BSD 2-Clause" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer" malpedia_version = "20170831" malpedia_license = "BSD 2-Clause" malpedia_sharing = "TLP:WHITE" strings: $certif1 = {52 76 a4 53 cd 70 9c 18 da 65 15 7e 5f 1f de 02} $certif2 = {12 90 f2 41 d9 b2 80 af 77 fc da 12 c6 b4 96 9c} condition: 1 of them and filesize < 2MB }

Download all Yara Rules

[TLP:WHITE] win_gazer_auto (20230808 \| Detects win.gazer.) rule win_gazer_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.gazer." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { 85c0 7511 e8???????? 84c0 7508 } // n = 5, score = 300 // 85c0 \| mov ebx, dword ptr [ebx + 0x30] // 7511 \| dec ecx // e8???????? \| // 84c0 \| mov ebp, dword ptr [ebx + 0x38] // 7508 \| dec ecx $sequence_1 = { 85c0 7511 e8???????? 84c0 7508 83c8ff e9???????? } // n = 7, score = 300 // 85c0 \| mov dword ptr [eax + 0x14], eax // 7511 \| dec ecx // e8???????? \| // 84c0 \| mov dword ptr [ebx + 0x40], ecx // 7508 \| dec ecx // 83c8ff \| cmp ecx, dword ptr [ebx + 0x30] // e9???????? \| $sequence_2 = { 85c0 7511 e8???????? 84c0 } // n = 4, score = 300 // 85c0 \| je 0x15c9 // 7511 \| mov esi, eax // e8???????? \| // 84c0 \| push dword ptr [edi] $sequence_3 = { ff15???????? 85c0 7511 e8???????? 84c0 7508 83c8ff } // n = 7, score = 300 // ff15???????? \| // 85c0 \| cmp ebp, dword ptr [edi + 0xc] // 7511 \| jne 0x626 // e8???????? \| // 84c0 \| push dword ptr [edi + 0x14] // 7508 \| add esp, 0x14 // 83c8ff \| add edi, 4 $sequence_4 = { 7511 e8???????? 84c0 7508 83c8ff e9???????? } // n = 6, score = 300 // 7511 \| dec eax // e8???????? \| // 84c0 \| mov ecx, dword ptr [ebp - 0x28] // 7508 \| dec eax // 83c8ff \| mov dword ptr [ebp - 0x20], edi // e9???????? \| $sequence_5 = { ff15???????? 85c0 7511 e8???????? 84c0 7508 } // n = 6, score = 300 // ff15???????? \| // 85c0 \| mov eax, dword ptr [ebp + 0x14] // 7511 \| cmp dword ptr [ebp + 0xc], 0 // e8???????? \| // 84c0 \| push esi // 7508 \| mov esi, dword ptr [ebp + 8] $sequence_6 = { 7511 e8???????? 84c0 7508 83c8ff } // n = 5, score = 300 // 7511 \| dec eax // e8???????? \| // 84c0 \| cwde // 7508 \| inc ecx // 83c8ff \| mov dword ptr [esp + eax4], edx $sequence_7 = { ff15???????? 85c0 7511 e8???????? 84c0 } // n = 5, score = 300 // ff15???????? \| // 85c0 \| pop esi // 7511 \| mov dword ptr [esi + 0x40], eax // e8???????? \| // 84c0 \| mov ebx, dword ptr [esi + 0x3c] $sequence_8 = { 85c0 7511 e8???????? 84c0 7508 83c8ff } // n = 6, score = 300 // 85c0 \| cmp edi, ebx // 7511 \| jne 0x78b // e8???????? \| // 84c0 \| dec eax // 7508 \| cmp dword ptr [esi + 0x150], ebp // 83c8ff \| je 0x7fa $sequence_9 = { 4133c0 23c1 33c2 4103c1 } // n = 4, score = 200 // 4133c0 \| inc eax // 23c1 \| mov dword ptr [ebp - 0x20], eax // 33c2 \| lea eax, [ebp - 0x20] // 4103c1 \| push eax condition: 7 of them and filesize < 950272 }
[TLP:WHITE] win_gazer_w0 (20170831 \| Turla Gazer malware) // For feedback or questions contact us at: github@eset.com // https://github.com/eset/malware-ioc/ // // These yara rules are provided to the community under the two-clause BSD // license as follows: // // Copyright (c) 2017, ESET // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this // list of conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // import "pe" rule win_gazer_w0 { meta: author = "ESET Research" date = "2017-08-30" info = "certificate subject" description = "Turla Gazer malware" reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/" source = "https://github.com/eset/malware-ioc/" contact = "github@eset.com" license = "BSD 2-Clause" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer" malpedia_version = "20170831" malpedia_license = "BSD 2-Clause" malpedia_sharing = "TLP:WHITE" condition: for any i in (0..pe.number_of_signatures - 1): (pe.signatures[i].subject contains "Solid Loop" or pe.signatures[i].subject contains "Ultimate Computer Support") }
[TLP:WHITE] win_gazer_w1 (20170831 \| Turla Gazer malware) // // Copyright (c) 2017, ESET // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this // list of conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // rule win_gazer_w1 { meta: author = "ESET Research" date = "2017-08-30" info = "logfile name" description = "Turla Gazer malware" reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/" source = "https://github.com/eset/malware-ioc/" contact = "github@eset.com" license = "BSD 2-Clause" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer" malpedia_version = "20170831" malpedia_license = "BSD 2-Clause" malpedia_sharing = "TLP:WHITE" strings: $s1 = "CVRG72B5.tmp.cvr" $s2 = "CVRG1A6B.tmp.cvr" $s3 = "CVRG38D9.tmp.cvr" condition: 1 of them }
[TLP:WHITE] win_gazer_w2 (20170831 \| Turla Gazer malware) // // Copyright (c) 2017, ESET // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this // list of conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // rule win_gazer_w2 { meta: author = "ESET Research" date = "2017-08-30" info = "certificate" description = "Turla Gazer malware" reference = "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/" source = "https://github.com/eset/malware-ioc/" contact = "github@eset.com" license = "BSD 2-Clause" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer" malpedia_version = "20170831" malpedia_license = "BSD 2-Clause" malpedia_sharing = "TLP:WHITE" strings: $certif1 = {52 76 a4 53 cd 70 9c 18 da 65 15 7e 5f 1f de 02} $certif2 = {12 90 f2 41 d9 b2 80 af 77 fc da 12 c6 b4 96 9c} condition: 1 of them and filesize < 2MB }

Gazer Propose Change

References

Yara Rules

Gazer