
Hunting APTs with YARA

For the past few years, we have been sharing our knowledge and experience of using YARA, often called a pattern-matching Swiss Army knife for malware researchers (and everyone else). Most of the time, this took the form of the Kaspersky training course titled “Hunting APTs with YARA Like a GReAT Ninja”. The first YARA training session of that kind took place in February 2016, on the beautiful island of Tenerife. We have had hundreds of participants attend sessions in over a dozen countries since then.

Our next YARA training session was scheduled to take place in Barcelona during SAS 2020; however, the global situation and the spread of the novel 2019 coronavirus disease, aka COVID-19, forced us to postpone both the conference and the training.

Meanwhile, we have been receiving a lot of requests to make our YARA hands-on training available to more people. We are working on this and we should soon be able to provide it as an online training experience. Stay tuned for updates by following us on Twitter: @craiu @kaspersky.

With many people working from home and spending even more time online, it is also likely the number of threats and attacks will increase as well. Therefore, we have decided to share some of the YARA experience we have accumulated during recent years, in the hope that all of you will find it useful for keeping threats at bay.

So, if you have wondered how to leverage YARA better and how to achieve a new level of knowledge in APT detection, mitigation and response, it all boils down to a couple of secret ingredients and lots of work. While the work is up to you, we can help a bit with a preview of the secret ingredients.

Long story short:

When: March 31, 14:00 GMT
Where: BrightTalk – https://kas.pr/z2o2
Who: Security researchers and incident response personnel, malware analysts, security engineers, network security analysts, APT hunters and IT security staff

During the webinar, we will demonstrate examples of real-world hunting rules we have developed internally at GReAT. For instance, these allowed us to find zero-days in-the-wild, financial APT tools, malware targeting crypto-investors, or APT tools that sabotage and tag SSL traffic.

For researchers, knowledge of YARA opens up several interesting opportunities:

  • First of all, this can be a great starting point for a career in threat intelligence.
  • It can help you make your day-to-day work more efficient.
  • You can start hunting for APT samples on platforms such as VirusTotal. All major APTs’ tools have been uploaded on VirusTotal at some point in time; one just needs knowledge and some luck to find those needles.
  • You can start hunting for APTs on your office/home computers, which might bring some interesting, and sometimes, surprising, results.

For organizations, this webinar will be useful if they commonly deal with problems such as:

  • Managing multiple YARA rulesets from various sources; understanding which rules are good enough for detection, which ones are good for hunting and which ones should be avoided
  • Testing for false positives
  • Using YARA for incident response
  • Enhancing your SOC
  • How to keep calm and start using YARA with KLara.

Last but not least, if you want to share feedback or if you have #yara questions that you would like answered at the webinar, please feel free to drop us some comments on Twitter. See you on March 31!


  1. Dean

    Does Kaspersky incorporate their APT findings into their consumer products for detection?
