MALWARE_Storm0978_HTML_PROTHANDLER_Jul23.yar
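rule MALWARE_Storm0978_HTML_PROTHANDLER_Jul23
{
    // Detection logic: an OLE2 compound document (legacy .doc/.xls/.ppt container)
    // that carries HTML/JavaScript injection markers AND references at least one
    // Windows protocol handler. The three gates together keep ordinary Office
    // files and ordinary HTML files from matching on their own.
    meta:
        author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
        description = "Detects Office HTML injection through docfiles with Windows Protocol Handler execution"
        reference = "https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit"
        date = "2023-07-11"
        tlp = "CLEAR"
        // 64 hex characters: SHA-256 of the reference sample
        hash = "07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d"
        yarahub_uuid = "85dbba47-f82d-478f-b941-88ac44f62a2b"
        yarahub_reference_md5 = "26a6a0c852677a193994e4a3ccc8c2eb"
        yarahub_license = "CC BY 4.0"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp = "TLP:WHITE"
        yarahub_author_twitter = "@SI_FalconTeam"

    strings:
        // OLE2 / Compound File Binary header; the condition anchors it at
        // offset 0 so a stray copy of these bytes inside another file type
        // does not satisfy the document gate.
        $doc_magic = {D0 CF 11 E0 A1 B1 1A E1}

        // HTML/JavaScript fragments that have no business inside an OLE
        // container. "nocase ascii wide" covers mixed-case markup and
        // UTF-16 encoded payloads alike.
        $s_htmlTag = "<html>" nocase ascii wide
        $s_location = "location.href" nocase ascii wide
        $s_iframe = "document.write('<iframe" nocase ascii wide
        $s_mhtml = "src=\"mhtml:ms-" nocase ascii wide
        $s_temp = "/appdata/local/temp" nocase ascii wide
        $s_script = "<script defer>" nocase ascii wide

        // Some of the most popular ones;
        // Source: https://github.com/splunk/security_content/blob/develop/lookups/windows_protocol_handlers.csv
        // NOTE(review): these are matched case-sensitively (no "nocase"), while
        // URI schemes themselves are case-insensitive. Adding "nocase" would
        // widen coverage; re-check the false-positive rate on legitimate Office
        // URI-scheme hyperlinks before doing so.
        $prothandler_msdt = "ms-msdt" ascii wide
        $prothandler_search = "search-ms" ascii wide
        $prothandler_msits = "ms-its" ascii wide
        $prothandler_word = "ms-word" ascii wide
        $prothandler_excel = "ms-excel" ascii wide
        $prothandler_powerp = "ms-powerpoint" ascii wide

    condition:
        // "$doc_magic at 0x0" already implies that $doc_magic matches, so the
        // former separate "and $doc_magic" clause was redundant and is dropped.
        $doc_magic at 0x0
        // 4 of the 6 injection markers: tolerant of minor variations while
        // still requiring a substantial HTML/JS payload.
        and 4 of ($s_*)
        // At least one protocol-handler scheme present in the file.
        and 1 of ($prothandler_*)
}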