MINOCAT sample
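// Three GTIG detection rules (MINOCAT, COMPOOD, SNOWLIGHT), restored from the
// collapsed single-line listing to conventional YARA layout.
//
// Defect fixed: the COMPOOD rule's `rev` and `md5` meta values were delimited
// with typographic quotes (“ ”), which YARA does not accept as string
// delimiters, so the rule set would fail to compile. They are now ASCII
// double quotes. Every string pattern and condition is otherwise unchanged.

rule G_APT_Tunneler_MINOCAT_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
        date_modified = "2025-12-10"
        rev = "1"
        md5 = "533585eb6a8a4aad2ad09bbf272eb45b"

    strings:
        // ELF magic (\x7fELF); anchored at offset 0 in the condition.
        $magic = { 7F 45 4C 46 }
        // Code fragments GTIG labels as the sample's decrypt / XOR routines.
        $decrypt_func = { 48 85 F6 0F 94 C1 48 85 D2 0F 94 C0 08 C1 0F 85 }
        $xor_func = { 4D 85 C0 53 49 89 D2 74 57 41 8B 18 48 85 FF 74 }
        // Messages from the embedded xfrp component (an frp-style reverse
        // proxy client, judging by the strings themselves).
        $frp_str1 = "libxf-2.9.644/main.c"
        $frp_str2 = "xfrp login response: run_id: [%s], version: [%s]"
        $frp_str3 = "cannot found run ID, it should inited when login!"
        $frp_str4 = "new work connection request run_id marshal failed!"
        // Messages from the embedded telnetd.
        $telnet_str1 = "Starting telnetd on port %d\n"
        $telnet_str2 = "No login shell found at %s\n"
        // Hard-coded key string carried by the sample.
        $key = "bigeelaminoacow"

    condition:
        // Requires an ELF file, one of the two code fragments, at least two
        // xfrp strings, at least one telnetd string and the key string.
        $magic at 0 and
        (1 of ($decrypt_func, $xor_func)) and
        (2 of ($frp_str*)) and
        (1 of ($telnet_str*)) and
        $key
}

rule G_Backdoor_COMPOOD_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
        date_modified = "2025-12-11"
        rev = "1"                                   // was “1” (typographic quotes)
        md5 = "d3e7b234cf76286c425d987818da3304"    // was “…” (typographic quotes)

    strings:
        // Package.Function symbol names that appear specific to the backdoor
        // (Go-style identifiers, judging by $strings_12's import path).
        $strings_1 = "ShellLinux.Shell"
        $strings_2 = "ShellLinux.Exec_shell"
        $strings_3 = "ProcessLinux.sendBody"
        $strings_4 = "ProcessLinux.ProcessTask"
        $strings_5 = "socket5Quick.StopProxy"
        $strings_6 = "httpAndTcp"
        $strings_7 = "clean.readFile"
        // NOTE(review): $strings_8..$strings_11 look like generic runtime
        // artifacts that many benign Go ELF binaries also contain — confirm.
        // The rule's specificity rests on the symbol names above plus the
        // 8-of-12 threshold below; test against benign Go samples before
        // deploying in blocking mode.
        $strings_8 = "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size"
        $strings_9 = "/proc/self/auxv"
        $strings_10 = "/dev/urandom"
        $strings_11 = "client finished"
        $strings_12 = "github.com/creack/pty.Start"

    condition:
        // 0x464C457F is the little-endian uint32 read of the ELF magic
        // bytes 7F 45 4C 46 at offset 0.
        uint32(0) == 0x464C457f and
        8 of ($strings_*)
}

rule G_Hunting_Downloader_SNOWLIGHT_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
        date_created = "2025-03-25"
        date_modified = "2025-03-25"
        md5 = "3a7b89429f768fdd799ca40052205dd4"
        rev = 1     // integer here, while the two rules above use the string "1"

    strings:
        // Fragments of the downloader's shell-script stage.
        $str1 = "rm -rf $v"
        $str2 = "&t=tcp&a="
        $str3 = "&stage=true"
        $str4 = "export PATH=$PATH:$(pwd)"
        // $str5..$str7 are short and common on their own; the condition's
        // "all of them" plus the size cap keeps the rule targeted.
        $str5 = "curl"
        $str6 = "wget"
        $str7 = "python -c 'import urllib"

    condition:
        // Hunting rule: every string must be present in a file under 5 KB.
        all of them and filesize < 5KB
}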