Indicator (IOC)
Essential information
- Value / Name: dca1f1581a0c6fe7647e710ba4ef035308523823
- Confidence: 100/100
- Revoked: Yes
- Valid from: 02/06/2022 10:15
- Valid until: 05/09/2023 10:15
- Pattern type: yara
- Published: 20/12/2025 19:32
- Modified: 20/12/2025 21:15
- Author / Source: AlienVault
Description
No description.
Pattern
rule lyceum_golang_backdoor
{
    meta:
        author = "CPR"
        hash1 = "a437f997d45bc14e76d0f2482f572a34"
        hash2 = "23d174e6a0905fd59b2613d5ac106261"
        hash3 = "bcb465cc2257e5777bab431690ca5039"

    strings:
        // Go symbol names left in the binary (package main functions)
        $func1 = "main.Ase256"
        $func2 = "main.DecryptAse256"
        $func3 = "main.IsServerUp"
        $func4 = "main.register"
        $func5 = "main.commandforrun"
        $func6 = "main.UPLOAD"
        $func7 = "main.commandforanswer"
        $func8 = "main.GetMD5Hash"
        $func9 = "main.get_uid"
        $func10 = "main.commandrun"
        $func11 = "main.download"
        $func12 = "main.postFile"
        $func13 = "main.sendAns"
        $func14 = "main.comRun"

        // C2 URI paths and the hard-coded authentication token string
        $cnc_uri1 = "/GO/1.php"
        $cnc_uri2 = "/GO/2.php"
        $cnc_uri3 = "/GO/3.php"
        $auth_token = "auth_token=\"XXXXXXX\""

        // Status / log messages emitted by the backdoor (typos are in the sample; do not "fix" them)
        $log1 = "client registred"
        $log2 = "no command"
        $log3 = "can not create file"
        $log4 = "errorGettingUserName"
        $log5 = "New record created successfully"
        $log6 = "SERVER_IS_DOWN"

        // Trailing-dot domain string found in the sample
        $dga = "trailers.apple.com."

    condition:
        // MZ header (PE file) plus a combination of the artefacts above
        uint16(0) == 0x5a4d and
        (
            (10 of ($func*) or any of ($cnc_uri*) or $auth_token or 3 of ($log*))
            or ($dga and 4 of them)
        )
}
Labels / Tags
Marking (TLP)
TLP:CLEAR