Threat detection with YARA
In this guide, we're creating a file classification rule for a specific project in the package store.
1. Create the YARA rule
In your rl-secure package store, access the project directory where you want to place the custom YARA rule. By default, every project directory contains the .yara directory.
Navigate to the .yara directory and create a file named My_Classification_Rule.yara inside it.
2. Add the YARA rule contents
Open the newly created My_Classification_Rule.yara file in a text editor.
Copy the YARA rule contents from the following example into the file.
Example 1: Classify files as malicious
Third-party software components may be compromised even when they're installed from popular and generally trustworthy sources like official package repositories. Malicious actors use techniques such as typo-squatting, obfuscation, and backdoor planting to create opportunities for further software supply chain compromise, data exfiltration, and malware execution. To reduce this risk, audit third-party and open-source libraries before using them in your development environments.
You can create a YARA rule that classifies a software component as malicious when specific patterns and behaviors are detected.
In this example, we use patterns identified in the IconBurst NPM software supply chain attack. Specifically, the YARA rule matches the contents of package.json files against the regular expressions defined in the strings section. Each group of strings describes the name, version, main entry point, and empty author field of one package version known from the attack. When every string in one of those groups is present in a package.json file (the condition section requires all of a group, not just one of its strings), the associated NPM package is related to IconBurst and should not be used.
When the rule is triggered, the file classification from the meta section is applied. Matching files are classified as malicious and assigned the threat name Text.Infostealer.IconBurst.
rule Text_Infostealer_IconBurst : tc_detection malicious
{
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "MALWARE"
        malware = "ICONBURST"
        description = "Yara rule that detects package.json files of NPM packages related to the IconBurst software supply chain attack."
        tc_detection_type = "Infostealer"
        tc_detection_name = "IconBurst"
        tc_detection_factor = 5

    strings:
        $ajaxapis_v1_0_0_name = /\"name\"\s{0,10}:\s{0,10}\"ajaxapis\"/
        $ajaxapis_v1_0_0_version = /\"version\"\s{0,10}:\s{0,10}\"1\.0\.0\"/
        $ajaxapis_v1_0_0_main = /\"main\"\s{0,10}:\s{0,10}\"ajax\.min\.js\"/
        $ajaxapis_v1_0_0_author = /\"author\"\s{0,10}:\s{0,10}\"\"/

        $package_icon_v6_0_5_name = /\"name\"\s{0,10}:\s{0,10}\"package\-icon\"/
        $package_icon_v6_0_5_version = /\"version\"\s{0,10}:\s{0,10}\"6\.0\.5\"/
        $package_icon_v6_0_5_main = /\"main\"\s{0,10}:\s{0,10}\"ionicons\.map\.js\"/
        $package_icon_v6_0_5_author = /\"author\"\s{0,10}:\s{0,10}\"\"/

        $swiper_bundle_v3_7_1_name = /\"name\"\s{0,10}:\s{0,10}\"swiper\-bundle\"/
        $swiper_bundle_v3_7_1_version = /\"version\"\s{0,10}:\s{0,10}\"3\.7\.1\"/
        $swiper_bundle_v3_7_1_main = /\"main\"\s{0,10}:\s{0,10}\"node\.js\"/
        $swiper_bundle_v3_7_1_author = /\"author\"\s{0,10}:\s{0,10}\"\"/

    condition:
        (
            all of ($ajaxapis_v1_0_0_*)
        ) or
        (
            all of ($package_icon_v6_0_5_*)
        ) or
        (
            all of ($swiper_bundle_v3_7_1_*)
        )
}
You can find more examples of YARA rules in the official ReversingLabs GitHub repository.
All rules from the repository are already included in Spectra Assure products.
3. Enable the rule
Save your changes to the My_Classification_Rule.yara file.
After saving changes to the rule, synchronize the project to apply the rule to all packages in the project.
- Simplified input
- Extended input
rl-secure sync pkg:rl/my-project
rl-secure sync --purl=pkg:rl/my-project --rl-store=/home/armando/my-repository/
You can confirm the rule has been used during analysis by looking at the report.
Export the SAFE report (rl-html) for a package version in the project:
- Simplified input
- Extended input
rl-secure report rl-html pkg:rl/my-project/my-package@version
rl-secure report rl-html --purl=pkg:rl/my-project/my-package@version --rl-store=/home/armando/my-repository/ --output-path=/home/armando/secure-software-reports
Open the SAFE report in your web browser and navigate to the Policies page from the sidebar on the left-hand side.
Filter the page by policy category (select YARA Policies in the filter dropdown) to check that the rule you created is listed.