mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-02-07 19:23:18 +08:00
38 lines
1.2 KiB
YAML
38 lines
1.2 KiB
YAML
id: macos-bella-malware
|
|
|
|
info:
|
|
name: Bella Malware - Detect
|
|
author: daffainfo
|
|
severity: info
|
|
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/macos/malware_macos_bella.yara
|
|
tags: malware,file,macos-bella
|
|
file:
|
|
- extensions:
|
|
- all
|
|
|
|
matchers-condition: or
|
|
matchers:
|
|
- type: word
|
|
part: raw
|
|
words:
|
|
- "Verified! [2FV Enabled] Account ->"
|
|
- "There is no root shell to perform this command. See [rooter] manual entry."
|
|
- "Attempt to escalate Bella to root through a variety of attack vectors."
|
|
- "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER."
|
|
condition: or
|
|
|
|
- type: word
|
|
part: raw
|
|
words:
|
|
- "user_pass_phish"
|
|
- "bella_info"
|
|
- "get_root"
|
|
condition: and
|
|
|
|
- type: word
|
|
part: raw
|
|
words:
|
|
- "Please specify a bella server."
|
|
- "What port should Bella connect on [Default is 4545]:"
|
|
condition: and
|
|
# digest: 4a0a00473045022100b876bbe208f565b67632157baace763709ab49dba00b6b330bb8dbb1b2725f5902203cd581b750f72eb0f712aad0397d0456e75196c6dbac7da8d10006ef59ed967c:922c64590222798bb761d5b6d8e72950 |