Writing Rules for Non-Objective C Malware
2023-01-18 • Greg Lesewich •
https://github.com/g-les/100DaysofYARA/blob/main/100DaysofYARA_2023_Blog5_MATA_Dacls.ipynb
The post examines the macOS port of the DPRK-linked Dacls/MATA malware family and shows how to build YARA rules from traits of a Mach-O binary that are not Objective-C artifacts. The analysis focuses on exported MataNet function names, wolfSSL-linked symbols, HTTP header strings, plist persistence paths, RC4 routines, and the reverse-shell and networking functions visible in the sample. It treats those strings and symbols as higher-value signature material for detecting MATA components and points readers to protocol-emulation research for deeper C2 discovery. The post is useful for Lazarus/DPRK tracking because it documents practical macOS malware detection logic rather than a new intrusion campaign.
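The following rule is an added illustration of the approach described above and is not one of the rules from the notebook. It combines the trait classes the post relies on: a Mach-O header check, wolfSSL API names that survive in a statically linked binary, generic HTTP header fragments, and a macOS LaunchDaemons path. The wolfSSL function names and the `/Library/LaunchDaemons/` path are real; the header fragments, the plist-path choice and the rule name are assumptions, not the sample's actual values.

```yara
rule SUSP_Macho_wolfSSL_HTTP_Plist_Example
{
    meta:
        description = "Added example: Mach-O with static wolfSSL symbols, HTTP header strings and a LaunchDaemons path (assumed traits, not values taken from the MATA sample)"
        reference   = "https://github.com/g-les/100DaysofYARA/blob/main/100DaysofYARA_2023_Blog5_MATA_Dacls.ipynb"

    strings:
        // Real wolfSSL API names; they stay in the symbol table when wolfSSL is linked statically
        $wolf1 = "wolfSSL_Init" ascii
        $wolf2 = "wolfSSL_CTX_new" ascii
        $wolf3 = "wolfSSL_connect" ascii

        // Generic header fragments a hand-rolled HTTP client embeds (assumed, not the sample's exact strings)
        $http1 = "Content-Type: " ascii
        $http2 = "User-Agent: " ascii

        // Real macOS persistence directory; the plist filename is deliberately not assumed
        $plist = "/Library/LaunchDaemons/" ascii

    condition:
        // Mach-O magic as read by uint32(0), which is little-endian:
        // 32-bit and 64-bit thin binaries in either byte order, plus fat binaries
        (
            uint32(0) == 0xfeedface or uint32(0) == 0xfeedfacf or
            uint32(0) == 0xcefaedfe or uint32(0) == 0xcffaedfe or
            uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
        )
        and 2 of ($wolf*)
        and 1 of ($http*)
        and $plist
}
```

Run it with `yara -s rule.yar /path/to/sample` to print the matching strings alongside the rule name. Requiring two wolfSSL names and the header check together keeps the rule from firing on every binary that merely links wolfSSL; tighten it further by swapping the generic header fragments for the exact header values observed in the sample.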
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| YARA | MAL_MATA_Beacon_Command_Opcodes | 2023-01-18 | 2023-01-18 |
| YARA | MAL_MATA_SendPacket_Command_Opc… | 2023-01-18 | 2023-01-18 |
| YARA | SUSP_Macho_AES_CBC_Mode_XOR | 2023-01-18 | 2023-01-18 |
| YARA | SUSP_Macho_Library_StackString | 2023-01-18 | 2023-01-18 |
| IPv4 | 67.43.239.146 | 2020-05-05 | 2023-01-18 |
| IPv4 | 185.62.58.207 | 2020-05-05 | 2023-01-18 |