{ "type": "bundle", "id": "bundle--e7a9d63f-5336-44c8-8dbb-6c961d9d72fe", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--905e45e7-af77-42eb-9289-5cd4fbbb0fa5", "created": "2023-03-08T12:51:41.595163Z", "modified": "2023-03-08T14:31:55.177985Z", "name": "GregLesewich", "identity_class": "organization" }, { "type": "url", "spec_version": "2.1", "id": "url--c1044d52-426f-4905-89da-fa1e2d65eeee", "value": "https://content.dropboxapi.com/2/files/upload" }, { "type": "url", "spec_version": "2.1", "id": "url--f038e68c-d14a-4800-8c23-b4e782ab82e7", "value": "https://api.dropboxapi.com/2/files/list_folder" }, { "type": "file", "spec_version": "2.1", "id": "file--e5e6c6bc-1648-4c56-bd45-cc9921facfc5", "hashes": { "SHA-256": "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f545e87c-c01b-4137-8d3d-c1799444bf25", "created": "2026-06-24T18:09:14.824343Z", "modified": "2026-06-24T18:09:14.824343Z", "name": "YARA Rule", "pattern": "rule MAL_CloudMensis_FlowEncrypt\r\n{\r\n \tmeta:\r\n \t\tauthor = \"Greg Lesnewich\"\r\n \t\tdescription = \"track the CloudMensis malware family based on hardcoded FlowEncrypt routine\"\r\n \t\tversion = \"1.0\"\r\n \t\treference = \"https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/\"\r\n \t\thash = \"b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd\"\r\n\r\n \tstrings:\r\n \t\t$FlowEncrypt = { b8 11 00 00 00 31 f6 41 b9 ?? ?? ?? ?? 41 0f b6 f8 40 30 3c 32 8d 44 07 1f 48 89 c7 49 0f af f9 48 c1 ef 27 69 ff fb 00 00 00 29 f8 48 ff c6 41 89 c0 48 39 f1}\r\n\r\n \t\t\t// 0x100039363 mov eax, 0x11\r\n \t\t\t// 0x100039368 xor esi, esi\r\n \t\t\t// 0x10003936a mov r9d, 0x828cbfbf\r\n \t\t\t// 0x100039370 movzx edi, r8b\r\n \t\t\t// 0x100039374 xor byte [rdx + rsi], dil ; arg3\r\n \t\t\t// 0x100039378 lea eax, [rdi + rax + 0x1f]\r\n \t\t\t// 0x10003937c mov rdi, rax\r\n \t\t\t// 0x10003937f imul rdi, r9\r\n \t\t\t// 0x100039383 shr rdi, 0x27\r\n \t\t\t// 0x100039387 imul edi, edi, 0xfb\r\n \t\t\t// 0x10003938d sub eax, edi\r\n \t\t\t// 0x10003938f inc rsi\r\n \t\t\t// 0x100039392 mov r8d, eax\r\n \t\t\t// 0x100039395 cmp rcx, rsi ; arg4\r\n\r\n $FlowEncrypt_ARM = {4b 00 40 39 6b 01 04 4a 4b 14 00 38 4a 01 24 0b 4a 7d 00 11 4b 7d a8 9b 6b fd 67 d3 6a a9 09 1b e4 03 0a aa 63 04 00 f1 }\r\n \t\t\t// int64_t _-[functions FlowEncrypt:::](int64_t, int64_t,\r\n \t\t\t// char* arg3, int64_t arg4, char arg5)\r\n \t\t\t// 100032b78 030200b4 cbz x3, 0x100032bb8\r\n \t\t\t// 100032b7c 2a028052 mov w10, #0x11\r\n \t\t\t// 100032b80 e8f79752 mov w8, #0xbfbf\r\n \t\t\t// 100032b84 8851b072 movk w8, #0x828c, lsl #0x10 {0xbfbf} {0x828cbfbf}\r\n \t\t\t// 100032b88 691f8052 mov w9, #0xfb\r\n \t\t\t// 100032b8c 4b004039 ldrb w11, [x2]\r\n \t\t\t// 100032b90 6b01044a eor w11, w11, w4\r\n \t\t\t// 100032b94 4b140038 strb w11, [x2], #0x1\r\n \t\t\t// 100032b98 4a01240b add w10, w10, w4, uxtb\r\n \t\t\t// 100032b9c 4a7d0011 add w10, w10, #0x1f\r\n \t\t\t// 100032ba0 4b7da89b umull x11, w10, w8\r\n \t\t\t// 100032ba4 6bfd67d3 lsr x11, x11, #0x27\r\n \t\t\t// 100032ba8 6aa9091b msub w10, w11, w9, w10\r\n \t\t\t// 100032bac e4030aaa mov x4, x10\r\n \t\t\t// 100032bb0 630400f1 subs x3, x3, #0x1\r\n \t\t\t// 100032bb4 c1feff54 b.ne 0x100032b8c\r\n \tcondition:\r\n \t\t\t1 of them\r\n}", "pattern_type": "yara", "valid_from": "2023-01-16T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--611742c6-3092-43a9-8012-88df2e948fac", "created": "2026-06-24T18:09:14.825089Z", "modified": "2026-06-24T18:09:14.825089Z", "name": "YARA Rule", "pattern": "rule MAL_CloudMensis_FlowEncrypt\r\n{\r\n \tmeta:\r\n \t\tauthor = \"Greg Lesnewich\"\r\n \t\tdescription = \"track the CloudMensis malware family based on hardcoded FlowEncrypt routine\"\r\n \t\tversion = \"1.0\"\r\n \t\treference = \"https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/\"\r\n \t\thash = \"b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd\"\r\n\r\n \tstrings:\r\n \t\t$FlowEncrypt = { b8 11 00 00 00 31 f6 41 b9 ?? ?? ?? ?? 41 0f b6 f8 40 30 3c 32 8d 44 07 1f 48 89 c7 49 0f af f9 48 c1 ef 27 69 ff fb 00 00 00 29 f8 48 ff c6 41 89 c0 48 39 f1}\r\n\r\n \t\t\t// 0x100039363 mov eax, 0x11\r\n \t\t\t// 0x100039368 xor esi, esi\r\n \t\t\t// 0x10003936a mov r9d, 0x828cbfbf\r\n \t\t\t// 0x100039370 movzx edi, r8b\r\n \t\t\t// 0x100039374 xor byte [rdx + rsi], dil ; arg3\r\n \t\t\t// 0x100039378 lea eax, [rdi + rax + 0x1f]\r\n \t\t\t// 0x10003937c mov rdi, rax\r\n \t\t\t// 0x10003937f imul rdi, r9\r\n \t\t\t// 0x100039383 shr rdi, 0x27\r\n \t\t\t// 0x100039387 imul edi, edi, 0xfb\r\n \t\t\t// 0x10003938d sub eax, edi\r\n \t\t\t// 0x10003938f inc rsi\r\n \t\t\t// 0x100039392 mov r8d, eax\r\n \t\t\t// 0x100039395 cmp rcx, rsi ; arg4\r\n\r\n\r\n \tcondition:\r\n \t\t\t1 of them\r\n}", "pattern_type": "yara", "valid_from": "2023-01-16T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1c057426-b4b5-4403-a39b-4aaf5651f73a", "created": "2026-06-24T18:09:14.825682Z", "modified": "2026-06-24T18:09:14.825682Z", "name": "YARA Rule", "pattern": "rule APT_NK_APT37_CloudMensis_ClassData\r\n{\r\n \tmeta:\r\n \t\tauthor = \"Greg Lesnewich\"\r\n \t\tdescription = \"track the CloudMensis backdoor based on embedded class interface names\"\r\n \t\tversion = \"1.0\"\r\n \t\treference = \"https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/\"\r\n \t\thash = \"b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd\"\r\n\r\n \tstrings:\r\n \t\t$functions1 = \"CreatePlistFileAt\" ascii wide\r\n \t\t$functions2 = \"EMAILSearchAndMoveFS\" ascii wide\r\n \t\t$functions3 = \"EncryptMyFile\" ascii wide\r\n \t\t$functions4 = \"ExecuteCmdAndSaveResult\" ascii wide\r\n \t\t$functions5 = \"uploadImmediately\" ascii wide\r\n \t\t$functions6 = \"ExecuteShellCmdAndUpload\" ascii wide\r\n \t\t$functions7 = \"FlowEncrypt\" ascii wide\r\n \t\t$functions8 = \"GetIpAndCountryCode\" ascii wide\r\n \t\t$functions9 = \"RSAEncryptData\" ascii wide\r\n \t\t$functions10 = \"UploadFileImmediately\" ascii wide\r\n \t\t$functions11 = \"ZipAndMoveZS\" ascii wide\r\n\r\n \t\t$screenkeylog1 = \"screen_keylog\" ascii wide\r\n \t\t$screenkeylog2 = \"keyLogger\" ascii wide\r\n \t\t$screenkeylog3 = \"keylog\" ascii wide\r\n \t\t$screenkeylog4 = \"runKeyScreenFunc\" ascii wide\r\n\r\n \t\t$get_comInfo1 = \"get_comInfo\"\r\n \t\t$get_comInfo2 = \"getCurrentTimeAsDWORD\"\r\n \t\t$get_comInfo3 = \"getCurrentTimeAsStruct\"\r\n \t\t$get_comInfo4 = \"getDiskUsage\"\r\n \t\t$get_comInfo5 = \"getLoginName\"\r\n \t\t$get_comInfo6 = \"getMacMinorVersion\"\r\n \t\t$get_comInfo7 = \"getMacPatchVersion\"\r\n \t\t$get_comInfo8 = \"getMemoryUsed\"\r\n \t\t$get_comInfo9 = \"getMyFileModified:\"\r\n \t\t$get_comInfo10 = \"getMyFileSize:\"\r\n \t\t$get_comInfo11 = \"getProcessMemory\"\r\n \t\t$get_comInfo12 = \"getSysBit\"\r\n \t\t$get_comInfo13 = \"initCloudCmdDirectories\"\r\n \t\t$get_comInfo14 = \"initCloudDataDirectories\"\r\n \t\t$get_comInfo15 = \"strControlEntry\"\r\n\r\n \t\t$dev = \"LeonWork/MainTask/BaD/Client_v\" ascii wide\r\n\r\n \tcondition:\r\n \t\t(uint32be(0x0) == 0xCAFEBABE or uint32be(0x0) == 0xCFFAEDFE) and \r\n \t\t((3 of ($get_comInfo*) and (2 of ($functions*) or 1 of ($screenkeylog*))) or $dev and 3 of them)\r\n}", "pattern_type": "yara", "valid_from": "2023-01-16T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--52f99e60-c8c1-46bd-b8c3-46b7c6536c74", "hashes": { "SHA-1": "55554944ad0c6122f4393d7a831706fbda3b38ac" } }, { "type": "url", "spec_version": "2.1", "id": "url--f8e384ec-1fde-44dc-b3db-aacc7c7eb0b3", "value": "https://api.dropboxapi.com/2/files/create_folder_v2" }, { "type": "url", "spec_version": "2.1", "id": "url--4bdc5d5f-be93-4000-b171-2fa8250ec703", "value": "https://api.dropboxapi.com/2/files/delete_v2" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--3be555f5-1f0d-5001-b84a-c6c910760fd0", "created": "2026-06-24T18:09:14.830841Z", "modified": "2026-06-24T18:09:14.830841Z", "name": "APT37" }, { "type": "report", "spec_version": "2.1", "id": "report--0154843a-9a57-46b1-ae56-5aedc96d5f6f", "created_by_ref": "identity--905e45e7-af77-42eb-9289-5cd4fbbb0fa5", "created": "2026-06-24T18:09:14.834741Z", "modified": "2026-06-24T18:09:14.834741Z", "name": "YARA-ing with MacOS", "published": "2023-01-16T00:00:00Z", "object_refs": [ "identity--905e45e7-af77-42eb-9289-5cd4fbbb0fa5", "url--c1044d52-426f-4905-89da-fa1e2d65eeee", "url--f038e68c-d14a-4800-8c23-b4e782ab82e7", "file--e5e6c6bc-1648-4c56-bd45-cc9921facfc5", "indicator--f545e87c-c01b-4137-8d3d-c1799444bf25", "indicator--611742c6-3092-43a9-8012-88df2e948fac", "indicator--1c057426-b4b5-4403-a39b-4aaf5651f73a", "file--52f99e60-c8c1-46bd-b8c3-46b7c6536c74", "url--f8e384ec-1fde-44dc-b3db-aacc7c7eb0b3", "url--4bdc5d5f-be93-4000-b171-2fa8250ec703", "threat-actor--3be555f5-1f0d-5001-b84a-c6c910760fd0" ], "external_references": [ { "source_name": "source", "url": "https://github.com/g-les/100DaysofYARA/blob/main/100DaysofYARA_2023_Blog4_CloudMensis_RokRAT.ipynb" } ] } ] }