One of the most important tools for the threat hunter and malware analyst (among others) is YARA rules. YARA is described as “the pattern matching swiss knife for malware researchers” and is commonly used to find patterns in binaries, plain text files, documents, and even network captures.
At Stratosphere we actively use them to identify and acquire samples, fresh or old, of specific threats and campaigns. In the spirit of sharing our knowledge with the community, we have created a repository with the rules we have written and used so far. The rules are separated into three categories: malware, protocols and tools. The first category contains YARA rules used to identify malware families. The second is protocol centered: its rules search for samples that use a specific application or network protocol. Rule names follow the pattern <OS>_<TYPE>_<NAME>.yar so they can be identified quickly. The third category is where we share the tools we created to build or use specific YARA rules. For now it contains a single tool, which generates rules based on the IPv6 ranges of a specific country. The resulting rules can be used by the analyst for further research or as a base for developing a more specific rule.
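As an added example (not code from the Stratosphere repository), here is a small generator in the spirit of the IPv6 tool described above: it turns a list of IPv6 prefixes into a YARA rule with one regex per prefix, matching the textual form of addresses inside that range. The prefixes below are constructed documentation ranges, not a real country allocation; the rule name and `matches` helper are assumptions for illustration.

```python
import ipaddress
import re

def prefix_to_regex(cidr: str) -> str:
    """Build a YARA-compatible regex for textual IPv6 addresses inside `cidr`.

    Only prefix lengths that are non-zero multiples of 16 (whole hextets) are
    supported: a partial hextet cannot be written as a fixed hex string.
    Caveat: the pattern requires every fixed hextet to be written out, so an
    address whose fixed part is compressed with "::" (e.g. 2001:db8::1 for
    the /64 2001:db8:0:1::) will not match.
    """
    net = ipaddress.IPv6Network(cidr, strict=True)
    if net.prefixlen == 0 or net.prefixlen % 16 != 0:
        raise ValueError(f"{cidr}: prefix length must be a non-zero multiple of 16")
    hextets = net.network_address.exploded.split(":")[: net.prefixlen // 16]
    parts = []
    for h in hextets:
        stripped = h.lstrip("0")
        if not stripped:                      # all-zero hextet: "0" to "0000"
            parts.append("0{1,4}")
        elif len(stripped) == 4:              # no leading zeros to allow
            parts.append(stripped)
        else:                                 # leading zeros are optional in text
            parts.append("0{0,%d}%s" % (4 - len(stripped), stripped))
    # Leading class keeps us from matching inside a longer hex run; the trailing
    # ":" makes sure the last fixed hextet is complete.
    return "[^0-9a-f:]" + ":".join(parts) + ":"

def build_rule(name: str, prefixes: list, country: str) -> str:
    """Emit a YARA rule with one case-insensitive regex string per prefix."""
    lines = [f"rule {name}", "{", "    meta:",
             f'        description = "Textual IPv6 addresses in ranges assigned to {country}"',
             "    strings:"]
    for i, cidr in enumerate(prefixes):
        lines.append(f"        $p{i} = /{prefix_to_regex(cidr)}/ nocase  // {cidr}")
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)

def matches(cidr: str, text: str) -> bool:
    """Check a generated pattern against sample text (YARA's `nocase` ~ IGNORECASE)."""
    return re.search(prefix_to_regex(cidr), text, re.IGNORECASE) is not None

# Constructed sample prefixes (documentation ranges), not a real allocation.
SAMPLE_PREFIXES = ["2001:db8::/32", "2001:db8:abcd::/48"]

if __name__ == "__main__":
    print(build_rule("ipv6_example_country", SAMPLE_PREFIXES, "Example"))
```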
The rules can be downloaded from https://github.com/stratosphereips/yara-rules. For now the repository holds 13 rules, and we hope it will grow!