Advent of Cyber 2025 - Day 13


🔍 Decoding McSkidy’s Message with YARA


Introduction

When McSkidy went missing, chaos spread across The Best Festival Company (TBFC). Yet even in her absence, she found a way to help the blue team. From an anonymous location, she sent a folder of seemingly innocent Easter images. Hidden within these images was a secret message — one that could only be uncovered using the right tool: YARA.

In this challenge, defenders were tasked with creating a YARA rule to:

  • Scan a directory of images

  • Detect hidden keywords

  • Extract encoded codewords

  • Decode McSkidy’s message


🎯 Learning Objectives

By completing this task, you will learn to:

  • Understand what YARA is and why it’s used

  • Recognize scenarios where defenders rely on YARA rules

  • Explore different types of YARA strings

  • Write effective YARA rules

  • Detect malicious indicators in real-world scenarios


What Is YARA?

YARA is a pattern-matching tool used by malware analysts and incident responders to identify and classify malware. Rather than relying on filenames or file hashes, which attackers change trivially, YARA scans files, process memory, and whole directory trees for the patterns a malware family leaves behind (text, byte sequences, regular expressions) and combines them with logical conditions to decide whether a rule matches.

Think of YARA as a detective’s notebook for cyber defenders:

  • Instead of fingerprints, it looks for strings and byte patterns

  • Instead of suspects, it identifies malware families

  • Instead of guesses, it uses logical conditions

Within TBFC, YARA acts as a silent guardian, searching systems for threats that try to hide in plain sight.


Why YARA Matters

Attackers often disguise malware as images, documents, or harmless-looking executables. YARA lets defenders hunt for threats by the content of files and memory, not just by known filenames or hashes, so a renamed or recompiled sample that still carries the same internal strings and code fragments is still found.

Common Use Cases:

  • Post-incident analysis: searching for leftover traces

  • Threat hunting: scanning endpoints for malware families

  • Intelligence-driven scans: using community-shared rules

  • Memory analysis: detecting malicious code in running processes

Core Benefits of YARA:

  • Speed: scan thousands of files quickly

  • Flexibility: match text, hex, and regex patterns

  • Control: define what “malicious” means

  • Shareability: reuse rules across teams

  • Visibility: connect scattered clues into a full attack story


Anatomy of a YARA Rule

A typical YARA rule consists of three main parts:

  1. Metadata – Provides context about the rule (author, description, date)

  2. Strings – The indicators YARA searches for (text, hex, regex)

  3. Condition – Defines when the rule triggers

Example Rule:

rule TBFC_KingMalhare_Trace {
    meta:
        author = "Defender of SOC-mas"
        description = "Detects traces of King Malhare's malware"
        date = "2025-10-10"
    strings:
        $s1 = "rundll32.exe" fullword ascii     // ASCII text, must not be bordered by alphanumerics
        $s2 = "msvcrt.dll" fullword wide        // same idea, but the UTF-16LE form of the string
        $url = /http:\/\/.*malhare.*/ nocase    // any HTTP URL mentioning "malhare", any case
    condition:
        any of them                             // one matching string is enough to fire
}

Understanding YARA Strings

  • Text strings: simple keyword matching. Modifiers adjust how the match is made: nocase makes it case-insensitive, ascii (the default) and wide select the encoding (wide matches the UTF-16LE form that Windows binaries commonly store), and fullword requires that the match is not immediately preceded or followed by an alphanumeric character

  • Hexadecimal strings: detect raw byte patterns like executable headers ({ 4D 5A })

  • Regular expressions: flexible patterns such as URLs or encoded commands (/http:\/\/.*malhare.*/ nocase)

Conditions control the logic of the rule:

  • any of them → match any string

  • all of them → match all strings

  • Logical combinations → e.g., ($s1 or $s2) and not $benign

  • File properties → e.g., filesize < 700KB


Practical Scenario: Detecting IcedID

TBFC analysts identified a lightweight IcedID loader. Like any Windows executable it begins with the MZ header, so the rule combines that header with a short x64 opcode fragment and a text string, and caps the file size to skip large files that are unlikely to be a loader.

YARA Rule Example:

rule TBFC_Simple_MZ_Detect {
    meta:
        author = "TBFC SOC L2"
        description = "IcedID Rule"
        date = "2025-10-10"
        confidence = "low"
    strings:
        $mz = { 4D 5A }                         // "MZ" DOS header magic
        $hex1 = { 48 8B ?? ?? 48 89 }           // x64 opcode fragment; ?? matches any single byte
        $s1 = "malhare" nocase                  // case-insensitive text string
    condition:
        all of them and filesize < 10485760     // every string present and the file under 10 MiB
}

One caveat a practitioner would add: $mz as written matches the two bytes 4D 5A anywhere in the file, so a non-executable that happens to contain "MZ" in its data satisfies that part of the condition. To require a real DOS header, anchor it with $mz at 0 (or test uint16(0) == 0x5A4D) in the condition instead of leaving it inside all of them. The confidence = "low" in the metadata is an honest reflection of how loose the rule is.

Command used (-r recurses into every subdirectory of the target):

yara -r icedid_starter.yar C:\
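How YARA interprets the three string types described above, and how TBFC_Simple_MZ_Detect's condition is evaluated, can be made concrete by re-implementing that matching in plain Python. This is an added example, not code from the challenge or from YARA itself: it translates the hex string (including ?? and nibble wildcards) and the nocase/wide/fullword text modifiers into byte regexes and runs the rule's condition over two constructed byte buffers (a fake loader and a fake PNG) that are made up for the demonstration. It also reports whether "MZ" sits at offset 0, a check the page's rule does not make.

```python
import re

# String definitions and size limit taken from the TBFC_Simple_MZ_Detect rule above.
MZ_HEX = "4D 5A"
LOADER_HEX = "48 8B ?? ?? 48 89"
TEXT_STRING = "malhare"
MAX_FILESIZE = 10485760  # 10 MiB, the rule's "filesize < 10485760"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string such as '48 8B ?? ?? 48 89' into a bytes regex.
    '??' matches any byte and a single '?' nibble (e.g. '4?') matches any value for
    that nibble; everything else is a literal byte. Jumps like [4-6] are not handled."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif "?" in tok:
            values = [int(tok.replace("?", h), 16) for h in "0123456789ABCDEF"]
            parts.append(b"[" + b"".join(re.escape(bytes([v])) for v in values) + b"]")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '??' also matches 0x0A


def text_to_regex(text: str, nocase=False, wide=False, fullword=False) -> re.Pattern:
    """Build a bytes regex for a YARA text string with the nocase/wide/fullword modifiers.
    wide = UTF-16LE encoding; fullword = no alphanumeric byte immediately before or after
    (simplified: YARA inspects the neighbouring wide character for wide strings)."""
    raw = text.encode("utf-16-le") if wide else text.encode("ascii")
    body = re.escape(raw)
    if fullword:
        body = rb"(?<![A-Za-z0-9])" + body + rb"(?![A-Za-z0-9])"
    return re.compile(body, re.IGNORECASE if nocase else 0)


def evaluate_simple_mz_detect(data: bytes) -> dict:
    """Evaluate the rule's strings and condition over one file's bytes, returning the
    offsets of every match (what 'yara -s' would print) and the condition result."""
    matches = {
        "$mz": [m.start() for m in hex_pattern_to_regex(MZ_HEX).finditer(data)],
        "$hex1": [m.start() for m in hex_pattern_to_regex(LOADER_HEX).finditer(data)],
        "$s1": [m.start() for m in text_to_regex(TEXT_STRING, nocase=True).finditer(data)],
    }
    all_of_them = all(matches.values())
    return {
        "matches": matches,
        "matched": all_of_them and len(data) < MAX_FILESIZE,
        # Not part of the page's rule: its $mz matches "MZ" anywhere, so a non-PE file
        # with "MZ" in its data satisfies it; "$mz at 0" in the condition closes that gap.
        "mz_at_0": 0 in matches["$mz"],
    }


# Constructed inputs for the demonstration (not real samples).
SAMPLE_LOADER = (
    b"MZ" + b"\x90" * 62                                # DOS header magic plus filler
    + b"\x48\x8B\x05\x10\x48\x89\xC1"                     # bytes matching 48 8B ?? ?? 48 89
    + b"\x00" * 16 + b"C2=http://MalHare.example/gate"   # mixed-case hit for "malhare" nocase
)
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"MZ" + b"\x00" * 8  # "MZ" at offset 40, no loader code


if __name__ == "__main__":
    for name, blob in (("loader", SAMPLE_LOADER), ("image", SAMPLE_IMAGE)):
        result = evaluate_simple_mz_detect(blob)
        print(name, "matched" if result["matched"] else "no match", result["matches"])
```

The fake image shows why anchoring matters: its $mz string matches at offset 40, so only the missing $hex1 and $s1 keep the rule from firing on it. Python's regex engine reports non-overlapping matches, whereas YARA reports every occurrence, but presence or absence of a string, which is all the condition uses, is the same.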

Final Challenge: Decoding McSkidy’s Message

Directory to scan: /home/ubuntu/Downloads/easter

Detection criteria: strings starting with TBFC:

Regex pattern used:

/TBFC:[A-Za-z0-9]+/
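The scan itself, as an added example that is not part of the original write-up: the YARA rule wrapping the regex above, and a small Python re-implementation of what yara -r -s does with it (recursive walk, every match with its offset), run over a constructed directory of fake PNG files. The filenames and the codewords alpha, bravo and charlie are placeholders made up for the demonstration, not the challenge's images or message, and the message is assembled in filename order, which is an assumption about how the clues were meant to be read.

```python
import os
import re
import tempfile

# The rule you would save as easter.yar and run with:
#   yara -r -s easter.yar /home/ubuntu/Downloads/easter
# (-r recurses into subdirectories, -s prints each matched string with its offset).
RULE_TEXT = r"""
rule TBFC_Hidden_Codeword {
    meta:
        author = "Defender of SOC-mas"
        description = "Finds TBFC: codewords hidden inside image files"
    strings:
        $code = /TBFC:[A-Za-z0-9]+/
    condition:
        $code
}
"""

CODEWORD = re.compile(rb"TBFC:[A-Za-z0-9]+")  # same regex as the rule, applied to raw bytes
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed stand-ins for the Easter images. The codewords are placeholders for
# the demonstration, not the ones from the challenge.
SAMPLE_IMAGES = {
    "egg1.png": PNG_MAGIC + b"\x00" * 20 + b"TBFC:alpha" + b"\x00" * 5,
    "egg2.png": PNG_MAGIC + b"\x00" * 40 + b"TBFC:bravo",
    "egg3.png": PNG_MAGIC + b"\x00" * 30,                              # clean image, no hit
    "nested/egg4.png": PNG_MAGIC + b"tbfc:lower" + b"TBFC:charlie",   # lowercase decoy is not matched
}


def build_sample_dir() -> str:
    """Write the constructed images into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="easter_")
    for rel, content in SAMPLE_IMAGES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def scan_file(path: str) -> list:
    """Return (offset, codeword) for every match in one file, one per 'yara -s' line."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [(m.start(), m.group().decode("ascii")) for m in CODEWORD.finditer(data)]


def scan_directory(root: str) -> list:
    """Recursively scan root (yara -r) and return (relative path, offset, codeword) hits,
    sorted by path so the order is deterministic whatever the filesystem returns."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for offset, word in scan_file(full):
                hits.append((rel, offset, word))
    return sorted(hits)


def decode_message(hits: list) -> str:
    """Strip the TBFC: prefix from each codeword and join them in filename order."""
    return " ".join(word[len("TBFC:"):] for _, _, word in hits)


if __name__ == "__main__":
    root = build_sample_dir()
    hits = scan_directory(root)
    for rel, offset, word in hits:
        print(f"{rel}  0x{offset:x}:$code: {word}")   # same shape as a yara -s line
    print("Decoded:", decode_message(hits))
```

Two things to keep in mind when doing this with the real tool: yara prints files in whatever order the directory walk yields them, so putting the codewords into a readable order is the analyst's job (filename order here), and the [A-Za-z0-9]+ class stops at the first punctuation character, so a codeword containing a hyphen or underscore would be cut short and the rule would need a wider class.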

Results:

  • Images containing TBFC strings: 5

  • Decoded message:

“Find me in HopSec Island”

Conclusion

This challenge demonstrates that YARA is more than a malware detection tool — it is a forensic and investigative powerhouse. By combining pattern matching, logical conditions, and creativity, defenders can uncover hidden messages even when attackers disguise them inside ordinary files.

McSkidy left the clues. YARA revealed the truth.

Next stop: HopSec Island 🏝️
