Ars Technica recently published an article about the “wiper” malware. In that article they published a Yara rule provided by the FBI. However, the rule does not work due to a syntax error. The following rule corrects the syntax error and can be used with Yara 3.2.0.
Happy hunting!
rule unknown_wiper_error_strings
{
    meta:
        description = "unique custom error debug strings discovered in the wiper malware"
    strings:
        $IP1 = "203.131.222.102" fullword nocase
        $IP2 = "217.96.33.164" fullword nocase
        $IP3 = "88.53.215.64" fullword nocase
        $MZ = "MZ"
    condition:
        $MZ at 0 and all of them
}