[Emerging-Sigs] APT backdoor OSX.XSLCmd CnC Beacon

Patrick Olsen patrickolsen at sysforensics.org
Fri Sep 5 22:42:24 EDT 2014


Hey All,

I don't get much sig writing time at the office, so I'm looking to improve on
that. This is my first sig submitted here on ET, so I apologize upfront if the
formatting isn't correct. I tried to model it off some other sigs.
Feedback/constructive criticism is very welcome.

Reference:
http://www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html

# HTTP POST beacon: fixed MSIE 6.0 User-Agent, compose.aspx?s=<47 uppercase alphanumerics>, gzip Accept-Encoding
alert tcp $HOME_NET any -> any any (msg:"ET TROJAN APT backdoor OSX.XSLCmd CnC Beacon"; flow:established,to_server; content:"POST"; offset:0; depth:4; content:"User-Agent: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; fast_pattern; pcre:"/compose\.aspx\?s\=[A-Z0-9]{47}/"; content:"Accept-Encoding: gzip"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html; sid:198386; rev:1;)

I took a stab at the Babelfish GET mentioned in the post, but I don't have a
PCAP to test.

# HTTP GET via babelfish.yahoo.com with url=http://1234/config.htm? in the request
alert tcp $HOME_NET any -> any any (msg:"ET TROJAN APT backdoor OSX.XSLCmd Babelfish CnC Beacon"; flow:established,to_server; content:"GET"; offset:0; depth:3; content:"Host: babelfish.yahoo.com"; fast_pattern; pcre:"/url\=http\:\/\/1234\/config\.htm\?/"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html; sid:198387; rev:1;)

Patrick
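As an added example (not part of Patrick's post and not code from FireEye's write-up), the Python below re-implements the content/pcre conditions of both rules so they can be exercised offline when no PCAP is available. The HTTP requests it feeds them are constructed from the rule conditions themselves, not captured XSLCmd traffic; the Host value in the POST, the /translate path in the GET and the token strings are placeholders. `flow:established,to_server` is a stream property and is not modelled.

```python
"""Offline check of the two proposed OSX.XSLCmd signatures.

Added example, not code from the original post or from FireEye. Each function
mirrors the content/pcre conditions of one rule over a raw HTTP request payload,
the way Snort applies them to the reassembled client-to-server stream.
"""
import re

# The User-Agent line from sid:198386 (the fast_pattern content).
UA_LINE = b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# The two pcres, minus the escapes PCRE does not need on '=' and ':'.
POST_URI_RE = re.compile(rb"compose\.aspx\?s=[A-Z0-9]{47}")
BABEL_URI_RE = re.compile(rb"url=http://1234/config\.htm\?")


def matches_post_beacon(payload: bytes) -> bool:
    """Mirror sid:198386: POST at offset 0 (depth 4), the UA line present,
    compose.aspx?s=<47 alnum> anywhere, Accept-Encoding: gzip anywhere.
    fast_pattern only changes Snort's search order, not the match semantics."""
    if payload[:4] != b"POST":
        return False
    if UA_LINE not in payload:
        return False
    if POST_URI_RE.search(payload) is None:
        return False
    return b"Accept-Encoding: gzip" in payload


def matches_babelfish_beacon(payload: bytes) -> bool:
    """Mirror sid:198387: GET at offset 0 (depth 3), Host: babelfish.yahoo.com,
    and url=http://1234/config.htm? anywhere in the payload."""
    if payload[:3] != b"GET":
        return False
    if b"Host: babelfish.yahoo.com" not in payload:
        return False
    return BABEL_URI_RE.search(payload) is not None


def build_post(token: bytes, ua_line: bytes = UA_LINE) -> bytes:
    """Constructed POST in the shape the first rule expects.
    The Host value is a placeholder; no real C2 domain is implied."""
    return (b"POST /compose.aspx?s=" + token + b" HTTP/1.1\r\n"
            + b"Host: example.invalid\r\n"
            + ua_line + b"\r\n"
            + b"Accept-Encoding: gzip\r\n"
            + b"Content-Length: 0\r\n\r\n")


def build_babelfish_get(path: bytes) -> bytes:
    """Constructed GET; the path passed in is an assumption, not from the report."""
    return b"GET " + path + b" HTTP/1.1\r\nHost: babelfish.yahoo.com\r\n\r\n"


ALNUM = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

# Constructed samples (not captured traffic). Tokens are built from ALNUM so
# their length is explicit: 47 is the rule's count, 46 is one short, 50 is
# longer than the rule names.
SAMPLES = {
    "post_beacon":      build_post((ALNUM * 2)[:47]),
    "post_short_token": build_post((ALNUM * 2)[:46]),
    "post_long_token":  build_post((ALNUM * 2)[:50]),
    "post_wrong_ua":    build_post((ALNUM * 2)[:47], b"User-Agent: Mozilla/5.0 (Macintosh)"),
    "post_lower_token": build_post(b"a" * 47),
    "babelfish":        build_babelfish_get(b"/translate?url=http://1234/config.htm?x=1"),
    "babelfish_other":  build_babelfish_get(b"/translate?url=http://example.invalid/"),
}


def evaluate() -> dict:
    """Return {sample name: (post rule fired, babelfish rule fired)}."""
    return {name: (matches_post_beacon(p), matches_babelfish_beacon(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (post_hit, babel_hit) in evaluate().items():
        print(f"{name:18} post={post_hit!s:5} babelfish={babel_hit!s}")
```

Running it shows one property worth knowing before submission: `post_long_token` fires as well as `post_beacon`, because `[A-Z0-9]{47}` is not bounded on the right and so matches any run of 47 or more characters. If the token length really is fixed, a trailing `(?=\s)` or `\b` in the pcre tightens it. This harness only checks the byte-matching logic; the rule syntax itself still needs to be loaded by Snort or Suricata (for example `snort -c snort.conf -r sample.pcap`) once a PCAP is available.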