[Emerging-Sigs] Kuriyama Loader

Duane Howard duane.security at gmail.com
Fri Jan 26 13:31:41 HST 2018


Question: it looks like John provided references to samples here, but in
the released rule there are no reference URLs or hashes. Seems like a lot
of context got dropped that could have been included in this rule?

On Fri, Jan 26, 2018 at 8:37 AM, Travis Green <tgreen at emergingthreats.net>
wrote:

> Thanks! We'll get this in QA for today's release.
>
> -Travis
>
> On Thu, Jan 25, 2018 at 3:18 AM, Attack Detection <
> attackdetectionteam at gmail.com> wrote:
>
>> Hi, Kuriyama bot here.
>> Translation of the description from the seller's website:
>> Kuriyama is a multifunctional experimental loader that uses Telegraph as a
>> control panel. I picked up the idea of creating something similar from
>> botnets focused on YouTube, Twitter, etc. When using Telegraph, you do not
>> need to bother with anonymity, setting up a VPN, hosting, domains and other
>> slag. The Telegraph post will be tied to your hardware and you will not be
>> able to reconnect the build without agreement with me.
>>
>> Signature:
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Kuriyama Loader Checkin";
>> flow:established,to_server; content:"?hwid="; http_uri; content:"&group="; http_uri; fast_pattern;
>> content:"&os="; http_uri; content:"&cpu="; http_uri; content:"GET"; http_method;
>> content:!"Referer|3a|"; http_header;
>> metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint,
>> deployment Perimeter, signature_severity Major, created_at 2018_01_25, malware_family botnet,
>> malware_family loaders, performance_impact Moderate, updated_at 2018_01_25;
>> classtype:trojan-activity; metadata:id_462921,created_at 2018_1_25; sid:10002482; rev:1;)
>>
>> Links:
>> Page(ru): https://darkwebs.ws/threads/41806/
>> Pcap: https://www.dropbox.com/sh/78kmpbf29yrdpbq/AADI55uuJg5wxhkfzNlqP8IMa?dl=0
>> VT: https://www.virustotal.com/en/file/2cb01f61d24400c4a868e4a836019ff33588336bb6c611511fe3248aa3205d6b/analysis/
>> HA: https://www.hybrid-analysis.com/sample/2cb01f61d24400c4a868e4a836019ff33588336bb6c611511fe3248aa3205d6b/?environmentId=100
>>
>> Best regards, John.
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
>>
>>
>
>
> --
> PGP: 0xBED7B297
> <https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
>
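The rule quoted in the thread is a set of unordered substring matches on the URI plus a method check and a negated header match. As an added example (not PT Security's or Emerging Threats' code), the script below re-implements those conditions in Python so a candidate request can be tested offline before the rule is deployed. The HTTP requests in `SAMPLES` are constructed for illustration and are not taken from the linked pcap; the sensor-side `flow:established,to_server` check is not reproduced.

```python
"""Offline re-implementation of the match conditions in the Kuriyama checkin
rule quoted above, to test candidate requests before deploying the rule.

Added example: this is not PT Security's or Emerging Threats' code, and the
HTTP requests in SAMPLES are constructed for illustration, not taken from
the referenced pcap.
"""

from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Tokens the rule requires in the URI (the http_uri content matches).
# They are plain substring matches with no distance/within constraints, so
# apart from "?hwid=" having to open the query string, the remaining three
# may appear in any order.
URI_TOKENS = ("?hwid=", "&group=", "&os=", "&cpu=")


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, uri, headers).

    Header names are lower-cased for lookup; values are stripped.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def matches_checkin(raw: bytes) -> bool:
    """Return True when every condition of the rule holds for this request.

    Conditions mirrored from the rule: http_method GET, all four URI tokens
    present, and no Referer header (content:!"Referer|3a|"; http_header).
    """
    method, uri, headers = parse_request(raw)
    if method != "GET":
        return False
    if not all(token in uri for token in URI_TOKENS):
        return False
    # The rule's negated Referer match has no nocase modifier; this lookup is
    # case-insensitive, so it can only suppress an alert more often, never
    # fire where the rule would not.
    if "referer" in headers:
        return False
    return True


def checkin_fields(raw: bytes) -> Optional[Dict[str, str]]:
    """For a matching request, return the beacon fields (hwid, group, os,
    cpu) as a dict for enrichment; None when the request does not match."""
    if not matches_checkin(raw):
        return None
    _method, uri, _headers = parse_request(raw)
    query = parse_qs(urlsplit(uri).query)
    return {k: query[k][0] for k in ("hwid", "group", "os", "cpu") if k in query}


# Constructed sample requests (hypothetical host and values).
SAMPLES = {
    "checkin": (
        b"GET /gate.php?hwid=0A1B2C3D&group=default&os=Windows%207&cpu=Intel HTTP/1.1\r\n"
        b"Host: panel.invalid\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
    ),
    # Same fields, but hwid is not the first query parameter: "?hwid=" is
    # absent, so the rule does not fire.
    "reordered": (
        b"GET /gate.php?cpu=Intel&hwid=0A1B2C3D&group=default&os=Windows%207 HTTP/1.1\r\n"
        b"Host: panel.invalid\r\n\r\n"
    ),
    # Any Referer header suppresses the alert; a loader that adds one evades
    # this rule as written.
    "with_referer": (
        b"GET /gate.php?hwid=0A1B2C3D&group=default&os=Windows%207&cpu=Intel HTTP/1.1\r\n"
        b"Host: panel.invalid\r\nReferer: http://panel.invalid/\r\n\r\n"
    ),
    # POST with the same query string: the http_method GET match fails.
    "post": (
        b"POST /gate.php?hwid=0A1B2C3D&group=default&os=Windows%207&cpu=Intel HTTP/1.1\r\n"
        b"Host: panel.invalid\r\nContent-Length: 0\r\n\r\n"
    ),
}


def classify_samples() -> Dict[str, bool]:
    """Run every constructed sample through the matcher."""
    return {name: matches_checkin(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:13s} {'ALERT' if hit else 'no match'}")
    print(checkin_fields(SAMPLES["checkin"]))
```

The `reordered` and `with_referer` samples are the ones worth keeping in mind when tuning: the rule pins `hwid` to the first query parameter but leaves the other three unordered, and a single Referer header of any value is enough to suppress the alert.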
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20180126/6dde8554/attachment-0001.html>
