[Emerging-Sigs] Kuriyama Loader
duane.security at gmail.com
Fri Jan 26 13:31:41 HST 2018
Question: it looks like John provided references to samples here, but in
the released rule there are no reference URLs or hashes. Seems like a lot
of context got dropped that could have been included in this rule?
On Fri, Jan 26, 2018 at 8:37 AM, Travis Green <tgreen at emergingthreats.net> wrote:
> Thanks! We'll get this in QA for today's release.
> On Thu, Jan 25, 2018 at 3:18 AM, Attack Detection <
> attackdetectionteam at gmail.com> wrote:
>> Hi, Kuriyama bot here.
>> Translation of the description from the seller's website:
>> Kuriyama is a multifunctional experimental loader that uses the Telegraph
>> as a control panel. The idea of creating a similar I picked up in botnets,
>> focusing on youtube, twitter, etc. When using a telegraph, you do not need
>> to bother with anonymity, setting up the VPN, hosting, domains and other
>> slag. The post of the telegraph will be tied to your hardware and you will
>> not be able to reconnect the build without agreement with me.
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "ET TROJAN
>> [PTsecurity] Kuriyama Loader Checkin";flow: established, to_server;
>> content: "?hwid="; http_uri; content: "&group="; http_uri; fast_pattern;
>> content: "&os="; http_uri; content: "&cpu="; http_uri; content: "GET";
>> http_method; content:!"Referer|3a|"; http_header;
>> metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit,
>> attack_target Client_Endpoint, deployment Perimeter, signature_severity
>> Major, created_at 2018_01_25, malware_family botnet, malware_family
>> loaders, performance_impact Moderate, updated_at 2018_01_25; classtype:
>> trojan-activity; metadata: id_462921,created_at 2018_1_25; sid: 10002482;
>> rev: 1;)
>> Page(ru) https://darkwebs.ws/threads/41806/
>> Pcap: https://www.dropbox.com/sh/78kmpbf29yrdpbq/AADI55uuJg5wxhkfz
>> VT: https://www.virustotal.com/en/file/2cb01f61d24400c4a868e4a83
>> HA: https://www.hybrid-analysis.com/sample/2cb01f61d24400c4a868e
>> Best regards, John.
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
> PGP: 0xBED7B297
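To see what the rule above actually requires of a request, here is a re-implementation of its match conditions in Python, written as an added example for this thread (it is not code from the list, from PTsecurity or from the ET ruleset). It reproduces the four `http_uri` content matches, the `http_method` check and the negated `Referer:` header check against constructed HTTP requests; the `flow:established,to_server` condition is a TCP-state check that cannot be evaluated from a single request and is left out. The sample requests, host names and parameter values are constructed, not real captures.

```python
"""Match conditions of the ET TROJAN Kuriyama Loader Checkin rule, re-implemented
for testing against constructed HTTP requests (added example, not ruleset code)."""
from urllib.parse import urlsplit, parse_qs

# The four http_uri content matches from the rule. Suricata content matches are
# case-sensitive unless 'nocase' is given, and with no distance/within modifiers
# they may appear in any order; 'fast_pattern' only picks the prefilter string
# and does not change what matches.
URI_CONTENTS = ("?hwid=", "&group=", "&os=", "&cpu=")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, header_block)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, uri, _version = parts
    return method.decode(), uri.decode(), header_block.decode()


def evaluate_rule(raw: bytes) -> dict:
    """Return each rule condition with its result, useful when tuning a miss."""
    method, uri, header_block = parse_request(raw)
    return {
        # content:"GET"; http_method;
        "http_method_GET": method == "GET",
        # content:"?hwid="; http_uri; ... content:"&cpu="; http_uri;
        "http_uri_contents": all(c in uri for c in URI_CONTENTS),
        # content:!"Referer|3a|"; http_header;  (|3a| is ':') -> alert only if absent
        "no_Referer_header": "Referer:" not in header_block,
    }


def matches(raw: bytes) -> bool:
    """True when every rule condition holds, i.e. Suricata would alert."""
    return all(evaluate_rule(raw).values())


def checkin_fields(raw: bytes) -> dict:
    """Pull the hwid/group/os/cpu parameters out of a matching URI for triage."""
    _method, uri, _headers = parse_request(raw)
    query = parse_qs(urlsplit(uri).query)
    return {k: query.get(k, [""])[0] for k in ("hwid", "group", "os", "cpu")}


# Constructed sample requests (not real captures); hostnames use .invalid.
SAMPLE_CHECKIN = (
    b"GET /gate.php?hwid=ABCDEF0123&group=test&os=Win7&cpu=x64 HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
)
SAMPLE_WITH_REFERER = (
    b"GET /gate.php?hwid=ABCDEF0123&group=test&os=Win7&cpu=x64 HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\nReferer: http://www.example.invalid/\r\n\r\n"
)
SAMPLE_POST = (
    b"POST /gate.php?hwid=ABCDEF0123&group=test&os=Win7&cpu=x64 HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\nContent-Length: 0\r\n\r\n"
)
SAMPLE_BENIGN = (
    b"GET /search?q=hwid HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("checkin", SAMPLE_CHECKIN), ("referer", SAMPLE_WITH_REFERER),
                      ("post", SAMPLE_POST), ("benign", SAMPLE_BENIGN)):
        print(f"{name:8s} alert={matches(req)} {evaluate_rule(req)}")
    print(checkin_fields(SAMPLE_CHECKIN))
```

Running it shows that only the first sample trips all three conditions; the second fails solely on the negated `Referer:` match, which is the condition most likely to need attention if a loader variant starts sending a Referer header.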