[Emerging-Sigs] Machete sigs

Travis Green travis at travisgreen.net
Thu Aug 15 08:42:51 HDT 2019


List friends,
While following up on the excellent research from ESET on the Machete
malware, I was able to put some sigs together for it (details here:
http://travisgreen.net/2019/08/14/machete-malware.html).

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Py.Machete HTTP Exfil"; flow:established,to_server; content:"POST"; http_method; content:"namepc="; http_client_body; content:"nadir="; http_client_body; content:"menrut0="; http_client_body; content:"menfile0="; http_client_body; content:"mens0="; http_client_body; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:trojan-activity; sid:1003911; rev:1;)

alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Py.Machete FTP Exfil 1"; flow:established,to_server; content:"STOR|20|FIREPERF.zip"; depth:17; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:trojan-activity; sid:1003912; rev:1;)

alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Py.Machete FTP Exfil 2"; flow:established,to_server; content:"STOR|20|CRHOMEPER.zip"; depth:18; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:trojan-activity; sid:1003913; rev:1;)

Feedback welcomed,
-T

-- 
PGP: ABE625E6
keybase.io/travisbgreen
calendly.com/travisgreen
travisgreen.net
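An added example, not part of the original post or the ESET research: a small offline Python harness that mirrors the match logic of the three rules above (all five form fields must appear in a POST body; the FTP STOR pattern must fall entirely inside the depth window) and runs it over constructed sample traffic. Only the rule keywords and filenames come from the post; the hostnames, paths and other payload bytes in the samples are invented.

```python
# Added example: a small offline harness that mirrors the match logic of the
# three posted Machete rules. Sample traffic below is constructed, not captured.

# sid 1003911: every content: keyword must appear in the HTTP client body
# (any order) and the method must be POST.
MACHETE_BODY_KEYS = (b"namepc=", b"nadir=", b"menrut0=", b"menfile0=", b"mens0=")

# sids 1003912/1003913: |20| in the rule is hex for a space; depth is the
# number of payload bytes the content must fall inside.
MACHETE_FTP_RULES = (
    ("ET TROJAN Py.Machete FTP Exfil 1", b"STOR FIREPERF.zip", 17),
    ("ET TROJAN Py.Machete FTP Exfil 2", b"STOR CRHOMEPER.zip", 18),
)


def http_exfil_match(method: str, body: bytes) -> bool:
    """True when a POST body carries all five Machete form fields."""
    return method == "POST" and all(key in body for key in MACHETE_BODY_KEYS)


def ftp_exfil_match(payload: bytes):
    """Return the matching rule msg, or None. Because depth equals the
    pattern length, the STOR command has to be the start of the payload."""
    for msg, pattern, depth in MACHETE_FTP_RULES:
        if pattern in payload[:depth]:
            return msg
    return None


# Constructed samples: hostnames, paths and filenames are made up.
HTTP_SAMPLES = {
    "post_all_fields": ("POST", b"namepc=WS01&nadir=C%3A%5CUsers&menrut0=docs&menfile0=a.docx&mens0=1"),
    "post_two_fields": ("POST", b"namepc=WS01&nadir=C%3A%5CUsers"),
    "get_all_fields": ("GET", b"namepc=WS01&nadir=x&menrut0=y&menfile0=z&mens0=1"),
}
FTP_SAMPLES = {
    "stor_fireperf": b"STOR FIREPERF.zip\r\n",
    "stor_crhomeper": b"STOR CRHOMEPER.zip\r\n",
    "stor_offset": b"  STOR FIREPERF.zip\r\n",  # pattern ends past the depth window
    "stor_other": b"STOR report.zip\r\n",
}


def run_samples() -> dict:
    """Evaluate every constructed sample and return {name: result}."""
    results = {n: http_exfil_match(m, b) for n, (m, b) in HTTP_SAMPLES.items()}
    results.update({n: ftp_exfil_match(p) for n, p in FTP_SAMPLES.items()})
    return results


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:16} -> {hit}")
```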