[Emerging-Sigs] L4L Stealer Sigs

Travis Green travis at travisgreen.net
Thu Oct 31 06:46:34 HDT 2019


All,

We also sig'd up a CN language MSIL Stealer during the Suricon 2019
Threat Hunting class in beautiful Amsterdam:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL.L4L Stealer IP Check"; flow:established,to_server; content:"GET"; http_method; content:".php?action=getIP"; http_uri; endswith; http_header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:trojan-activity; sid:1003930; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL.L4L Stealer Screenshot Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:".php?action=upload&host="; http_uri; content:"@"; http_uri; distance:0; http_header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; pkt_data; content:"filename=|22|screenshot_"; http_client_body; content:".jpeg|22|"; distance:0; http_client_body; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:trojan-activity; sid:1003931; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL.L4L Stealer Systeminfo Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:".php?action=upload&host="; http_uri; content:"@"; http_uri; distance:0; http_header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; pkt_data; content:"filename=|22|system.info|22|"; http_client_body; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:trojan-activity; sid:1003932; rev:1;)

Suggestions/improvements/comments welcomed,
-T

-- 
travisgreen.net
PGP key <http://travisgreen.net/assets/travis@travisgreen.net.asc>
calendly.com/travisgreen
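Added example, not part of the post above: a small Python emulation of the match conditions in the three rules (http_method, http_uri with endswith/distance, the negated http_header_names contents, and the http_client_body contents), run over constructed requests so the logic can be sanity-checked before loading the rules into Suricata. The host name and request bodies are constructed placeholders, not captured traffic.

```python
# Added example (not from the post): emulate the three L4L rule conditions offline.

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, header-names buffer, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _ = request_line.split(b" ", 2)
    # Suricata's http_header_names buffer is "\r\nName\r\nName\r\n": names only, CRLF-delimited.
    names = [line.split(b":", 1)[0] for line in header_lines if b":" in line]
    header_names = b"\r\n" + b"\r\n".join(names) + b"\r\n"
    return method, uri, header_names, body

def lacks_common_headers(header_names: bytes) -> bool:
    # content:!"User-Agent"; content:!"Referer"; content:!"Accept"; (case-sensitive, no nocase)
    return not any(h in header_names for h in (b"User-Agent", b"Referer", b"Accept"))

def rule_ip_check(raw: bytes) -> bool:
    """sid:1003930: GET, http_uri ends with .php?action=getIP, no UA/Referer/Accept."""
    method, uri, header_names, _ = parse_request(raw)
    return (method == b"GET" and uri.endswith(b".php?action=getIP")
            and lacks_common_headers(header_names))

def _upload_uri(uri: bytes) -> bool:
    # content:".php?action=upload&host="; http_uri; content:"@"; http_uri; distance:0;
    marker = b".php?action=upload&host="
    idx = uri.find(marker)
    return idx != -1 and b"@" in uri[idx + len(marker):]  # distance:0 = search after marker

def rule_screenshot(raw: bytes) -> bool:
    """sid:1003931: upload POST whose body names a screenshot_*.jpeg part."""
    method, uri, header_names, body = parse_request(raw)
    if method != b"POST" or not _upload_uri(uri) or not lacks_common_headers(header_names):
        return False
    idx = body.find(b'filename="screenshot_')
    return idx != -1 and b'.jpeg"' in body[idx + len(b'filename="screenshot_'):]

def rule_systeminfo(raw: bytes) -> bool:
    """sid:1003932: upload POST whose body names a system.info part."""
    method, uri, header_names, body = parse_request(raw)
    return (method == b"POST" and _upload_uri(uri)
            and lacks_common_headers(header_names) and b'filename="system.info"' in body)

# Constructed sample traffic (placeholder host); BROWSER carries a User-Agent and must not fire.
IP_CHECK = b"GET /gate.php?action=getIP HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
SCREENSHOT = (b"POST /gate.php?action=upload&host=PC-1@user HTTP/1.1\r\nHost: c2.example.invalid\r\n"
              b"Content-Type: multipart/form-data; boundary=b\r\n\r\n--b\r\nContent-Disposition: "
              b'form-data; name="file"; filename="screenshot_1.jpeg"\r\n\r\n\xff\xd8\r\n--b--\r\n')
SYSINFO = SCREENSHOT.replace(b'filename="screenshot_1.jpeg"', b'filename="system.info"')
BROWSER = IP_CHECK.replace(b"\r\n\r\n", b"\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
```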