[Emerging-Sigs] KBot C2 Sig

Jack Mott jmott at emergingthreats.net
Wed Feb 12 05:38:31 HST 2020


Hi Stuart,

Thanks for letting us know -- yes, in fact it looks like the negation of that
host was left off. Will get that updated now!

Thanks again,

Jack

On Wed, Feb 12, 2020 at 8:34 AM Stuart Gonzalez <stu at perchsecurity.com>
wrote:

> Hi Team,
>
> Looking through this sig and wondering if the content match for “.eset.com”
> should have been negated. I reviewed the references, as well as other
> malware repos for this malware, and found no indication of C2 traffic destined
> for eset subdomains.
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN
> Bolek/Kbot CnC Checkin"; flow:established,to_server; urilen:1;
> content:"POST"; http_method;
> pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; content:".eset.com";
> http_host; isdataat:!1,relative; http_header_names; content:"|0d 0a|Host|0d
> 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:36; fast_pattern;
> content:!"Accept"; content:!"Referer"; metadata: former_category MALWARE;
> reference:md5,24a497e3993289168455f12d11f0430f;
> reference:md5,2d7ce4c681bdbddf4ab2740f5fb589dc; classtype:trojan-activity;
> sid:2820288; rev:5; metadata:created_at 2016_05_20, updated_at 2020_02_11;)
>
> https://securelist.com/kbot-sometimes-they-come-back/96157/
>
> https://www.virustotal.com/gui/file/406a4fcb391cc8098d1a6578e2609c21f0f59ca2386f926e3438c57e4549c966/behavior/VirusTotal%20Cuckoofork
>
> Stuart Gonzalez / Chief Bot Officer
> stu at perchsecurity.com / 713.591.1602
>
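To make the effect of the missing negation concrete, here is an added example (not code from the list or from Emerging Threats) that re-implements the conditions of sid:2820288 in Python and runs them over two constructed requests, once as rev:5 was published and once with the `.eset.com` host match negated. It is a simplified model of the rule's buffers, not Suricata's engine; the header-name buffer layout and the sample hosts are assumptions for the illustration.

```python
import re

# http_header_names buffer: leading CRLF, each header name followed by CRLF.
# The rule's 36-byte content with depth:36 pins this exact order at offset 0.
EXPECTED_HEADER_NAMES = b"\r\nHost\r\nContent-Length\r\nConnection\r\n"
# pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps" applied to the client body
BODY_PCRE = re.compile(rb"^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]", re.S)


def parse_request(raw: bytes):
    """Split a raw HTTP request into method, URI, header names, header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    names, headers = [], {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        names.append(name)
        headers[name.lower()] = value.strip()
    return method, uri, names, headers, body


def checkin_matches(raw: bytes, negate_eset: bool) -> bool:
    """negate_eset=False models rev:5 as published; True models the corrected rule."""
    method, uri, names, headers, body = parse_request(raw)
    if method != b"POST" or len(uri) != 1:           # content:"POST"; http_method; urilen:1
        return False
    if not BODY_PCRE.search(body):                    # non-printable byte early in the body
        return False
    # content:".eset.com"; http_host; isdataat:!1,relative  ->  host ends with ".eset.com"
    host_is_eset = headers.get(b"host", b"").lower().endswith(b".eset.com")
    if host_is_eset == negate_eset:                   # rev:5 requires it, the fix forbids it
        return False
    name_buf = b"\r\n" + b"\r\n".join(names) + b"\r\n\r\n"
    if name_buf[:36] != EXPECTED_HEADER_NAMES:        # exact header order within depth:36
        return False
    if b"Accept" in name_buf or b"Referer" in name_buf:   # content:!"Accept"; content:!"Referer"
        return False
    return True


# Constructed samples: a Kbot-style checkin to a documentation-range IP, and the
# same request with an eset.com host (the only shape rev:5 could alert on).
C2_CHECKIN = (b"POST / HTTP/1.1\r\nHost: 203.0.113.10\r\nContent-Length: 4\r\n"
              b"Connection: close\r\n\r\n\x01\x02\x03\x04")
ESET_HOST = C2_CHECKIN.replace(b"203.0.113.10", b"sub.eset.com")
```

With the negation missing, the checkin to the C2 address does not match at all while the eset.com request does; negating the host match inverts both results.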