[Emerging-Sigs] KBot C2 Sig

Brad Woodberg bwoodberg at proofpoint.com
Wed Feb 12 05:44:57 HST 2020


Hi David,

I tested the portal and could not reproduce the issue, nor have we received any other reports. If you can provide the details of what you entered, that would be helpful. I'll let the team speak to the signature itself.

Brad Woodberg | Group Product Manager - Emerging Threats, TAP Campaigns
Proofpoint, Inc.

E: bwoodberg at proofpoint.com

From: Emerging-sigs <emerging-sigs-bounces at lists.emergingthreats.net> on behalf of "elhijo at 0lim.net" <elhijo at 0lim.net>
Date: Wednesday, February 12, 2020 at 10:39 AM
To: "emerging-sigs at emergingthreats.net" <emerging-sigs at emergingthreats.net>
Subject: Re: [Emerging-Sigs] KBot C2 Sig

Hi,

I was trying to send you the same issue through the ET feedback webpage, but I get a bad gateway error every time I submit my request.

sid:2820288

All alerts linked to i[1234]4.c.eset.com

Cheers,

David


February 12, 2020 4:30 PM, "Stuart Gonzalez" <stu at perchsecurity.com> wrote:

Hi Team,

Looking through this sig and wondering if the content match for ".eset.com" should have been negated. I reviewed the references, as well as other malware repos for this malware, and found no indication of C2 traffic destined for eset subdomains.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Bolek/Kbot CnC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; content:".eset.com"; http_host; isdataat:!1,relative; http_header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:36; fast_pattern; content:!"Accept"; content:!"Referer"; metadata: former_category MALWARE; reference:md5,24a497e3993289168455f12d11f0430f; reference:md5,2d7ce4c681bdbddf4ab2740f5fb589dc; classtype:trojan-activity; sid:2820288; rev:5; metadata:created_at 2016_05_20, updated_at 2020_02_11;)

https://securelist.com/kbot-sometimes-they-come-back/96157/

https://www.virustotal.com/gui/file/406a4fcb391cc8098d1a6578e2609c21f0f59ca2386f926e3438c57e4549c966/behavior/VirusTotal%20Cuckoofork


Stuart Gonzalez / Chief Bot Officer
stu at perchsecurity.com / 713.591.1602

PERCH
perchsecurity.com | Perch Blog (www.perchsecurity.com/blog) | Product Support (help at perchsecurity.com) | SOC Operations (soc at perchsecurity.com)


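To make concrete what sid 2820288 fires on as written versus with the `.eset.com` match negated as Stuart asks, here is an added example (not Suricata's engine and not code from anyone in this thread) that re-implements the rule's checks in plain Python and runs them over constructed HTTP requests; the hostnames, bodies and the `matches`/`parse_request` helpers are all made up for illustration.

```python
import re

# Added example: a plain-Python re-implementation of the checks in ET sid 2820288
# (not Suricata's engine). All requests below are constructed, not captures.
HEADER_NAMES = b"\r\nHost\r\nContent-Length\r\nConnection\r\n"   # depth:36 pattern
BODY_PCRE = re.compile(rb"^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]", re.S)


def parse_request(raw: bytes):
    """Return (method, uri, header names in order, host, body) for a raw request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    names, host = [], b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        names.append(name.strip())
        if name.strip().lower() == b"host":
            host = value.strip().lower()          # http_host buffer is lowercased
    return method, uri, names, host, body


def matches(raw: bytes, negate_host: bool = False) -> bool:
    """True if the rule fires; negate_host=True models content:!".eset.com"."""
    method, uri, names, host, body = parse_request(raw)
    if method != b"POST" or len(uri) != 1:                 # http_method; urilen:1
        return False
    if not BODY_PCRE.search(body):                         # pcre:"/.../Ps" on client body
        return False
    host_hit = host.endswith(b".eset.com")                 # content + isdataat:!1,relative
    if host_hit == negate_host:                            # as written vs. negated
        return False
    header_names = b"\r\n" + b"\r\n".join(names) + b"\r\n" # http_header_names buffer
    if not header_names.startswith(HEADER_NAMES):          # content; depth:36
        return False
    return b"Accept" not in header_names and b"Referer" not in header_names


# Constructed samples: the host pattern David reports (i[1234]4.c.eset.com),
# the same request to a non-ESET host, and one that also sends an Accept header.
SAMPLE_ESET = (b"POST / HTTP/1.1\r\nHost: i14.c.eset.com\r\nContent-Length: 4\r\n"
               b"Connection: close\r\n\r\nab\x01\x02")
SAMPLE_OTHER = SAMPLE_ESET.replace(b"i14.c.eset.com", b"other.example.invalid")
SAMPLE_ACCEPT = SAMPLE_ESET.replace(b"Connection: close\r\n",
                                    b"Connection: close\r\nAccept: */*\r\n")

if __name__ == "__main__":
    for label, req in [("eset host", SAMPLE_ESET), ("other host", SAMPLE_OTHER),
                       ("eset + Accept", SAMPLE_ACCEPT)]:
        print(f"{label:14} as written={matches(req)!s:5} negated={matches(req, True)}")
```

Running it shows the rule as written can only ever alert on hosts ending in `.eset.com`, so the hits David sees are what the signature selects for by construction; negating that match flips it to fire on every other host that sends the same three-header POST with a binary body.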


