[Emerging-Sigs] Pony Loader Trojan

Erik Hjelmvik erik.hjelmvik at gmail.com
Wed Jul 4 01:13:01 HDT 2018


Hi all,

Here’s a new way to find the Pony Loader trojan:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pony Loader Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a|Accept-Encoding: identity, |2a 3b|q=0|0d 0a|"; http_header; fast_pattern; content:"|0d 0a|Content-Encoding: binary|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:" HTTP/1.0|0d 0a|"; reference:md5,99FAB94FD824737393F5184685E8EDF2; reference:url,netresec.com/?b=187E291; classtype:trojan-activity; sid:10471101; rev:1; metadata:created_at 2018_07_04;)

This signature should be more reliable than sid 2014411, and probably
faster as well.

Please see my blog post and video for more details:
https://www.netresec.com/?page=Blog&month=2018-07&post=Detecting-the-Pony-Trojan-with-RegEx-using-CapLoader

Best regards,
Erik
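The rule's conditions as a standalone Python check over raw HTTP requests, added here as an example and not part of Erik's post or the ET ruleset. The sample requests are constructed, and the unanchored " HTTP/1.0|0d 0a|" content match is approximated by checking the request line.

```python
# Constructed sample requests (not real captures) exercising the rule's conditions.
PONY_LIKE_CHECKIN = (
    b"POST /gate.php HTTP/1.0\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: identity, *;q=0\r\n"
    b"Content-Encoding: binary\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"\x01\x02\x03\x04"
)

# Same request with a Referer header, which the negated content match excludes.
WITH_REFERER = PONY_LIKE_CHECKIN.replace(
    b"Host: c2.example.invalid\r\n",
    b"Host: c2.example.invalid\r\nReferer: http://c2.example.invalid/\r\n",
)

# Ordinary upload: HTTP/1.1 and a browser-style Accept-Encoding, should not match.
BENIGN_POST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"\x01\x02\x03\x04"
)


def matches_pony_checkin(request: bytes) -> bool:
    """Return True when a raw HTTP request satisfies every condition of the rule."""
    head, sep, _body = request.partition(b"\r\n\r\n")
    if not sep:
        return False  # header block not complete yet
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    # content:"POST"; nocase; http_method  and  content:" HTTP/1.0|0d 0a|"
    if len(parts) != 3 or parts[0].upper() != b"POST" or parts[2] != b"HTTP/1.0":
        return False
    # Surround with CRLF so the |0d 0a|-prefixed matches only hit whole header lines.
    block = b"\r\n" + headers + b"\r\n"
    if b"\r\nAccept-Encoding: identity, *;q=0\r\n" not in block:
        return False  # fast_pattern header, case-sensitive as in the rule
    if b"\r\nContent-Encoding: binary\r\n" not in block:
        return False
    # content:!"Referer|3a 20|"; http_header  (negated match)
    return b"Referer: " not in block
```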