US-CERT- AA22-216A: 2021 Top Malware Strains

Started by Netwörkheäd, August 04, 2022, 06:54:49 PM

Previous topic - Next topic

Netwörkheäd

AA22-216A: 2021 Top Malware Strains

[html]Original release date: August 4, 2022

Summary

Immediate Actions You Can Take Now to Protect Against Malware:



• Patch all systems and prioritize patching https://www.cisa.gov/known-exploited-vulnerabilities-catalog">known exploited vulnerabilities.

• Enforce multifactor authentication (MFA).

• Secure Remote Desktop Protocol (RDP) and other risky services.

• Make offline backups of your data.

• Provide end-user awareness and training about social engineering and phishing.



This joint Cybersecurity Advisory (CSA) was coauthored by the Cybersecurity and Infrastructure Security Agency (https://www.cisa.gov/">CISA) and the Australian Cyber Security Centre (https://www.cyber.gov.au/">ACSC). This advisory provides details on the top malware strains observed in 2021. Malware, short for "malicious software," can compromise a system by performing an unauthorized function or process. Malicious cyber actors often use malware to covertly compromise and then gain access to a computer or mobile device. Some examples of malware include viruses, worms, Trojans, ransomware, spyware, and rootkits.[https://www.cisa.gov/sites/default/files/publications/Malware_1.pdf">1]



In 2021, the top malware strains included remote access Trojans (RATs), banking Trojans, information stealers, and ransomware. Most of the top malware strains have been in use for more than five years with their respective code bases evolving into multiple variations. The most prolific malware users are cyber criminals, who use malware to deliver ransomware or facilitate theft of personal and financial information.



CISA and ACSC encourage organizations to apply the recommendations in the Mitigations sections of this joint CSA. These mitigations include applying timely patches to systems, implementing user training, securing Remote Desktop Protocol (RDP), patching all systems especially for known exploited vulnerabilities, making offline backups of data, and enforcing multifactor authentication (MFA).



Download the PDF version of this report: https://us-cert.cisa.gov/sites/default/files/publications/aa22-216a-2021-top-malware-strains.pdf">pdf, 489 kb


Technical Details

Key Findings



The top malware strains of 2021 are: Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot and GootLoader.




       
  • Malicious cyber actors have used Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot for at least five years.

  •    
  • Malicious cyber actors have used Qakbot and Ursnif for more than a decade.



Updates made by malware developers, and reuse of code from these malware strains, contribute to the malware's longevity and evolution into multiple variations. Malicious actors' use of known malware strains offers organizations opportunities to better prepare, identify, and mitigate attacks from these known malware strains.



The most prolific malware users of the top malware strains are cyber criminals, who use malware to deliver ransomware or facilitate theft of personal and financial information.




       
  • Qakbot and TrickBot are used to form botnets and are developed and operated by Eurasian cyber criminals known for using or brokering botnet-enabled access to facilitate highly lucrative ransomware attacks. Eurasian cyber criminals enjoy permissive operating environments in Russia and other former Soviet republics.

  •    
  • According to U.S. government reporting, TrickBot malware often enables initial access for Conti ransomware, which was used in nearly 450 global ransomware attacks in the first half of 2021. As of 2020, malicious cyber actors have purchased access to systems compromised by TrickBot malware on multiple occasions to conduct cybercrime operations.

  •    
  • In 2021, cyber criminals conducted mass phishing campaigns with Formbook, Agent Tesla, and Remcos malware that incorporated COVID-19 pandemic themes to steal personal data and credentials from businesses and individuals.



In the criminal malware industry, including malware as a service (MaaS), developers create malware that malware distributors often broker to malware end-users.[https://www.cisa.gov/uscert/sites/default/files/documents/NCCIC_ICS-CERT_AAL_Malware_Trends_Paper_S508C.pdf">2] Developers of these top 2021 malware strains continue to support, improve, and distribute their malware over several years. Malware developers benefit from lucrative cyber operations with low risk of negative consequences. Many malware developers often operate from locations with few legal prohibitions against malware development and deployment. Some developers even market their malware products as legitimate cyber security tools. For example, the developers of Remcos and Agent Tesla have marketed the software as legitimate tools for remote management and penetration testing. Malicious cyber actors can purchase Remcos and Agent Tesla online for low cost and have been observed using both tools for malicious purposes.



Top Malware



Agent Tesla





AZORult





FormBook





Ursnif





LokiBot





MOUSEISLAND





NanoCore





Qakbot





Remcos





TrickBot





GootLoader




Mitigations

Below are the steps that CISA and ACSC recommend organizations take to improve their cybersecurity posture based on known adversary tactics, techniques, and procedures (TTPs). CISA and ACSC urge critical infrastructure organizations to prepare for and mitigate potential cyber threats immediately by (1) updating software, (2) enforcing MFA, (3) securing and monitoring RDP and other potentially risky services, (4) making offline backups of your data, and (5) providing end-user awareness and training.




       
  • Update software, including operating systems, applications, and firmware, on IT network assets. Prioritize patching https://www.cisa.gov/known-exploited-vulnerabilities-catalog">known exploited vulnerabilities and critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.

       

            
    • Consider using a centralized patch management system.

    •       
    • Consider signing up for CISA's https://www.cisa.gov/cyber-hygiene-services">cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats. CISA's vulnerability scanning service evaluates external network presence by executing continuous scans of public, static IP addresses for accessible services and vulnerabilities.

    •    

       




       
  • Enforce MFA to the greatest extent possible and require accounts with password logins, including service accounts, to have https://www.cisa.gov/tips/st04-002">strong passwords. Do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access. Additionally, ACSC has issued guidance on implementing multifactor authentication for hardening authentication systems.

  •    
  • If you use RDP and/or other potentially risky services, secure and monitor them closely. RDP exploitation is one of the top initial infection vectors for ransomware, and risky services, including RDP, can allow unauthorized access to your session using an on-path attacker.
       

            
    • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a virtual private network (VPN) or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force attempts, log RDP login attempts, and disable unused remote access/RDP ports.

    •       
    • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389). 

    •    

       




       
  • Maintain offline (i.e., physically disconnected) backups of data. Backup procedures should be conducted on a frequent, regular basis (at a minimum every 90 days). Regularly test backup procedures and ensure that backups are isolated from network connections that could enable the spread of malware.

       

            
    • Ensure the backup keys are kept offline as well, to prevent them being encrypted in a ransomware incident.

    •       
    • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization's data infrastructure with a particular focus on key data assets.

    •    

       




       
  • Provide end-user awareness and training to help prevent successful targeted social engineering and spearphishing campaigns. Phishing is one of the top infection vectors for ransomware.

       

            
    • Ensure that employees are aware of potential cyber threats and delivery methods.

    •       
    • Ensure that employees are aware of what to do and whom to contact when they receive a suspected phishing email or suspect a cyber incident.

    •    

       



As part of a longer-term effort, implement network segmentation to separate network segments based on role and functionality. Network segmentation can help prevent the spread of ransomware and threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. The ACSC has observed ransomware and data theft incidents in which Australian divisions of multinational companies were impacted by ransomware incidents affecting assets maintained and hosted by offshore divisions outside their control.



RESOURCES





DISCLAIMER



The information in this report is being provided "as is" for informational purposes only. CISA and ACSC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.



APPENDIX: SNORT SIGNATURES FOR THE TOP 2021 MALWARE




   
      
         
         
      
   
   
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
      
      
         
         
      
      
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         

         

Malware


         

         

Snort Detection Signature


         

         

Agent Tesla


         

         

alert any any -> any any (msg:"HTTP GET request /aw/aw.exe"; flow:established,to_server; sid:1; rev:1; content:"GET"; http_method; content:"/aw/aw.exe"; http_uri; reference:url, https://www.datto.com/blog/what-is-agent-tesla-spyware-and-how-does-it-work; metadata:service http;)


         

         

AZORult


         

         

alert tcp any any -> any any (msg:"HTTP Server Content Data contains 'llehS|2e|tpircSW'"; sid:1; rev:1; flow:established,from_server; file_data; content:"llehS|2e|tpircSW"; nocase; fast_pattern:only; pcre:"/GCM(?:\x20|%20)\*W-O\*/i"; reference:url,maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/; metadata:service http;)


         

         

AZORult


         

         

alert tcp any any -> any any (msg:"HTTP POST Client Body contains 'J/|fb|' and '/|fb|'"; sid:1; rev:1; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"J/|fb|"; http_client_body; fast_pattern; content:"/|fb|"; http_client_body; depth:11; content:!"Referer|3a 20|"; http_header; metadata:service http;)


         

         

FormBook


         

         

alert tcp any any -> any any (msg:"HTTP URI POST contains '&sql=1' at the end"; sid:1; rev:1; flow:established,to_server; content:"&sql=1"; http_uri; fast_pattern:only; content:"POST"; http_method; pcre:"/(?(DEFINE)(?'b64std'[a-zA-Z0-9+\/=]+?))(?(DEFINE)(?'b64url'[a-zA-Z0-9_-]+?))^\/[a-z0-9]{3,4}\/\?(?P>b64url){3,8}=(?P>b64std){40,90}&(?P>b64url){2,6}=(?P>b64url){4,11}&sql=1$/iU"; reference:url,www.malware-traffic-analysis.net/2018/02/16/index.html; metadata:service http;)


         

         

alert tcp any any -> any any (msg:"HTTP URI GET/POST contains '/list/hx28/config.php?id='"; sid:1; rev:1; flow:established,to_server; content:"/list/hx28/config.php?id="; http_uri; fast_pattern:only; content:"Connection|3a 20|close|0d 0a|"; http_header; reference:url,www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html; metadata:service http;)


         

         

Ursnif


         

         

alert tcp any any -> any any (msg:"HTTP POST Data contains .bin filename, long URI contains '/images/'"; sid:1; rev:1; flow:established,to_server;  urilen:>60,norm; content:"/images/"; http_uri; depth:8; content:"POST"; nocase; http_method; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|upload_file|22 3b 20|filename=|22|"; http_client_body; content:"|2e|bin|22 0d 0a|"; http_client_body; distance:1; within:32; fast_pattern;  reference:url,www.broadanalysis.com/2016/03/23/angler-ek-sends-data-stealing-payload/; metadata:service http;)


         

         

alert tcp any any -> any any (msg:"HTTP URI GET/POST contains '/images/' plus random sub directories and an Image File (Ursnif)"; sid:1; rev:1; flow:established,to_server;  content:"/images/"; http_uri; fast_pattern:only; content:!"Host: www.urlquery.net"; http_header; pcre:"/\/images(\/(?=[a-z0-9\_]{0,22}[A-Z][a-z0-9\_]{0,22}[A-Z])(?=[A-Z0-9\_]{0,22}[a-z])[A-Za-z0-9\_]{1,24}){5,20}\/[a-zA-Z0-9\_]+\.(?:gif|jpeg|jpg|bmp)$/U"; metadata:service http)


         

         

LokiBot


         

         

alert tcp any any -> any any (msg:"HTTP Client Header contains 'User-Agent|3a 20|Mozilla/4.08 (Charon|3b| Inferno)'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.08 (Charon|3b| Inferno)|0d 0a|"; http_header; fast_pattern:only; metadata:service http; )


         

         

LokiBot


         

         

alert tcp any any -> any any (msg:"HTTP URI POST contains '/*/fre.php' post-infection"; sid:1; rev:1; flow:established,to_server; content:"/fre.php"; http_uri; fast_pattern:only; urilen:<50,norm; content:"POST"; nocase; http_method; pcre:"/\/(?:alien|loky\d|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll\/NW|wrk|job|five\d?|donemy|animation\dkc|love|Masky|v\d|lifetn|Ben)\/fre\.php$/iU"; metadata:service http;)


         

         

LokiBot


         

         

alert tcp any any -> any any (msg:"HTTP URI POST contains '/w.php/'"; sid:1; rev:1; flow:established,to_server; content:"/w.php/"; http_uri; fast_pattern:only; content:"POST"; nocase; http_method; pcre:"/\/\w+\/w\.php\/[a-z]{13}$/iU";  metadata:service http;)


         

         

MOUSEISLAND


         

         

alert tcp any any -> any any (msg:"HTTP URI GET contains '/assets/<8-80 hex>/<4-16 alnum>?<3-6 alnum>='"; sid:9206287; rev:1; flow:established,to_server; content:"/assets/"; http_uri; fast_pattern:only; content:"HTTP/1.1|0d 0a|"; depth:256; content:!"|0d 0a|Cookie:"; content:!"|0d 0a|Referer:"; pcre:"/\/assets\/[a-fA-F0-9/]{8,80}\/[a-zA-Z0-9]{4,16}\?[a-z0-9]{3,6}=/U";  metadata:service http;)


         

         

NanoCore


         

         

alert tcp any any -> any 25 (msg:"SMTP Attachment Filename 'Packinglist-Invoice101.pps'"; sid:1; rev:1; flow:established,to_server,only_stream; content:"Content-Disposition|3a 20|attachment|3b|"; content:"Packinglist-Invoice101.pps"; nocase; distance:0; fast_pattern; pcre:"/Content-Disposition\x3a\x20attachment\x3b[\x20\t\r\n]+?(?:file)*?name=\x22*?Packinglist-Invoice101\.pps\x22*?/im"; reference:cve,2014-4114; reference:msb,MS14-060; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_Sight-Body-FINAL.pdf; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_Sight-Appendix-FINAL.pdf;)


         

         

NanoCore


         

         

alert tcp any any -> any any (msg:"HTTP Client Header contains 'Host|3a 20|frankief hopto me' (GenericKD/Kazy/NanoCore/Recam)"; sid:1; rev:1; flow:established,to_server; content:"Host|3a 20|frankief|2e|hopto|2e|me|0d 0a|"; http_header; fast_pattern:only;  metadata:service http;)


         

         

NanoCore


         

         

alert tcp any any -> any any (msg:"HTTP GET URI contains 'FAD00979338'"; sid:1; rev:1; flow:established,to_server; content:"GET"; http_method; content:"getPluginName.php?PluginID=FAD00979338"; fast_pattern; http_uri; metadata:service http;)


         

         

Qakbot


         

         

alert tcp any any -> any any (msg:"HTTP URI GET /t?v=2&c= (Qakbot)"; sid:1; rev:1; flow:established,to_server; content:"/t?v=2&c="; http_uri; depth:9; fast_pattern; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf;)


         

         

Qakbot


         

         

alert tcp any any -> any 21 (msg:"Possible FTP data exfiltration"; sid:1; rev:1; flow:to_server,established; content:"STOR si_"; content:".cb"; within:50; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/analysis/; metadata:service ftp-ctrlchan;)


         

         

Qakbot


         

         

alert tcp any any -> any any (msg:"Malicious executable download attempt"; sid:1; rev:1; flow:to_client,established; file_type:MSEXE; file_data; content:"|52 DB 91 CB FE 67 30 9A 8E 72 28 4F 1C A9 81 A1 AA BE AC 8D D9 AB E4 15 EF EA C6 73 89 9F CF 2E|"; fast_pattern:only; reference:url,virustotal.com/#/file/ad815edc045c779628db3a3397c559ca08f012216dfac4873f11044b2aa1537b/detection; metadata:service http;)


         

         

Qakbot


         

         

alert tcp any any -> any any (msg:"HTTP POST URI contains 'odin/si.php?get&'"; sid:1; rev:1; flow:to_server,established; content:"/odin/si.php?get&"; fast_pattern:only; http_uri; content:"news_slist"; http_uri; content:"comp="; http_uri;  reference:url,www.virustotal.com/en/file/478132b5c80bd41b8c11e5ed591fdf05d52e316d40f7c4abf4bfd25db2463dff/analysis/1464186685/; metadata:service http;)


         

         

Qakbot


         

         

alert tcp any any -> any any (msg:"HTTP URI contains '/random750x750.jpg?x='"; sid:1; rev:1; flow:to_server,established; content:"/random750x750.jpg?x="; fast_pattern:only; http_uri; content:"&y="; http_uri; content:"Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0d 0a|"; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header;  reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; metadata:service http;)


         

         

Qakbot


         

         

alert tcp any any -> any any (msg:"HTTP URI contains '/datacollectionservice.php3'"; sid:1; rev:1; flow:to_server,established; content:"/datacollectionservice.php3"; fast_pattern:only; http_uri; metadata:service http;)


         

         

Qakbot


         

         

alert tcp any any -> any any (msg:"HTTP header contains 'Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0d 0a|'"; sid:1; rev:1; flow:to_server,established; urilen:30<>35,norm; content:"btst="; http_header; content:"snkz="; http_header; content:"Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0d 0a|"; fast_pattern:only; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header;  reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; metadata:service http;)


         

         

Qakbot


         

         

alert tcp any any -> any 21 (msg:"Possible ps_dump FTP exfil"; sid:1; rev:1; flow:to_server,established; content:"ps_dump"; fast_pattern:only; pcre:"/ps_dump_[^_]+_[a-z]{5}\d{4}\x2Ekcb/smi";  reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service ftp;)


         

         

Qakbot


         

         

alert tcp any any -> any 21 (msg:"Possible seclog FTP exfil"; sid:1; rev:1; flow:to_server,established; content:"seclog"; fast_pattern:only; pcre:"/seclog_[a-z]{5}\d{4}_\d{10}\x2Ekcb/smi";  reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service ftp;)


         

         

Qakbot


         

         

alert tcp any any -> any any (msg:"HTTP URI contains '/cgi-bin/jl/jloader.pl'"; sid:1; rev:1; flow:to_server,established; content:"/cgi-bin/jl/jloader.pl"; fast_pattern:only; http_uri;  reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)


         

         

Qakbot


         

         

alert tcp any any -> any any (msg:"HTTP URI contains '/cgi-bin/clientinfo3.pl'"; sid:1; rev:1; flow:to_server,established; content:"/cgi-bin/clientinfo3.pl"; fast_pattern:only; http_uri;  reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)


         

         

Qakbot


         

         

alert tcp any any -> any any (msg:"HTTP URI contains '/u/updates.cb'"; sid:1; rev:1; flow:to_server,established; content:"/u/updates.cb"; fast_pattern:only; http_uri; pcre:"/^Host\x3A[^\r\n]+((up\d+)|(adserv))/Hmi"; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)


         

         

Qakbot


         

         

alert tcp any any -> any any (msg:"HTTP response content contains '|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 4C 6F 61 64 52 65 73 6F 75 72 63 65 28 29 20 66 61 69 6C 65 64|'"; sid:1; rev:1; flow:to_client,established; file_data; content:"|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 4C 6F 61 64 52 65 73 6F 75 72 63 65 28 29 20 66 61 69 6C 65 64|"; fast_pattern:only; content:"|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 43 72 65 61 74 65 46 69 6C 65 28 29 20 66 61 69 6C 65 64|"; content:"|52 75 6E 45 78 65 46 72 6F 6D 52 65 73 28 29 20 73 74 61 72 74 65 64|"; content:"|73 7A 46 69 6C 65 50 61 74 68 3D|"; content:"|5C 25 75 2E 65 78 65|"; reference:url,www.virustotal.com/en/file/23e72e8b5e7856e811a326d1841bd2ac27ac02fa909d0a951b0b8c9d1d6aa61c/analysis; metadata:service ftp-data,service http;)


         

         

Qakbot


         

         

alert tcp any any -> any any (msg:"HTTP POST URI contains 'v=3&c='"; sid:1; rev:1; flow:to_server,established; content:"/t"; http_uri; content:"POST"; http_method; content:"v=3&c="; depth:6; http_client_body; content:"=="; within:2; distance:66; http_client_body;  reference:url,www.virustotal.com/en/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/analysis/; metadata:service http;)


         

         

Qakbot


         

         

alert tcp any any -> any any (msg:"HTTP URI GET contains '/<alpha>/595265.jpg'"; sid:1; rev:1; flow:established,to_server; content:"/595265.jpg"; http_uri; fast_pattern:only; content:"GET"; nocase; http_method; pcre:"/^\/[a-z]{5,15}\/595265\.jpg$/U";  reference:url,www.virustotal.com/gui/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/detection; metadata:service http;)


         

         

Remcos


         

         

alert tcp any any -> any any (msg:"Non-Std TCP Client Traffic contains '|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|' (Checkin #23)"; sid:1; rev:1; flow:established,to_server; dsize:<700; content:"|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|"; depth:11; fast_pattern; content:"|da b1|"; distance:2; within:2;  reference:url,blog.trendmicro.com/trendlabs-security-intelligence/analysis-new-remcos-rat-arrives-via-phishing-email/; reference:url,isc.sans.edu/forums/diary/Malspam+using+passwordprotected+Word+docs+to+push+Remcos+RAT/25292/; reference:url,www.malware-traffic-analysis.net/2019/09/03/index.html; reference:url,www.malware-traffic-analysis.net/2017/10/27/index.html;)


         

         

TrickBot


         

         

alert tcp any any -> any any (msg:"HTTP Client Header contains 'host|3a 20|tpsci.com'"; sid:1; rev:1; flow:established,to_server; content:"host|3a 20|tpsci.com"; http_header; fast_pattern:only; metadata:service http;)


         

         

TrickBot


         

         

alert tcp any any -> any any (msg:"HTTP Client Header contains 'User-Agent|3a 20|*Loader'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|"; http_header; content:"Loader|0d 0a|"; nocase; http_header; distance:0; within:24; fast_pattern; metadata:service http;)


         
Let's not argue. Let's network!

icecream-guy

:professorcat:

My Moral Fibers have been cut.