Skip to content

Instantly share code, notes, and snippets.

@fox-srt
Created September 7, 2023 13:04
Show Gist options
  • Save fox-srt/13cb234fe3929943b6baf9bf819a9767 to your computer and use it in GitHub Desktop.
Save fox-srt/13cb234fe3929943b6baf9bf819a9767 to your computer and use it in GitHub Desktop.
hook.rules
# Detection for Hook/ERMAC mobile malware
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Mobile Malware - Possible Hook/ERMAC HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/php/"; depth:5; content:".php/"; isdataat:!1,relative; fast_pattern; pcre:"/^\/php\/[a-z0-9]{1,21}\.php\/$/U"; classtype:trojan-activity; priority:1; threshold:type limit,track by_src,count 1,seconds 3600; metadata:ids suricata; metadata:created_at 2023-06-02; metadata:updated_at 2023-06-07; sid:21004440; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Mobile Malware - Possible Hook Websocket Packet Observed (login)"; content:"|81|"; depth:1; byte_test:1,&,0x80,1; luajit:hook.lua; classtype:trojan-activity; priority:1; threshold:type limit,track by_src,count 1,seconds 3600; metadata:ids suricata; metadata:created_at 2023-06-02; metadata:updated_at 2023-06-07; sid:21004441; rev:2;)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment