Last active: February 1, 2022 20:33
Gist: malwareforme/816819b7a130304de0bfa6cb800ee868
StrifeWater RAT Suricata Signatures
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StrifeWater RAT CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|token|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|tid|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|apiData|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 3b 20|filename=|22|data|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; classtype:command-and-control; reference:url,www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations; reference:md5,a70d6bbf2acb62e257c98cb0450f4fec; sid:1602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Non-standard User-Agent (example/1.0)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|example/1.0"; nocase; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:1603; rev:1;)

02/01/2022-13:14:26.942404 [**] [1:1602:1] ET MALWARE StrifeWater RAT CnC Activity [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 10.127.1.186:49692 -> 87.120.8.210:80
02/01/2022-13:14:26.942404 [**] [1:1604:1] ET USER_AGENTS Observed Non-standard User-Agent (example/1.0) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.127.1.186:49692 -> 87.120.8.210:80

Article: https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations
Sample run: https://tria.ge/220201-yze4tsbcal/behavioral2
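As an added rule-testing harness (not part of this gist), the Python below decodes the first rule's pipe-hex content strings and emulates its http.request_body and http.header_names conditions against a constructed multipart body; the boundary, field values and helper names are made-up placeholders, not captured traffic.

```python
import re

# The four http.request_body content matches from the StrifeWater rule above.
BODY_CONTENTS = [
    'Content-Disposition|3a 20|form-data|3b 20|name=|22|token|22|',
    'Content-Disposition|3a 20|form-data|3b 20|name=|22|tid|22|',
    'Content-Disposition|3a 20|form-data|3b 20|name=|22|apiData|22|',
    'Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 3b 20|'
    'filename=|22|data|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|',
]


def decode_content(pattern):
    """Suricata content string -> bytes: text outside |..| is literal, hex
    pairs inside |..| are raw bytes. Backslash escapes are not handled
    (this rule does not use them)."""
    out = bytearray()
    for literal, hexpart in re.findall(r'([^|]*)(?:\|([^|]*)\|)?', pattern):
        out += literal.encode('latin-1')
        if hexpart:
            out += bytes.fromhex(hexpart)
    return bytes(out)


def body_matches(body):
    """Emulate the rule's request-body section: with no distance/within,
    each content only has to appear somewhere in the buffer."""
    return all(decode_content(p) in body for p in BODY_CONTENTS)


def no_referer(header_names):
    """Emulate `http.header_names; content:!"Referer"` on Suricata's
    header-names buffer (CRLF Name CRLF Name CRLF); match is case-sensitive."""
    buf = b'\r\n' + b'\r\n'.join(h.encode() for h in header_names) + b'\r\n'
    return b'Referer' not in buf


def sample_body(boundary=b'----constructedboundary'):
    """Constructed multipart body in the shape the rule describes; not a
    captured sample, every field value is a placeholder."""
    def part(name, value, extra=b''):
        return (b'--' + boundary + b'\r\nContent-Disposition: form-data; name="'
                + name + b'"' + extra + b'\r\n\r\n' + value + b'\r\n')
    return (part(b'token', b'PLACEHOLDER') + part(b'tid', b'0')
            + part(b'apiData', b'{}')
            + part(b'data', b'\x00\x01', b'; filename="data"\r\n'
                   b'Content-Type: application/octet-stream')
            + b'--' + boundary + b'--\r\n')


def would_alert(body, header_names):
    """Body fields present AND no Referer header (the checks after method/URI)."""
    return body_matches(body) and no_referer(header_names)
```

Run `would_alert(sample_body(), ['Host', 'User-Agent', 'Content-Type'])` to confirm the constructed body trips the rule; drop one field or add a Referer header to see it stop matching.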