Wednesday, December 14, 2016

1:40912 1:40913 MALWARE-OTHER Win.Trojan.Flokibot variant download attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whomever created these trojan download attempt snort alert didn't include documentation.

1 40913 MALWARE-OTHER Win.Trojan.Flokibot variant download attempt
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Flokibot variant download attempt"; flow:to_server,established; file_data; content:"Hash: 0x%x not loaded."; fast_pattern:only; content:"|00|B|00|O|00|T|00|3|00|2|00|"; nocase; content:"|00|K|00|E|00|Y|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03/analysis/; classtype:trojan-activity; sid:40913; rev:1; ) 1 40912 MALWARE-OTHER Win.Trojan.Flokibot variant download attempt
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Flokibot variant download attempt"; flow:to_client,established; file_data; content:"Hash: 0x%x not loaded."; fast_pattern:only; content:"|00|B|00|O|00|T|00|3|00|2|00|"; nocase; content:"|00|K|00|E|00|Y|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03/analysis/; classtype:trojan-activity; sid:40912; rev:1; )


If I had to guess I think it's related to the Sednit hacking group and perhaps a rootkit they developed or something similar which stated.

Floki Bot is a malware variant that has recently been offered for sale on various darknet markets. It is based on the same codebase that was used by the infamous Zeus trojan. Floki Bot claims to feature several new capabilities making it an attractive tool for criminals. Talos also observed the introduction of new code that allows Floki Bot to make use of the Tor network.
Malwarebytes also has a good writeup on the malware.
The virus total link above shows several generic hits like Win.Trojan.Flokibot, Trojan-Spy.Zbot, Trojan.Win32.DownLoader, etc.

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

1 comment:

  1. eToro is the ultimate forex trading platform for novice and professional traders.

    ReplyDelete