Monday, December 26, 2016

1:41031 MALWARE-CNC Win.Trojan.Athena variant outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whomever created these trojan connection attempts snort alert didn't include documentation.

(1:41031) MALWARE-CNC Win.Trojan.Athena variant outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Athena variant outbound connection"; flow:to_server,established; content:"User-Agent: Go-http-client"; fast_pattern:only; http_header; content:"/cmd/"; depth:5; http_uri; pcre:"/^\x2Fcmd\x2F[\-a-zA-Z0-9_+]{650,}={0,3}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,; classtype:trojan-activity; sid:41031; rev:1; )

If I had to guess I think it's related to this malware analysis of a file called msguard.exe or something similar which stated.

It appears to make callouts to .onion addresses with cmd parameters that are likely sending or receiving information to a C&C server.
The virus total link above shows several generic hits like Win.Trojan.Athena, W32.Clodece.Trojan, Trojan.Dynamer, Trojan.Razy, etc.

More about neonprimetime

Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java

Top Github Contributions
  1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment