Bandios C2 Check in

I found some malware that did not have a signature.

alert http $HOME_NET any → $EXTERNAL_NET any (msg:“bandios c2 check in”; http.method; content:“GET”; http.uri; content:“.php?t=”; http.uri; content:“&m=”; within:5; reference:url,test.com; sid:2008003; rev:1;)

Sorry for the poor reference. I was trying to link to VT. I was getting a “Cannot post to that host” error message. I guessed it might be a problem with the link, after ensuring I was auth’ed to this site…

VT domain + /gui/file/44195bb3585937343dc0bc17eba7c5af1c0fdd885e3049dd374a6c580793ce13/detection

Try wrapping those rules in a code block, I guess Discourse calls it “preformatted text” to prevent Discourse from trying to make them all fancy. I’m not 100% sure if it’ll work, but worth a shot!

In the mean time, i’ll see what I can find out with your sig and let you know!

1 Like

Alright, finally got some time to take a look at this.

It looks like we actually have two rules in the PRO ruleset today that cover this traffic. So this is a great find!

2830631 - ETPRO ADWARE_PUP Win32/Atshz.A Checkin M2
2830630 - ETPRO ADWARE_PUP Win32/Atshz.A Checkin

I will move these to the OPEN ruleset today and will update this message once I have the new SIDs.

I did a lot of searching/pivoting based on the pattern that you found in the URI. From what I can tell looks like the values within the URI and the filename (data.php) appear to be very consistent. Knowing this allows for a static content match that acts as a good fast_pattern;

These two signatures were created back in 2020 and still produce good sig hits today!

EDIT –
There are now out in the open ruleset!

2043008 - ET ADWARE_PUP Win32/Atshz.A Checkin (adware_pup.rules)
2043009 - ET ADWARE_PUP Win32/Atshz.A Checkin M2 (adware_pup.rules)

Sounds like this was hitting a spam rule in Discourse about linking to the same domain in multiple posts. We’ve got it fixed for ya now though. Sorry for the trouble. But, I think moving forward wrapping rules as “preformatted-text” will avoid it creating a link to the site, make it easier for copy/paste too.

1 Like