Ok, finally got around to taking a good look at this today.
I’ve detailed my analysis of the samples and have provided some feedback on your proposed rules! Today there will be five new rules released based on your research. I’ll be sure to update the post with the SIDs and rule content once they are released.
SIDs
2044038 - ET ADWARE_PUP BoostBeast Task Request M1 (adware_pup.rules)
2044039 - ET ADWARE_PUP BoostBeast Task Request M2 (adware_pup.rules)
2044040 - ET ADWARE_PUP BoostBeast Checkin M1 (adware_pup.rules)
2044041 - ET ADWARE_PUP BoostBeast Checkin M2 (adware_pup.rules)
2044042 - ET ADWARE_PUP BoostBeast Task Response (adware_pup.rules)
Rules
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BoostBeast Task Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:21; content:"/api/taskforecast/get"; fast_pattern; threshold:type limit, count 1, seconds 120, track by_src; reference:url,app.any.run/tasks/556c8a11-a736-48db-9779-bb74db2431c6/; reference:md5,73923a750344d1a1e734a12e98271c69; classtype:pup-activity; sid:2044038; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_01_31, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2023_01_31; target:src_ip;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BoostBeast Task Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/"; startswith; content:"/task/get?browser="; distance:0; fast_pattern; threshold:type limit, count 1, seconds 120, track by_src; reference:url,tria.ge/230131-lezarafg93/behavioral2; reference:md5,fbdd33cf51fe4113000a7fc14908b56d; classtype:trojan-activity; sid:2044039; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_01_31, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2023_01_31; target:src_ip;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BoostBeast Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/taskforecast/installed"; bsize:27; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,app.any.run/tasks/556c8a11-a736-48db-9779-bb74db2431c6/; reference:md5,73923a750344d1a1e734a12e98271c69; classtype:pup-activity; sid:2044040; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_01_31, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2023_01_31; target:src_ip;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BoostBeast Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/"; startswith; content:"/task/installed"; endswith; fast_pattern; http.user_agent; content:"HeadlessChrome/"; reference:url,tria.ge/230131-lezarafg93/behavioral2; reference:md5,fbdd33cf51fe4113000a7fc14908b56d; classtype:trojan-activity; sid:2044041; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_01_31, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2023_01_31; target:src_ip;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP BoostBeast Task Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/plain|3b|"; startswith; http.response_body; content:"|7b 22|Id|22 3a|"; startswith; content:"|2c 22|Watch|22 3a|"; fast_pattern; content:"|2c 22|Action|22 3a 22|"; threshold:type limit, count 1, seconds 120, track by_src; reference:url,app.any.run/tasks/556c8a11-a736-48db-9779-bb74db2431c6/; reference:md5,73923a750344d1a1e734a12e98271c69; classtype:trojan-activity; sid:2044042; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_01_31, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2023_01_31; target:dest_ip;)
Analysis
Very interesting find! This actually seems to be some sort of malicious program which forces a user to unknowingly watch or stream a YouTube Video or Live Stream. I did a pivot on the IP address in VirusTotal and found many related samples.
Side note: The most interesting YouTube video I could find which was commanded was located at https://www.youtube.com/watch?v=3eWCZq94teo
This is an unlisted live stream titled “Test”.
I was able to identify three main activities which happen with the C2 server.
Checkin
Task Requests
Exception Handling
Distribution
In at least two cases it appears that this was delivered via SmokeLoader.
Active Development
Using that same C2 server, I was able to find what appears to be an updated version of the application. This sample appears to have been compiled on Jan 27th of 2023.
A very good sandbox execution can be found on Tria.ge
While this version uses the same interactions (Checkin, Task Request, and Exception Handling), the format of them is slightly different.
Checkin
Task Request
Monitoring
If you wanted, you could actually monitor which videos are being “commanded” via a simple curl to the C2 server. Fun stuff!
Rule Feedback
Protocols
I’m guessing, based on the use of Suricata keywords (http.uri, http.method), these rules were written for Suricata. As such, it’s highly suggested to use the protocol associated with the traffic being inspected. In this case, the protocol of http would be best.
bsize
When you’ve got an “exact” match (like the URI in sid:2008005) the bsize keyword can be used to ensure the match is exact and can help optimize the fast_pattern when used.
In this case adding the bsize:21 to http.uri; bsize:21; content:"/api/taskforecast/get";
Hex Encoding Special Characters
With this content match content:"{"Id""; there are a handful of “special” characters within Suricata’s (and Snort’s) language that need to be hex encoded when used within a content match. The quote (") is one of them and should be encoded using the |22| method.
From the Docs
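The two rule-writing points raised above (an exact bsize for an exact-match content, and hex-encoding delimiter characters inside content) can be checked mechanically. The following is an added example written for this post; it is not ET's or Suricata's own code. It assumes the delimiter set given in the Suricata content keyword documentation (`"` `;` `:` `|`, with backslash added conservatively), assumes bsize sits directly before or after the content it constrains (as in the rules above), and uses two constructed rule fragments (GOOD_RULE and BAD_RULE, not real ET rules) modelled on sid:2044038 and sid:2044042. Note that the released rule encodes the `{` as |7b| as well; that is optional, and the encoder below leaves it literal.

```python
import re

# Characters the Suricata "content" keyword cannot take literally because
# they are rule-syntax delimiters; the docs say to write them in |hex|.
# Backslash is included conservatively since it is the escape character.
SPECIAL = set('";:|\\')

# A |..| group: pairs of hex digits, optionally space-separated.
_HEX_GROUP = re.compile(r"\|((?:[0-9A-Fa-f]{2}\s*)*)\|")


def encode_content(raw) -> str:
    """Render raw (str or bytes) as a Suricata content string, hex-encoding
    delimiter characters and non-printable bytes. Adjacent encoded bytes are
    merged into one |..| group, the way the ET rules above are written."""
    if isinstance(raw, str):
        raw = raw.encode()
    out, run = [], []

    def flush():
        if run:
            out.append("|" + " ".join(run) + "|")
            run.clear()

    for b in raw:
        if 0x20 <= b < 0x7F and chr(b) not in SPECIAL:
            flush()
            out.append(chr(b))
        else:
            run.append(f"{b:02x}")
    flush()
    return "".join(out)


def decode_content(content: str) -> bytes:
    """Inverse of encode_content: expand every |..| group back into bytes."""
    out, pos = bytearray(), 0
    for m in _HEX_GROUP.finditer(content):
        out += content[pos:m.start()].encode()
        out += bytes.fromhex("".join(m.group(1).split()))
        pos = m.end()
    out += content[pos:].encode()
    return bytes(out)


def bsize_for(content: str) -> int:
    """Buffer length an exact content match implies, i.e. the value for bsize."""
    return len(decode_content(content))


_CONTENT = re.compile(r'content:"(.*?)";')
# bsize adjacent to its content, in either order (assumption: as in the rules above).
_BSIZE_BEFORE = re.compile(r'bsize:(\d+); content:"([^"]*)";')
_BSIZE_AFTER = re.compile(r'content:"([^"]*)"; bsize:(\d+);')


def lint_rule(rule: str) -> list:
    """Return a list of problems: literal delimiter characters inside a content
    match, and bsize values that do not equal the length of the adjacent
    content. An empty list means the rule passes both checks."""
    problems = []
    for m in _CONTENT.finditer(rule):
        literal = _HEX_GROUP.sub("", m.group(1))   # ignore already-encoded bytes
        bad = sorted(set(literal) & SPECIAL)
        if bad:
            fixed = encode_content(decode_content(m.group(1)))
            problems.append(f'content:"{m.group(1)}" has {bad}; write it as content:"{fixed}"')
    pairs = [(int(n), c) for n, c in _BSIZE_BEFORE.findall(rule)]
    pairs += [(int(n), c) for c, n in _BSIZE_AFTER.findall(rule)]
    for n, c in pairs:
        want = bsize_for(c)
        if n != want:
            problems.append(f'bsize:{n} next to content:"{c}" but the content is {want} bytes')
    return problems


# Constructed rule fragments modelled on the rules above (not real ET rules).
GOOD_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"example ok"; '
             'http.uri; bsize:21; content:"/api/taskforecast/get"; fast_pattern; '
             'http.response_body; content:"|7b 22|Id|22 3a|"; startswith; sid:1; rev:1;)')
BAD_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"example bad"; '
            'http.uri; bsize:20; content:"/api/taskforecast/get"; fast_pattern; '
            'http.response_body; content:"{"Id""; startswith; sid:2; rev:1;)')

if __name__ == "__main__":
    print(encode_content('{"Id":'))                  # {|22|Id|22 3a|
    print(bsize_for("/api/taskforecast/installed"))  # 27
    for p in lint_rule(BAD_RULE):
        print("BAD :", p)
    print("GOOD:", lint_rule(GOOD_RULE))
```

Running it flags both defects in BAD_RULE (the unencoded quotes in `{"Id"` and a bsize of 20 against a 21-byte URI) and passes GOOD_RULE, whose values match the bsize:21 and bsize:27 used in sid:2044038 and sid:2044040.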