Cryptbot Stealer has been switching its behavior in the past weeks from uploading logs to C2 on /gate.php to /zip.php. Maybe there are more changes.
I believe this change has been completed and there's no rule detection for Cryptbot as of now, so old rules need to be updated.
Rules related to Cryptbot that fired:
- ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M1
- ET MALWARE Win32/Cryptbot V2 Data Exfiltration Attempt
- ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M2
No rules fired, 0 detection on Cryptbot.
Thanks in advance.
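An added illustration of the coverage gap the post describes (this is not code from the post, and it does not reproduce the actual ET signatures, whose contents are not shown here): a simplified URI-based detection rule keyed only on `/gate.php` is compared with one that also covers `/zip.php`, run over constructed HTTP request records. The request lines, host names and rule names are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample HTTP request records (not real captures), in
# "METHOD URI HOST" form. The two POSTs mirror the old (/gate.php) and
# new (/zip.php) upload paths mentioned in the post; the rest is benign noise.
SAMPLE_REQUESTS = [
    "POST /gate.php c2.example.invalid",
    "POST /zip.php?id=1 c2.example.invalid",
    "GET /index.html www.example.com",
    "POST /login portal.example.com",
]


@dataclass(frozen=True)
class UriRule:
    """A minimal detection rule: HTTP method plus a set of URI paths (assumed shape)."""
    name: str
    method: str
    paths: frozenset


# Hypothetical rule pair: the "old" one only knows the original upload path,
# the "updated" one adds the path the post reports Cryptbot switched to.
OLD_RULE = UriRule("Cryptbot upload (old, /gate.php only)", "POST",
                   frozenset({"/gate.php"}))
UPDATED_RULE = UriRule("Cryptbot upload (updated, /gate.php or /zip.php)", "POST",
                       frozenset({"/gate.php", "/zip.php"}))


def parse_request(line):
    """Split a 'METHOD URI HOST' record; the query string is dropped from the URI."""
    method, uri, host = line.split(maxsplit=2)
    path = uri.split("?", 1)[0]
    return method, path, host


def matches(rule, line):
    """True when the record's method and path both satisfy the rule."""
    method, path, _host = parse_request(line)
    return method == rule.method and path in rule.paths


def alerts(rule, lines):
    """Return the records a rule would alert on."""
    return [line for line in lines if matches(rule, line)]


def coverage_gap(old_rule, new_rule, lines):
    """Records the updated rule catches but the old rule silently misses."""
    return [line for line in lines
            if matches(new_rule, line) and not matches(old_rule, line)]


if __name__ == "__main__":
    for rule in (OLD_RULE, UPDATED_RULE):
        print(rule.name, "->", alerts(rule, SAMPLE_REQUESTS))
    print("missed by old rule:", coverage_gap(OLD_RULE, UPDATED_RULE, SAMPLE_REQUESTS))
```

Running the block shows the old rule alerting on the `/gate.php` POST only, while the `/zip.php` POST appears in the coverage gap; a real signature would of course combine the URI with other request characteristics rather than relying on the path alone.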