Dapato password stealer

Tried to incorporate the previous feedback; however, it wasn't working for this signature. Here are my notes:

Content modifiers for the URI and HTTP method did not work in this signature, nor did the http keyword. Given the lack of spacing in the User-Agent and Content-Type fields after the ":", the problems with the content modifiers, and Suricata's HTTP keyword not parsing the traffic, it leads me to believe the malware author wrote this network connection stream by themselves and not with an HTTP-conforming library. Could be wrong, but I had so much trouble with HTTP-related inspection on this that it is my only guess.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Dapato password stealer"; content:"POST"; content:"/info/step"; content:"info="; reference:url,VirusTotal; sid:2008002; rev:1;)

Hey Noah,

Thanks for sharing the new sample! I took a look at this and see what you mean regarding the missing spaces. Just for reference, this is the detonation I'm looking at: Tria.ge Analysis

Do you mind sharing the http signature and pcap you are testing with? With this run from Tria.ge I was able to get a rule working using the URI/method buffers. I noticed that in your previous post your signature looks like it was formatted for Suricata 4, which may be an issue depending on how you are testing.

Suricata 4 and 5 use buffers in slightly different ways. Suri 4 uses content modifiers that look back in the rule. For example, this signature uses the http_uri content modifier format to match "index.php" in the URI:

alert http any any -> any any (content:"index.php"; http_uri; sid:1;)

Suricata 5 uses sticky buffers which places the buffer name first, and all keywords following it apply to that buffer. This is that same rule written using the http.uri sticky buffer:

alert http any any -> any any (http.uri; content:"index.php"; sid:1;)

One thing to note is that when using sticky buffers, a lot of the underscores (_) have been replaced with periods (.).

For example, http_uri has become http.uri.

The Suricata documentation has a helpful table which correlates the legacy buffers with their sticky buffer equivalents.

Here is your signature in the sticky buffers and content modifiers format.

Suricata 5 using sticky buffers:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Dapato password stealer"; http.method; content:"POST"; http.uri; content:"/info/step"; http.request_body; content:"info="; sid:1; rev:1;)

Suricata 4 using content modifiers:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Dapato password stealer"; content:"POST"; http_method; content:"/info/step"; http_uri; content:"info="; http_client_body; sid:1; rev:1;)

Sticky buffers can be hard to get the hang of, especially if you’ve worked with older versions of Suricata or Snort!

Edited to add:
Brandon Murphy on our team has a great writeup on this malware which is worth checking out. The malware is also known as CopperStealer. Here's a link: https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft
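As an added example (not code from this thread or from the Suricata project), the following Python script does the Suricata 4 to Suricata 5+ rewrite described above mechanically: it tokenizes the rule options, groups each content keyword with the modifiers that belong to it, and moves the buffer name in front of the content as a sticky buffer. The LEGACY_TO_STICKY mapping is the legacy-to-sticky correspondence from the Suricata documentation table; the function names and the refusal to convert a bare content that follows a buffered one are this example's own choices. The embedded sample rules are the ones quoted in this thread.

```python
"""Rewrite Suricata 4 content-modifier rules into Suricata 5+ sticky-buffer form.

Added example for this thread; not code from the original post or from the
Suricata project. LEGACY_TO_STICKY follows the documentation's legacy/sticky
table; the helper names below are this example's own.
"""

# Legacy content modifier keyword -> Suricata 5+ sticky buffer keyword.
LEGACY_TO_STICKY = {
    "http_method": "http.method",
    "http_uri": "http.uri",
    "http_raw_uri": "http.uri.raw",
    "http_header": "http.header",
    "http_raw_header": "http.header.raw",
    "http_cookie": "http.cookie",
    "http_user_agent": "http.user_agent",
    "http_host": "http.host",
    "http_raw_host": "http.host.raw",
    "http_client_body": "http.request_body",
    "http_server_body": "http.response_body",
    "http_stat_code": "http.stat_code",
    "http_stat_msg": "http.stat_msg",
}

# Keywords that refine the content match immediately before them; they stay
# attached to that content in both syntaxes.
CONTENT_MODIFIERS = {
    "nocase", "depth", "offset", "distance", "within",
    "fast_pattern", "startswith", "endswith",
}


def split_rule(rule):
    """Return (header, option body) for a rule shaped 'header (opt; opt; ...)'."""
    rule = rule.strip()
    start = rule.index("(")
    if not rule.endswith(")"):
        raise ValueError("rule options must end with ')'")
    return rule[:start].strip(), rule[start + 1:-1]


def tokenize_options(opts):
    """Split the option body on ';' characters that are not quoted or escaped."""
    pieces, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':               # track quoted strings so 'a;b' in content survives
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            pieces.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    pieces.append("".join(buf))
    tokens = []
    for piece in pieces:
        piece = piece.strip()
        if not piece:
            continue
        key, sep, val = piece.partition(":")   # first ':' separates keyword from value
        tokens.append((key.strip(), val.strip() if sep else None))
    return tokens


def render(tokens):
    """Serialize (keyword, value) pairs back into Suricata option syntax."""
    return " ".join(f"{k}:{v};" if v is not None else f"{k};" for k, v in tokens)


def to_sticky(rule):
    """Convert one Suricata 4 rule; rules already using sticky buffers pass through."""
    header, opts = split_rule(rule)
    tokens = tokenize_options(opts)
    if any(k in LEGACY_TO_STICKY.values() for k, _ in tokens):
        return f"{header} ({render(tokens)})"

    out = []            # converted tokens in output order
    group = None        # current content with its modifiers and target buffer
    sticky_seen = False

    def flush():
        nonlocal group, sticky_seen
        if group is None:
            return
        if group["buffer"]:
            out.append((group["buffer"], None))   # sticky buffer goes first
            sticky_seen = True
        elif sticky_seen:
            # In sticky syntax a bare content after a buffer keyword inspects
            # that buffer, not the raw payload, so a silent rewrite would
            # change what the rule matches. Hand this case back to the author.
            raise ValueError(
                f"content {group['content'][1]} has no buffer but follows a sticky "
                "buffer; place it before the HTTP matches or review it manually"
            )
        out.append(group["content"])
        out.extend(group["mods"])
        group = None

    for key, val in tokens:
        if key == "content":
            flush()
            group = {"content": (key, val), "mods": [], "buffer": None}
        elif key in LEGACY_TO_STICKY:
            if group is None:
                raise ValueError(f"{key} is not preceded by a content keyword")
            group["buffer"] = LEGACY_TO_STICKY[key]
        elif key in CONTENT_MODIFIERS and group is not None:
            group["mods"].append((key, val))
        else:
            flush()
            out.append((key, val))
    flush()
    return f"{header} ({render(out)})"


# The Suricata 4 rule from the reply above, used as the demo input.
LEGACY_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Dapato password stealer"; '
    'content:"POST"; http_method; content:"/info/step"; http_uri; '
    'content:"info="; http_client_body; sid:1; rev:1;)'
)

if __name__ == "__main__":
    print(to_sticky(LEGACY_RULE))
```

Whatever syntax the rule ends up in, the HTTP buffers can only fire if Suricata's HTTP parser actually recognized the flow. A quick way to separate a rule-syntax problem from a traffic-parsing problem is to replay the capture with `suricata -r sample.pcap -S rules.rules -l out/` and check `out/eve.json` for an `http` event on that flow; if there is no such event, no version of the http.uri or http.request_body rule will match and a plain payload match, as in the original tcp rule, is the fallback.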

The version of Suricata I am running is 6.0.4. I tried to upload the pcap but it says new users can't attach anything. I had the signature how it should have been with http, but it wouldn't work. I kept modifying it until it did work, so I no longer have the http signature. The original http signature was basically your Suricata 4 signature, without the http_client_body. Thank you for your feedback. I'll give it another go to get sticky buffers to start working.