Hi, I noticed that the DarkCloud stealer requests an external IP address with a custom header, and I suggest detecting it with the following rule:

alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] DarkCloud External IP Check";
flow:established,to_server;
http.method; content:"GET";
http.uri; content:"/"; urilen:1;
http.header; content:"User-Agent: Project1|0d 0a|Host: showip.net"; depth:38; isdataat:!3,relative;
threshold:type limit, track by_dst, seconds 300, count 1;
reference:md5,8bd23a467dcfc443e51dad9e8067a7d8;
reference:url,app.any.run/tasks/a3280139-0930-4ed0-b245-4cb635c11881;
metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family DarkCloud, created_at 2023_08_07;
classtype:trojan-activity; sid:1; rev:1;)

Best regards, Jane <3

1 Like
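To make the rule's matching conditions concrete, here is an added example (not part of the thread and not Emerging Threats' or ANY.RUN's code) that re-implements the detection options of the proposed signature in Python and runs them over constructed sample requests. The header-buffer layout it uses ("Name: value\r\n" per header, request line excluded) is an approximation of Suricata's http.header sticky buffer, and the sample requests are constructed for this example, not captured traffic. It also models the threshold option so the alert-suppression behaviour can be seen.

```python
"""Re-implementation of the match logic of the proposed DarkCloud external IP
check rule, run over constructed sample HTTP requests.  Added example, not part
of the thread or of the Emerging Threats ruleset.  The header-buffer layout
("Name: value\\r\\n" per header, request line excluded) is an approximation of
Suricata's http.header sticky buffer, assumed for this example."""

import time
from typing import Dict, List, Optional, Tuple

# The content the rule matches on, with |0d 0a| expanded to CRLF.
HEADER_CONTENT = b"User-Agent: Project1\r\nHost: showip.net"
DEPTH = 38          # depth:38 -> the whole content must lie within the first 38 bytes
ISDATAAT_NOT = 3    # isdataat:!3,relative -> fewer than 3 bytes may follow the match


def parse_request(raw: bytes) -> Optional[Tuple[bytes, bytes, List[Tuple[bytes, bytes]]]]:
    """Split a raw HTTP/1.x request into (method, uri, ordered header list).

    Returns None for anything that is not a syntactically complete request head.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers.append((name.strip(), value.strip()))
    return parts[0], parts[1], headers


def header_buffer(headers: List[Tuple[bytes, bytes]]) -> bytes:
    """Approximation of Suricata's http.header buffer: every header rendered as
    'Name: value\\r\\n' in order, request line not included (assumption)."""
    return b"".join(name + b": " + value + b"\r\n" for name, value in headers)


def matches_rule(raw: bytes) -> bool:
    """Evaluate the rule's detection options against one request."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, headers = parsed
    if method != b"GET":            # http.method; content:"GET";
        return False
    if uri != b"/":                 # http.uri; content:"/"; urilen:1;
        return False
    buf = header_buffer(headers)
    # http.header; content:"..."; depth:38;  -> match must end within DEPTH bytes
    pos = buf.find(HEADER_CONTENT, 0, DEPTH)
    if pos == -1:
        return False
    # isdataat:!3,relative -> at most 2 bytes (the closing CRLF) after the match,
    # so any third header after Host: makes the rule miss.
    remaining = len(buf) - (pos + len(HEADER_CONTENT))
    return remaining < ISDATAAT_NOT


class ThresholdLimit:
    """threshold:type limit, track by_dst, seconds 300, count 1 -> at most
    `count` alerts per destination IP within any `seconds` window."""

    def __init__(self, seconds: int = 300, count: int = 1) -> None:
        self.seconds = seconds
        self.count = count
        self._windows: Dict[str, Tuple[float, int]] = {}

    def should_alert(self, dst_ip: str, now: float) -> bool:
        start, seen = self._windows.get(dst_ip, (now, 0))
        if now - start >= self.seconds:   # window expired: start a fresh one
            start, seen = now, 0
        seen += 1
        self._windows[dst_ip] = (start, seen)
        return seen <= self.count


# Constructed sample requests for this example (not captured traffic).
SAMPLES = {
    "darkcloud_ip_check": b"GET / HTTP/1.1\r\nUser-Agent: Project1\r\nHost: showip.net\r\n\r\n",
    "browser_visit": b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: showip.net\r\nAccept: */*\r\n\r\n",
    "extra_header": b"GET / HTTP/1.1\r\nUser-Agent: Project1\r\nHost: showip.net\r\nAccept: */*\r\n\r\n",
    "reordered": b"GET / HTTP/1.1\r\nHost: showip.net\r\nUser-Agent: Project1\r\n\r\n",
    "other_path": b"GET /index.html HTTP/1.1\r\nUser-Agent: Project1\r\nHost: showip.net\r\n\r\n",
    "post": b"POST / HTTP/1.1\r\nUser-Agent: Project1\r\nHost: showip.net\r\n\r\n",
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over every sample; only darkcloud_ip_check should match."""
    return {name: matches_rule(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20s} match={hit}")
    limiter = ThresholdLimit()
    t0 = time.time()
    # Repeated checks from one host to one destination: one alert per 300 s window.
    print([limiter.should_alert("203.0.113.10", t0 + d) for d in (0, 10, 299, 300)])
```

The `extra_header` and `reordered` samples show how tight the signature is: the depth and isdataat constraints mean it only fires when User-Agent and Host are the only two headers, in that order. A build of the stealer that adds or reorders a header would slip past it, which is the reason the broader idea in the thread (hunting on the custom User-Agent itself) is a useful complement rather than a replacement.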

Hey @Jane0sint, thanks! I threw this in as HUNTING to align with some of the other malware-family IP check sigs we have.

2047083 - ET HUNTING [ANY.RUN] DARKCLOUD Style External IP Check

Yes, it's a good idea to hunt for external IP checks with custom headers like Project1. I think I've already come across this User-Agent somewhere. Thank you.