DarkCloud

Jane0sint · August 8, 2023, 7:25am

Hi, I noticed that the darkcloud stealer requests an external ip address with a custom header, and I suggest detecting it with the following rule:

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] DarkCloud External IP Check";
flow: established, to_server; http.method; 
content: "GET"; 
http.uri; content: "/"; urilen: 1; 
http.header; content: "User-Agent: Project1|0d0a|Host: showip.net"; depth: 38; isdataat: !3, relative; 
threshold: type limit, track by_dst, seconds 300, count 1;  
reference: md5,8bd23a467dcfc443e51dad9e8067a7d8;  
reference: url,app.any.run/tasks/a3280139-0930-4ed0-b245-4cb635c11881; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family DarkCloud,  created_at 2023_08_07; 
classtype: trojan-activity; sid: 1; rev: 1;)

Best regards, Jane <3

ishaughnessy · August 8, 2023, 9:25pm

Hey @Jane0sint - thanks! I threw this in as HUNTING to align with some of the other mal family ip check sigs we have.

2047083 - ET HUNTING [ANY.RUN] DARKCLOUD Style External IP Check

Jane0sint · August 9, 2023, 7:58pm

yes, it’s a good idea to hunt for external ip with custom headers like project1. I think I’ve already met this user agent somewhere. Thank you.

Topic		Replies	Views
ObserverStealer Rule Signatures	5	560	June 23, 2023
DarkGate Rule Signatures	4	452	December 28, 2023
Gh0stRat Rule Signatures	3	575	December 28, 2023
StealC Stealer Rule Signatures	11	782	December 28, 2023
DarkCrystal RAT Rule Signatures	13	836	January 2, 2024

DarkCloud

Related topics