ET Malware - Socks5Systemz

Hi Team Emerging Threats,

Can you please advise where I can get more information about the rule name below?

ET MALWARE Socks5Systemz CnC Checkin M2

I need a site that can give me a deep dive into malware analysis and an understanding of its impact via real-world scenarios hit by such malware, focusing on the volume and financial losses from such malware.

Thanks

1 Like

Hi @prime69 - This signature is based off of the content in This blog by Bitsight. I noticed a typo in the signature references so I’ll get that fixed up in today’s release. Let me know if you have any other questions and I’m happy to help!

Thanks,
Isaac

1 Like

Thank you for your assistance ishaughnessy,

Can you please advise if there is any URL link where I can learn to contribute to the community via understanding and eventually writing malware signatures…based on packet capture…

I just would like to contribute to our community defending against blackhats…

I understand I am just starting to crawl, but that’s the best place to learn from: the bottom up…

Thanks

Hi, for my part I can offer a little research on Twitter (x) and a couple of rules of your choice

More samples by tag Malware Reports - Online Malware Analysis Sandbox

During the research, a couple of encryption keys were discovered, but never a different user agent

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection";flow: established, to_server; http.method; content: "GET"; http.uri; content: ".php?c="; pcre: "/^((?:[a-f0-9]){2})+$/R"; http.user_agent; content: "Mozilla/5.0 (Windows|3b| U|3b| MSIE 9.0|3b| Windows NT 9.0|3b| en-US)"; bsize: 57; http.header_names; content: "|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|";  reference: md5,545519a4f5847b77094b2a6baa5d1cfe;  reference: url,app.any.run/tasks/351c3d1b-05d6-483e-9480-b4db71a8a9ff; classtype: command-and-control; sid: 1; rev: 1;)

When a client appears, the backconnection rule is triggered

alert tcp any any -> any 1074 (msg: "ET MALWARE [ANY.RUN] Socks5Systemz TCP Backconnect Client Traffic";flow: established, to_server; stream_size: server, =, 1;stream_size: client, =, 12; dsize: 10; content: "|C0 A8 64|";depth:  3; classtype: command-and-control;  reference: md5,1eef6f11bc52c68880c0fa35f8318923;  reference: url,app.any.run/tasks/685b5fb6-1b1a-4f4d-92f5-8a9593275a92; sid: 2; rev: 1;)

Welcome to the community, prime69
Best regards, Jane

1 Like

@prime69 - Our community page is the best spot to reach out to us, if you are stuck or confused on a topic create a post and we are always happy to take a look! Even simple questions will be helpful to others in the community so don’t hold back!

If you are interested in learning suricata here is a link to a presentation I gave at BSidesSLC which may be helpful.

@Jane0sint is one of our top community contributors and I definitely recommend following her posts here and the research she shares on Twitter.

2 Likes

heya @Jane0sint

I got one of these out today.
2049397 - ET MALWARE [ANY.RUN] Socks5Systemz TCP Backconnect Client Traffic

I found a few FP’s on [ANY.RUN] Socks5Systemz HTTP C2 Connection for bot traffic going to Google Analytics so I’m going to add a negation and try again tomorrow.

Example URL causing FP

google-analytics.bit/single.php?c=55edc18a576296d983604c6c2c792a748ce3f5dd3f6ab361c8106646ba3fb836c10b4e79e3b794c7661bf9463f

Cheers,
Isaac

1 Like

@Jane0sint - After trying some negations Socks5Systemz HTTP C2 Connection still did not perform well and was not part of today’s release.

Thanks,
Isaac

1 Like

Hi, sorry for the long response, I was working on a brushaloader.
Everything got a little worse with the appearance of this sample Analysis New Text Document.bin.zip (MD5: 191C2DAF0AE932762F01CD6B5423A1FB) Malicious activity - Interactive analysis ANY.RUN
It has the following URI:
/click/?counter=de7ef49b2c006853fb38357b3206f31360ff1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f508166429e289d5886 9b3a226d55f676647fc3813369d184da325a538cd207fc12cc

Here’s my proposal for a rule,

  1. Make a limit on the length of the content up to RC4 from (156):
    client_id=eb639ef9&connected=0&server_port=0&debug=3&os=6&dgt=1&dti=1700768612
    to (188):
    client_id=86c0bdd1&connected=1&server_port=32209&debug=76&os=6.1.7601&dgt=0&dti=1701391532
  2. The absence of other parameters in the URI line, that is, only one equal sign. (not a google case)
  3. And also exclude google-analytics from the hosts.
http.uri;
content: "?"; depth: 20; 
pcre: "/^[^=]+=((?:[a-f0-9]){2}){78,94}$/"; 

The amount of content has been reduced, I’m sorry (︶︹︶)

Is it just me or is there a DGA here? All domains are 7 characters.

I’d like to use this too:

http.host; 
content: "."; offset: 7; depth:1;  
pcre: "/^[a-z]{7}\.[a-z]{2,5}$/"; 

And that’s the rule:

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection";
flow: established, to_server; http.method;
content: "GET"; http.uri;
content: "?"; depth: 20;
pcre: "/^[^=]+=((?:[a-f0-9]){2}){78,94}$/"; http.user_agent;
content: "Mozilla/5.0 (Windows|3b| U|3b| MSIE 9.0|3b| Windows NT 9.0|3b| en-US)"; bsize: 57; http.header_names;
content: "|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|";
http.host; content: "."; offset: 7; depth:1;  pcre: "/^[a-z]{7}\.[a-z]{2,5}$/"; 
reference: md5,7308178fbfc957dec7a304ad131e0b5b;
reference: url,app.any.run/tasks/685b5fb6-1b1a-4f4d-92f5-8a9593275a92; classtype: command-and-control;
sid: 1; rev: 1;)

And add another rule for a new key thanks to @naumovax
https://x.com/naumovax/status/1727714533546848394?s=20

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection";
flow: established, to_server; http.method;
content: "GET"; http.uri;
content: "=de7ef49b2c006853fb"; 
reference: md5,7308178fbfc957dec7a304ad131e0b5b;
reference: url,app.any.run/tasks/685b5fb6-1b1a-4f4d-92f5-8a9593275a92; classtype: command-and-control;
sid: 1; rev: 1;)

Jane ゚𐦍༘⋆

1 Like
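As an added illustration (not code from the thread, from ANY.RUN or from Emerging Threats), the following Python models the keyword conditions of the HTTP C2 rule proposed above and runs them over constructed requests: a beacon-shaped request, the shape of the Google Analytics false positive mentioned earlier in the thread, a request with a second query parameter, and a browser-like request with extra headers. Host names, hex payloads and header lists are constructed, not taken from samples.

```python
import re

# Constraints transcribed from the proposed "Socks5Systemz HTTP C2 Connection" rule.
# Constructed illustration; the real matching is done by Suricata, not this script.
UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"   # bsize:57
URI_RE = re.compile(r"^[^=]+=((?:[a-f0-9]){2}){78,94}$")   # one '=' then 78..94 hex bytes
HOST_RE = re.compile(r"^[a-z]{7}\.[a-z]{2,5}$")            # 7-letter label, short TLD


def matches_rule(method, uri, host, user_agent, header_names):
    """True when a request satisfies every keyword of the proposed rule."""
    if method != "GET":
        return False
    if "?" not in uri[:20]:                   # content:"?"; depth:20
        return False
    if not URI_RE.match(uri):                 # pcre on http.uri
        return False
    if len(user_agent) != 57 or user_agent != UA:
        return False
    # http.header_names bsize:22 -> exactly Host and User-Agent, nothing else
    if list(header_names) != ["Host", "User-Agent"]:
        return False
    if len(host) < 8 or host[7] != ".":      # content:"."; offset:7; depth:1
        return False
    return bool(HOST_RE.match(host))


# Constructed sample requests: (method, uri, host, user_agent, header_names).
SAMPLES = {
    # beacon-shaped: 7-letter host, single parameter, 86 hex bytes
    "beacon": ("GET", "/click/?counter=" + "a1b2" * 43, "abcdefg.com", UA,
               ["Host", "User-Agent"]),
    # shape of the Google Analytics false positive from the thread: only 45 hex bytes
    "ga_fp": ("GET", "/single.php?c=" + "5e" * 45, "google-analytics.bit", UA,
              ["Host", "User-Agent"]),
    # an extra query parameter breaks the single '=' requirement
    "two_params": ("GET", "/click/?counter=" + "a1b2" * 43 + "&x=1", "abcdefg.com", UA,
                   ["Host", "User-Agent"]),
    # ordinary browser traffic carries more headers than Host and User-Agent
    "browser": ("GET", "/click/?counter=" + "a1b2" * 43, "abcdefg.com", UA,
                ["Host", "User-Agent", "Accept", "Connection"]),
}


def classify_samples():
    """Map each constructed sample name to whether the rule would fire."""
    return {name: matches_rule(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:11s} -> {'ALERT' if hit else 'no match'}")
```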

@Jane0sint - Nice, these performed well in QA and were included in today’s release! :partying_face:

2049467 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1
2049468 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2

2 Likes

Thanks @ishaughnessy @prime69 @Jane0sint !

1 Like

Thanks Team for the assist

lots to learn and grow…

Appreciate all your experience and insight

Regards

2 Likes

Hi, can I please add a link to this discussion to the rules 2049467 2049468?
reference:url,community.emergingthreats.net/t/et-malware-socks5systemz/;

1 Like

The updated signatures will go out today, thanks Jane!

JT

1 Like

Hi, I propose to change the existing rule (2049467) and add another one.

Changes to 2049467:
pcre:"/^(?:[^=]+=((?:[a-f0-9]){2}){78,104})$/";

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1"; flow:established, to_server; http.method; content:"GET"; http.uri; content:"?"; depth:20; pcre:"/^(?:[^=]+=((?:[a-f0-9]){2}){78,104})$/"; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|3b 20|U|3b 20|MSIE|20|9|2e|0|3b 20|Windows|20|NT|20|9|2e|0|3b 20|en|2d|US|29|"; bsize:57; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|"; bsize:22; http.host; content:"."; offset:7; depth:1; pcre:"/^(?:[a-z]{7})\.(?:[a-z]{2,5})$/"; reference:md5,7308178fbfc957dec7a304ad131e0b5b; reference:url,app.any.run/tasks/685b5fb6-1b1a-4f4d-92f5-8a9593275a92; reference:url,community.emergingthreats.net/t/et-malware-socks5systemz/1155/; classtype:trojan-activity; sid:2049467; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_12_04, deployment Perimeter, former_category MALWARE, malware_family Socks5Systemz, confidence High, signature_severity Critical, updated_at 2023_12_28; target:src_ip;)

Sample with traffic: Automated Malware Analysis Report for adobe.exe - Generated by Joe Sandbox

New rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=67e28dd86d55f12847"; fast_pattern; reference:md5,7308178fbfc957dec7a304ad131e0b5b; reference:url,www.joesandbox.com/analysis/1374165/0/html; reference:url,community.emergingthreats.net/t/et-malware-socks5systemz/1155/; classtype:trojan-activity; sid:111; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2024_01_13, deployment Perimeter, former_category MALWARE, malware_family Socks5Systemz, confidence High, signature_severity Critical, updated_at 2024_01_13; target:src_ip;)

Jane :cake::strawberry::guitar:

1 Like

Hey @Jane0sint - I’ve got this update + new sig in for today’s release, I’ll get you the new sid once I have it!

1 Like

@Jane0sint - Here’s the sid/name in today’s release
2050112 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2

2 Likes