Hi! Check out the new tweet on this threat ➷
And of course I propose rules for the clipper✎
alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] EternityClipper (Successful Installation)";flow: established, to_server; http.uri;content: "?install=";content: "&wallets="; distance: 0;content: "&user="; distance: 0;content: "&comp="; distance: 0;content: "&ip="; distance: 0;content: "&country="; distance: 0;content: "&city="; distance: 0; http.user_agent;content: "OnionWClient";classtype: trojan-activity;reference: md5,e94cbfc023e1e1c5da6d44d719b50319;reference: url,app.any.run/tasks/dc98848c-5576-43c2-af7f-35bd83a7aa2a; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family EternityClipper, created_at 2023_09_22;sid: 1; rev: 1;)
alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] EternityClipper (Address Change)";flow: established, to_server; http.uri;content: "?currency=";content: "&from="; distance: 0; content: "&to="; distance: 0; content: "&user="; distance: 0; content: "&comp="; distance: 0; content: "&ip="; distance: 0; content: "&country="; distance: 0; content: "&city="; distance: 0; http.user_agent;content: "OnionWClient";classtype: trojan-activity;reference: md5,e94cbfc023e1e1c5da6d44d719b50319;reference: url,app.any.run/tasks/dc98848c-5576-43c2-af7f-35bd83a7aa2a;metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family EternityClipper, created_at 2023_09_22;sid: 2; rev: 1;)
And I also suggest renaming ET MALWARE Win32/Eternity Activity (POST) to Eternity Stealer or adding a new one.
It is similar to a clipper but contains /stld in the URI.
Sends ~90 kb in this example.
Best regards, Jane ☾⋆。𖦹 °✩
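A quick way to sanity-check what the two proposed rules actually require, as an added example that is not part of Jane's post: a small Python model of the http.uri content/distance:0 ordering plus the User-Agent match, run over constructed beacon requests (the host, user, computer name and wallet strings are made up).

```python
# Ordered http.uri content tokens from the two proposed rules, keyed by msg.
URI_TOKENS = {
    "EternityClipper (Successful Installation)":
        ["?install=", "&wallets=", "&user=", "&comp=", "&ip=", "&country=", "&city="],
    "EternityClipper (Address Change)":
        ["?currency=", "&from=", "&to=", "&user=", "&comp=", "&ip=", "&country=", "&city="],
}
UA_TOKEN = "OnionWClient"  # http.user_agent; content:"OnionWClient"


def ordered_find(haystack, needles):
    """True if every needle occurs in order, each starting at or after the end
    of the previous match (content followed by distance:0). With distance only
    and no 'within', taking the first occurrence of each needle is sufficient."""
    pos = 0
    for needle in needles:
        pos = haystack.find(needle, pos)
        if pos == -1:
            return False
        pos += len(needle)
    return True


def parse_request(raw):
    """Return (request URI, User-Agent) from a raw HTTP/1.1 request.
    The samples below need no URI normalization, so this stands in for http.uri."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return uri, headers.get("user-agent", "")


def classify(raw):
    """Return the msg of the first proposed rule the request satisfies, else None."""
    uri, ua = parse_request(raw)
    if UA_TOKEN not in ua:
        return None
    for msg, tokens in URI_TOKENS.items():
        if ordered_find(uri, tokens):
            return msg
    return None


# Constructed samples (made-up host, user, computer and wallet values): one per
# rule, the install beacon with two parameters swapped, and the install URI
# sent with a browser User-Agent. The last two must not alert.
INSTALL = ("GET /gate?install=1&wallets=btc,eth&user=u1&comp=PC-1&ip=203.0.113.5"
           "&country=ZZ&city=None HTTP/1.1\r\nHost: c2.invalid\r\nUser-Agent: OnionWClient\r\n\r\n")
SWAP = ("GET /gate?currency=btc&from=walletA&to=walletB&user=u1&comp=PC-1"
        "&ip=203.0.113.5&country=ZZ&city=None HTTP/1.1\r\nHost: c2.invalid\r\nUser-Agent: OnionWClient\r\n\r\n")
SHUFFLED = INSTALL.replace("&wallets=btc,eth&user=u1", "&user=u1&wallets=btc,eth")
WRONG_UA = INSTALL.replace("OnionWClient", "Mozilla/5.0")
```

Because every token after the first carries distance:0, a beacon that emits the same parameters in a different order is missed by the rule as written, which is the trade-off between precision and robustness to reorder the rules above make.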