Hello, I'm glad it's time to participate in the life of the community again! Have you read the article "Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia"? There is a chance of detection, so I wrote a signature for the server response.

Analysis: sweetspecter.zip (MD5: D3B13760394FCDC4ED391853E5F5FFA4) Malicious activity - Interactive analysis ANY.RUN
# Gh0stRAT-style server response from the SweetSpecter sample:
# 21-byte TCP payload whose first 4 bytes are not all zero, followed by
# 15 00 00 00 01 00 00 00 at payload bytes 4 through 11.
alert tcp any any -> any any (msg:"ET MALWARE [ANY.RUN] Gh0stRAT.Gen Server Response (SweetSpecter)"; \
  flow:established,to_client; \
  dsize:21; \
  content:!"|00 00 00 00|"; depth:4; \
  content:"|15 00 00 00 01 00 00 00|"; offset:4; depth:8; \
  classtype:command-and-control; \
  reference:md5,cfd26f1694178a0f6df3a92fa9b24644; \
  reference:url,community.emergingthreats.net/t/gh0strat-generic-sweetspecter-variant/1720; \
  reference:url,unit42.paloaltonetworks.com/operation-diplomatic-specter; \
  metadata:malware_family Gh0stRat, created_at 2023_06_15; \
  sid:1; rev:1;)
Best regards, Jane
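The rule above only fires when three payload conditions hold at once: the TCP payload is exactly 21 bytes, the first four bytes are not all zero, and bytes 4 through 11 equal 15 00 00 00 01 00 00 00. The following Python is an added example, not code from the post or from the ANY.RUN task: it reimplements just those payload checks so the byte constraints can be tested against constructed payloads before a pcap is available. The sample payloads are constructed here and follow only what the rule constrains; the reading of the 0x15 dword as a little-endian length field (0x15 == 21, the same value dsize pins) is an assumption of the example, not something the post states.

```python
import struct

# Marker the rule expects at payload offset 4, 8 bytes long.
MARKER = bytes.fromhex("15 00 00 00 01 00 00 00")

# Constructed sample payloads (not taken from the sample or the post).
# Only the bytes the rule inspects are meaningful; the 9-byte tail is filler.
MATCHING_RESPONSE = bytes.fromhex("01020304") + MARKER + bytes(9)          # 21 bytes
ZERO_PREFIX_RESPONSE = bytes(4) + MARKER + bytes(9)                         # negated content hits
WRONG_SIZE_RESPONSE = MATCHING_RESPONSE + b"\x00"                           # 22 bytes, dsize fails
WRONG_FLAG_RESPONSE = bytes.fromhex("01020304") + bytes.fromhex("1500000002000000") + bytes(9)


def matches_rule(payload: bytes) -> bool:
    """Mirror the rule's payload keywords only.

    flow:established,to_client and the tcp header are outside the payload
    and are not modelled here.
    """
    if len(payload) != 21:                       # dsize:21
        return False
    if payload[:4] == b"\x00\x00\x00\x00":       # content:!"|00 00 00 00|"; depth:4;
        return False
    # content:"|15 00 00 00 01 00 00 00|"; offset:4; depth:8;  -> bytes 4..11 exactly
    return payload[4:12] == MARKER


def length_field(payload: bytes) -> int:
    """Assumed little-endian uint32 at offset 4; for a matching payload this is 21."""
    return struct.unpack_from("<I", payload, 4)[0]


def evaluate(samples: dict) -> dict:
    """Run every constructed payload through the rule logic."""
    return {name: matches_rule(p) for name, p in samples.items()}


if __name__ == "__main__":
    results = evaluate({
        "matching": MATCHING_RESPONSE,
        "zero_prefix": ZERO_PREFIX_RESPONSE,
        "wrong_size": WRONG_SIZE_RESPONSE,
        "wrong_flag": WRONG_FLAG_RESPONSE,
    })
    for name, hit in results.items():
        print(f"{name:12s} -> {'ALERT' if hit else 'no match'}")
    print("length field of matching payload:", length_field(MATCHING_RESPONSE))
```

Only the matching payload should produce an alert; the zero-prefix case shows why the negated 4-byte content is needed rather than relying on dsize alone, and the 22-byte case shows that dsize:21 makes the rule exact rather than prefix-based.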