Gh0stRat.Generic SweetSpecter variant

Hello, I’m glad it’s time to participate in the life of the community again! Have you read the article “Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia”? There is a chance of detection, so I wrote a signature for the server response. Analysis: sweetspecter.zip (MD5: D3B13760394FCDC4ED391853E5F5FFA4), Malicious activity - Interactive analysis, ANY.RUN

3, 4 → content: “|15 00 00 00 01 00 00 00|”;

alert tcp any any -> any any (msg:"ET MALWARE [ANY.RUN] Gh0stRAT.Gen Server Response (SweetSpecter)";
flow:established,to_client;
dsize:21;
content:!"|00 00 00 00|"; depth:4;
content:"|15 00 00 00 01 00 00 00|"; offset:4; depth:8;
classtype:command-and-control;
reference:md5,cfd26f1694178a0f6df3a92fa9b24644;
reference:url,community.emergingthreats.net/t/gh0strat-generic-sweetspecter-variant/1720;
reference:url,unit42.paloaltonetworks.com/operation-diplomatic-specter;
metadata:malware_family Gh0stRat, created_at 2023_06_15;
sid:1; rev:1;)

Best regards, Jane

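Added example, not part of the post or of the ET ruleset: a small Python emulation of the rule's payload conditions (dsize, the negated first content with depth:4, the second content at offset:4/depth:8), run over constructed sample packets so you can see which packets the signature would fire on before submitting it. It checks payload bytes only and assumes nothing about flow direction or state.

```python
import struct

# Byte pattern from the rule: content:"|15 00 00 00 01 00 00 00|"; offset:4; depth:8
EXPECTED_MAGIC = bytes.fromhex("1500000001000000")
EXPECTED_DSIZE = 21  # dsize:21


def failed_checks(payload: bytes) -> list[str]:
    """Return the rule conditions this payload fails; an empty list means a hit."""
    failures = []
    if len(payload) != EXPECTED_DSIZE:
        failures.append(f"dsize {len(payload)} != {EXPECTED_DSIZE}")
    # content:!"|00 00 00 00|"; depth:4 -> the first four bytes must not all be zero
    if payload[:4] == b"\x00\x00\x00\x00":
        failures.append("first 4 bytes are all zero")
    # offset:4; depth:8 -> the 8-byte pattern must sit exactly at bytes 4..12
    if payload[4:12] != EXPECTED_MAGIC:
        failures.append(f"bytes 4-12 are {payload[4:12].hex()}, expected {EXPECTED_MAGIC.hex()}")
    return failures


def rule_fires(payload: bytes) -> bool:
    return not failed_checks(payload)


def length_field_matches_dsize(payload: bytes) -> bool:
    """Observation (an interpretation, not stated in the post): the dword at bytes 4..8
    is 0x15 little-endian == 21 == dsize, i.e. it looks like a total-length field."""
    return len(payload) >= 8 and struct.unpack("<I", payload[4:8])[0] == len(payload)


# Constructed sample packets (not captures from the analysis): 4 header bytes,
# the 8-byte pattern, then 9 bytes of padding to reach the 21-byte dsize.
SAMPLE_HIT = b"\x01\x00\x00\x00" + EXPECTED_MAGIC + b"\x00" * 9
SAMPLE_ZERO_HEADER = b"\x00\x00\x00\x00" + EXPECTED_MAGIC + b"\x00" * 9
SAMPLE_WRONG_SIZE = SAMPLE_HIT + b"\x00"

if __name__ == "__main__":
    for name, pkt in [("hit", SAMPLE_HIT), ("zero header", SAMPLE_ZERO_HEADER),
                      ("22 bytes", SAMPLE_WRONG_SIZE)]:
        print(f"{name:12s} fires={rule_fires(pkt)} failed={failed_checks(pkt)}")
```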

Hey @Jane0sint ,

Good to hear from you again! I haven’t seen that post yet so I’ll take a look. We’ll get this sig in today’s release!

Isaac :smirk_cat:
