Hydrochasma (Fast Reverse Proxy)

Hi, community!
We have fast reverse proxy traffic at our disposal.

Rule:

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] Hydrochasma Fast Reverse Proxy";flow: established, to_server;dsize: 3; stream_size: client, =, 4;stream_size: server, =, 1;content: "|106162|";depth: 3; classtype: command-and-control;reference:md5,8d4f9c64ba15f7cabd81936d1c8c83d4;reference:url,app.any.run/tasks/128bd923-3347-4a7f-8261-9a4c7cb29ea8;metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family hydrochasma,  created_at 2023_07_01;sid: 1; rev: 1;)

Regards Jane!

As always, thanks @Jane0sint!

We ended up shipping the signature as disabled for performance. Here are the sid details:

2046726 - ET MALWARE [ANY.RUN] Hydrochasma Fast Reverse Proxy

Forgive me for my insistence; I revised the detection criteria to focus on the content. Here I have added a few bytes from the TLS handshake and suggest checking the following rule:

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] Hydrochasma Fast Reverse Proxy"; flow: established, to_server; content: "|10 61 62 16 03 01 00 ee 01 00 00 ea 03 03|";depth:14; classtype: command-and-control;reference:md5,8d4f9c64ba15f7cabd81936d1c8c83d4;reference:url,app.any.run/tasks/128bd923-3347-4a7f-8261-9a4c7cb29ea8;metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family hydrochasma,  created_at 2023_07_07;sid: 1; rev: 1;)

Thanks @Jane0sint! I opted to leave the original signature in place and add this as a new sig. Here are the details. Have a great weekend!

2046751 - ET MALWARE [ANY.RUN] Hydrochasma Fast Reverse Proxy M2

Oops, there is an inaccuracy due to which the rule does not work: it is written for the stream, but the packet is specified in the rule.
Please fix tcp-pkt to tcp.
It may not be the most important rule in the set; I just want it to work, thanks <3

Ah, my bad! I’ll take care of this today.

Update!
As I thought, the first three bytes are replaceable. I propose to update the rule by replacing it with many bytes!
The code below shows a mask of several outgoing streams; a rule has been generated for the static bytes.

0000000: ____ __16 0301 00ee 0100 00ea 0303 ____ ____ ____ ____ ____ ____ ____ ____  ___..........._____.__________  
000001e: ____ ____ ____ ____ ____ ____ ____ ____ 20__ ____ ____ ____ ____ ____ ____  ______..._______ _____________  
000003c: ____ ____ ____ ____ ____ ____ ____ ____ ____ __00 26c_ __c_ __c0 2_c0 __c_  __..___________.___.&._._._._.  
000005a: __c_ __c0 09c0 13c0 0ac0 1400 9c00 9d00 2f00 35c0 1200 0a13 0_13 0_13 0_01  _._............./.5...........  
0000078: 0000 7b00 0500 0501 0000 0000 000a 000a 0008 001d 0017 0018 0019 000b 0002  ..{...........................  
0000096: 0100 000d 001a 0018 0804 0403 0807 0805 0806 0401 0501 0601 0503 0603 0201  ..............................  
00000b4: 0203 ff01 0001 0000 1200 0000 2b00 0908 0304 0303 0302 0301 0033 0026 0024  ............+............3.&.$  
00000d2: 001d 0020 ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____  ... _____________.__.________.  
00000f0: ____ ____ ____ 1403 0300 0101 1703 0300 35__ ____ ____ ____ ____ ____ ____  _.____..........5____.__.__...  
000010e: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____  ._..____.____.____.________.__  
000012c: ____ ____ ____ ____ ____ 1703 0300 1___ ____ ____ ____ ____ ____ ____ ____  _.__._____....._._._____._.__.  
000014a: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____  ___.___.___._....._.______.___  
0000168: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____  ____...____.....___.__._._____  
0000186: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____  .____________________.________  
00001a4: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____  _______...___.__.________.___.  
00001c2: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____  ._                              

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] Hydrochasma Fast Reverse Proxy";
flow: established, to_server;
content: "|16030100ee010000ea0303|";offset:3;depth:11;
content: "|20|";distance:32;within:1;
content: "|0026|";distance:32;within:2;
content: "|c0|";distance:4;within:1;
content: "|c0|";distance:1;within:1;
content: "|c009c013c00ac014009c009d002f0035c012000a13|";distance:5;within:21;
content: "|13|";distance:1;within:1;
content: "|13|";distance:1;within:1;
content: "|0100007b000500050100000000000a000a0008001d001700180019000b00020100000d001a0018080404030807080508060401050106010503060302010203ff0100010000120000002b0009080304030303020301003300260024001d0020|";distance:1;within:95;
content: "|1403030001011703030035|";distance:32;within:11;
content: "|17030300|";distance:53;within:4;
threshold: type limit, track by_dst, seconds 1300, count 1;classtype: command-and-control;
reference:md5,f0f69284967de298d89cad5585dafd15;
reference:url,app.any.run/tasks/b3ef48ea-2f47-49bb-9eff-70fcae8bf366;
metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, id 3457845, malware_family Hydrochasma, created_at 2023_07_27;
sid: 1; rev: 1;)

It is possible to shorten it somewhere, because the client part of the SSL handshake is here.
I also have a JA3S hash, which is calculated by Suricata, unlike JA3; the eve.json is below:

"tls":{"version":"TLS 1.3",
"ja3":{},
"ja3s":{"hash":"f4febc55ea12b31ae17cfb7e614afda8",
"string":"771,4865,43-51"}},
"app_proto":"tls",
"flow":{"pkts_toserver":14,
"pkts_toclient":16,
"bytes_toserver":1755,
"bytes_toclient":2402,
...

Keep an eye open, hydrochasma🪰
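As an added example (not code from the post or from ET), here is a Python check that replays the M3 rule's content chain over the masked dump above with Suricata/Snort offset/depth/distance/within semantics (assumed: depth is counted from offset, within from the end of the previous match plus distance) and only accepts a pattern where every byte was constant across the captured streams, which is exactly what "a rule generated for the static bytes" has to guarantee. The dump and the content lines are copied from the post; the offsets it returns are the payload positions each pattern is pinned to.

```python
import re
# Constructed from the masked dump in the post ('_' = nibble that varied between captured streams);
# ASCII column dropped, only the rows the rule's content chain reaches are kept (offsets 0x000-0x149).
MASK_DUMP = """\
0000000: ____ __16 0301 00ee 0100 00ea 0303 ____ ____ ____ ____ ____ ____ ____ ____
000001e: ____ ____ ____ ____ ____ ____ ____ ____ 20__ ____ ____ ____ ____ ____ ____
000003c: ____ ____ ____ ____ ____ ____ ____ ____ ____ __00 26c_ __c_ __c0 2_c0 __c_
000005a: __c_ __c0 09c0 13c0 0ac0 1400 9c00 9d00 2f00 35c0 1200 0a13 0_13 0_13 0_01
0000078: 0000 7b00 0500 0501 0000 0000 000a 000a 0008 001d 0017 0018 0019 000b 0002
0000096: 0100 000d 001a 0018 0804 0403 0807 0805 0806 0401 0501 0601 0503 0603 0201
00000b4: 0203 ff01 0001 0000 1200 0000 2b00 0908 0304 0303 0302 0301 0033 0026 0024
00000d2: 001d 0020 ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
00000f0: ____ ____ ____ 1403 0300 0101 1703 0300 35__ ____ ____ ____ ____ ____ ____
000010e: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
000012c: ____ ____ ____ ____ ____ 1703 0300 1___ ____ ____ ____ ____ ____ ____ ____
"""
RULE_CHAIN = """\
content: "|16030100ee010000ea0303|";offset:3;depth:11;
content: "|20|";distance:32;within:1;
content: "|0026|";distance:32;within:2;
content: "|c0|";distance:4;within:1;
content: "|c0|";distance:1;within:1;
content: "|c009c013c00ac014009c009d002f0035c012000a13|";distance:5;within:21;
content: "|13|";distance:1;within:1;
content: "|13|";distance:1;within:1;
content: "|0100007b000500050100000000000a000a0008001d001700180019000b00020100000d001a0018080404030807080508060401050106010503060302010203ff0100010000120000002b0009080304030303020301003300260024001d0020|";distance:1;within:95;
content: "|1403030001011703030035|";distance:32;within:11;
content: "|17030300|";distance:53;within:4;
"""  # the M3 rule's content chain, copied from the post
def parse_mask(dump):  # one entry per byte; a byte with any unknown nibble becomes None
    words = [w for line in dump.splitlines() for w in line.split()[1:]]  # drop the offset column
    return [None if "_" in p else int(p, 16) for w in words for p in (w[:2], w[2:])]
def parse_chain(rule):  # -> [(pattern bytes, {"offset"|"depth"|"distance"|"within": int}), ...]
    return [(bytes.fromhex(h), {k: int(v) for k, v in re.findall(r"(\w+):(\d+)", m)})
            for h, m in re.findall(r'content:\s*"\|([0-9a-f ]+)\|";((?:\w+:\d+;)*)', rule)]
def check_chain(mask, chain):
    """Walk the chain as Suricata/Snort would (assumed: depth counts from offset, within counts from the
    previous match end plus distance); a pattern may only land on constant mask bytes, so the returned
    hit offsets prove the rule pins no varying byte (ValueError otherwise)."""
    hits, prev_end = [], 0
    for content, m in chain:
        relative = "distance" in m or "within" in m
        start = prev_end + m.get("distance", 0) if relative else m.get("offset", 0)
        end = min(start + m.get("within" if relative else "depth", len(mask)), len(mask))
        pos = next((p for p in range(start, end - len(content) + 1)
                    if all(mask[p + i] == b for i, b in enumerate(content))), None)
        if pos is None:
            raise ValueError(f"{content.hex()} has no all-constant match in [{start}, {end})")
        hits.append(pos)
        prev_end = pos + len(content)
    return hits
```

Running `check_chain(parse_mask(MASK_DUMP), parse_chain(RULE_CHAIN))` returns the eleven pinned offsets, starting at 3 (TLS record header) and 46 (the 0x20 session ID length that sits 32 bytes of client random after the version), and it raises as soon as a content is edited onto a byte the mask marks as varying.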

Thanks @Jane0sint! Here are the sid details from today:

2046950 - ET MALWARE [ANY.RUN] Hydrochasma Fast Reverse Proxy M3