Hi, we have a Konni.APT here; I collected the links in my tweet:
Let's add a rule for this threat. I suggest the following two, but I can probably come up with some more.
alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] Konni.APT Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"upload.php"; http.header; content:"Content-Type: application/x-www-form-urlencoded"; depth:47; http.request_body; content:"fn="; depth:3; content:"&fd="; distance:0; content:"&r=63"; distance:0; pcre:"/^[0-9]{16}$/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; threshold:type limit,track by_dst,seconds 1300,count 1; reference:md5,cc4aeb24de3cf447f4902de124f61a59; reference:url,app.any.run/tasks/e86329e9-30a6-485b-b796-4d41cc474af2; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, id 3380391, malware_family Konni_apt, created_at 2023_07_14; classtype:credential-theft; sid:1; rev:1;)
alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] Konni.APT Keep-Alive"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/list.php?f="; startswith; content:"&r=63"; distance:0; pcre:"/^[0-9]{16}$/R"; http.user_agent; content:"WindowsPowerShell"; threshold:type limit,track by_dst,seconds 1300,count 1; classtype:command-and-control; reference:md5,cc4aeb24de3cf447f4902de124f61a59; reference:url,app.any.run/tasks/94d2285e-c039-4ae1-8fcb-debd62fdc096; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, id 3387061, malware_family Konni, created_at 2023_07_14; sid:2; rev:1;)
The r parameter is (Get-Date).Ticks.ToString();
I leave 63; until 2029 that should be enough.
Regards, Jane
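To sanity-check the "&r=63" plus 16-digit constraint that both rules above rely on, here is an added Python example (not part of the original post): it reproduces (Get-Date).Ticks from a datetime, computes the window in which Ticks is 18 digits starting with "63", and emulates the request-body and URI match logic of the two rules on constructed sample values (the function names and the sample values are assumptions made for this example).

```python
import re
from datetime import datetime, timedelta

# .NET DateTime.Ticks: 100 ns intervals since 0001-01-01 00:00:00.
DOTNET_EPOCH = datetime(1, 1, 1)
TICKS_PER_US = 10


def dotnet_ticks(dt: datetime) -> int:
    """Equivalent of (Get-Date).Ticks for a naive datetime (PowerShell uses local time)."""
    d = dt - DOTNET_EPOCH
    micros = (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds
    return micros * TICKS_PER_US


def ticks_to_datetime(ticks: int) -> datetime:
    """Inverse of dotnet_ticks (sub-microsecond part of the tick value is dropped)."""
    return DOTNET_EPOCH + timedelta(microseconds=ticks // TICKS_PER_US)


def prefix_window(prefix: str = "63", digits: int = 18):
    """Datetime range [start, end) during which Ticks has `digits` digits and starts with `prefix`.

    For the rules above this tells us when "&r=63" + 16 digits stops matching.
    """
    low = int(prefix.ljust(digits, "0"))
    high = int(str(int(prefix) + 1).ljust(digits, "0"))
    return ticks_to_datetime(low), ticks_to_datetime(high)


# Mirrors: content:"&r=63"; pcre:"/^[0-9]{16}$/R"  (16 digits right after "&r=63", up to end of buffer)
R_PARAM = re.compile(r"&r=63[0-9]{16}$")


def body_matches(body: str) -> bool:
    """Emulates the http.request_body checks of the exfiltration rule."""
    if not body.startswith("fn="):          # content:"fn="; depth:3
        return False
    fd = body.find("&fd=", 3)               # content:"&fd="; distance:0
    if fd < 0:
        return False
    return R_PARAM.search(body, fd) is not None


def uri_matches(uri: str) -> bool:
    """Emulates the http.uri checks of the keep-alive rule."""
    prefix = "/list.php?f="                  # content:"/list.php?f="; startswith
    return uri.startswith(prefix) and R_PARAM.search(uri, len(prefix)) is not None


if __name__ == "__main__":
    start, end = prefix_window("63")
    print("Ticks start with 63 from", start, "until", end)   # ends 2029-01-29
    print(body_matches("fn=a.txt&fd=data&r=%d" % dotnet_ticks(datetime(2023, 7, 14))))
```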