LgoogLoader, PikaBot, RedLine rules

Hi, today I have three rules in the ET open set.

The first to load the encrypted configuration of the LgoogLoader.

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] LgoogLoader";flow: established, to_server; http.method;content: "HEAD"; http.uri;content: ".CfgEncFile"; endswith; http.header;content: "Content-Length: 0"; http.user_agent; content: "Chrome"; bsize: 6; content:!"Referer|0d 0a|"; reference:md5,69525fa93fd47eb3c533afe3b1baba48; classtype: trojan-activity;sid: 1; rev: 1;)

The second rule is for the PikaBot loader and its requests for loading a DLL using a PowerShell script.

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] PikaBot";flow: established, to_server; http.method;content: "GET"; http.uri;pcre: "/^\/[a-zA-Z0-9]{1,8}(([0-9][A-Za-z])|([a-z][\dA-Z])|([A-Z][\da-z])|([a-z]\d[\da-z]))[a-zA-Z0-9]{0,8}\/[a-zA-Z0-9]{1,8}(([0-9][A-Za-z])|([a-z][\dA-Z])|([A-Z][\da-z])|([a-z]\d[\da-z]))[a-zA-Z0-9]{0,8}$/";http.host;pcre: "/^(?:(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])(:\d{2,5})?$/R";http.user_agent;content: "WindowsPowerShell"; http.header_names;content: "|0d0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|";startswith; reference:md5,26c1f8c5631a5b633c324e7986dc7054;  classtype: trojan-activity;sid: 2; rev: 1;)

And the third rule on the Redline stealer on the [MC-NMF] .NET Message Framing Protocol for authorization.

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] RedLine (MC-NMF Authorization)";flow: established, to_server;stream_size: server, =, 2;content: "|020B0173040B0161065608440A1E0082AB01400D|Authorization|0803|ns1|9920|"; classtype: trojan-activity; reference:md5,dda288278d0023242afff00556d97d60; sid: 3; rev: 1;)

Unfortunately, I cannot post more than two links, so I am attaching a link to the github.

Tweet about it:)

I wish you a good day and I’m glad to help make the world a little bit safer place, even if only in cyberspace!
Regards, Jane.

As a consumer of ET Open, I appreciate how you and others make your discoveries available for our use. Thank you, @Jane0sint!

Thanks Jane! These are great, will take a look and see about getting them out today. Thank you!

JT

I wanted to share how I was looking for a loader -
through sandbox search:
https://www.joesandbox.com/search?q=LgoogLoader
In all samples, the CfgEncFile URI in memory dump.
Sometimes I make mistakes in sample attribution
¯\(ツ)/¯ who doesn’t make mistakes?

Yeah not a big deal on naming, easy enough to change if we need to, naming updates happen quite frequently. The remaining two signatures should go out tomorrow (Thursday). It took a little while to go through samples and such so we didn’t get them all out today.

Thank you again for the submissions, good stuff!

JT

One more follow-up.

The new signatures are :
2045974 - ET MALWARE [ANY.RUN] LgoogLoader Retrieving Config File
2046045 - ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
2046046 - ET MALWARE [ANY.RUN] PikaBot Related Activity (GET)

The existing signature for connection initialization we moved from MALWARE to INFO due to the net.tcp connection being a standard library and not by itself indicative of MALWARE but of course is of interest. There are a number of follow on signatures that alert more specifically on the Redline exfil contents.

Was:
2043233 - ET MALWARE RedLine Stealer TCP CnC net.tcp Init

Now:
2043233 - ET INFO Microsoft net.tcp Connection Initialization Activity

JT

Hi, can I ask you to add a link to this discussion in the rules 2045974 2046045 2046046?
reference:url,community.emergingthreats.net/t/lgoogloader-pikabot-redline-rules

Updated signatures will go out today!

JT