Lumma Stealer Configuration

Hi, we have updated the Lumma HTTP POST and written new rules:

alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"act="; depth:4; content:"&lid="; distance:0; content:"&j="; distance:0; content:"&ver="; distance:0; isdataat:!5,relative; classtype:command-and-control; reference:md5,884478741e7046e6d0788b63c09df89f; reference:url,app.any.run/tasks/409f5138-3853-4910-80d4-3c380b969274; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family Lumma, created_at 2023_09_15; sid:1; rev:1;)

This is the general rule for check-in. Now I’ll write one for exfiltration:

alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition: form-data|3b 20|name=|22|act|22 0d 0a 0d 0a|send_message|0d 0a|--"; content:"Content-Disposition: form-data|3b 20|name=|22|hwid|22 0d 0a 0d 0a|"; content:"Content-Disposition: form-data|3b 20|name=|22|lid|22 0d 0a 0d 0a|"; content:"Content-Disposition: form-data|3b 20|name=|22|file|22 3b|"; threshold:type limit, seconds 30, count 1, track by_dst; classtype:command-and-control; reference:md5,884478741e7046e6d0788b63c09df89f; reference:url,app.any.run/tasks/409f5138-3853-4910-80d4-3c380b969274; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family Lumma, created_at 2023_09_15; sid:2; rev:1;)

I didn’t write any extra rules; we’ll keep an eye on further changes. Thanks @g0njxa!
Best regards, Jane

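As an added illustration (not part of Jane's post or of the ET ruleset), the following Python emulates the request-body matching logic of the two rules above so you can check what they will and will not fire on before deploying them. It covers only the content / depth / distance / isdataat keywords on http.request_body; flow, http.method, threshold and Suricata's own buffer handling are not emulated. The request bodies it runs against are constructed for the example, shaped after the fields the rules describe, with placeholder values.

```python
# Added example: minimal emulation of the two Suricata rules' content matching,
# run over constructed request bodies. Not captured traffic, not Suricata code.

def matches_checkin(body: bytes) -> bool:
    """Emulate sid:1 on an http.request_body buffer.

    content:"act="; depth:4      -> "act=" must end within the first 4 bytes,
                                    i.e. the body has to start with it.
    content:"&lid="; distance:0  -> anywhere after the previous match.
    content:"&j=";   distance:0  -> anywhere after the previous match.
    content:"&ver="; distance:0  -> anywhere after the previous match.
    isdataat:!5,relative         -> fewer than 5 bytes remain after "&ver=",
                                    so the version value is at most 4 bytes.
    """
    if body[:4] != b"act=":
        return False
    pos = 4
    for token in (b"&lid=", b"&j="):
        idx = body.find(token, pos)
        if idx == -1:
            return False
        pos = idx + len(token)
    # Suricata retries later occurrences when a relative check fails, so the
    # last "&ver=" after the "&j=" match is the one most likely to satisfy
    # isdataat; checking it is equivalent to checking all of them.
    idx = body.rfind(b"&ver=", pos)
    if idx == -1:
        return False
    remaining = len(body) - (idx + len(b"&ver="))
    return remaining < 5


# The four multipart headers sid:2 looks for, with the rule's |hex| pipe
# notation (|3b 20| = "; ", |22| = '"', |0d 0a| = CRLF) written out.
EXFIL_PARTS = (
    b'Content-Disposition: form-data; name="act"\r\n\r\nsend_message\r\n--',
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n',
    b'Content-Disposition: form-data; name="lid"\r\n\r\n',
    b'Content-Disposition: form-data; name="file";',
)


def matches_exfil(body: bytes) -> bool:
    """Emulate sid:2. None of its content: keywords carry distance/within,
    so each header only has to appear somewhere in the body, in any order."""
    return all(part in body for part in EXFIL_PARTS)


# Constructed sample bodies (placeholder values, not real identifiers).
CHECKIN_OK = b"act=life&lid=PLACEHOLDER_LID&j=&ver=4.0"
CHECKIN_LONG_VER = b"act=life&lid=PLACEHOLDER_LID&j=&ver=4.0.11"  # 6 bytes after &ver=
CHECKIN_WRONG_ORDER = b"lid=PLACEHOLDER_LID&act=life&j=&ver=4.0"  # fails depth:4

BOUNDARY = b"----ConstructedBoundary"
EXFIL_OK = b"".join([
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="act"\r\n\r\nsend_message\r\n',
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="hwid"\r\n\r\nPLACEHOLDER_HWID\r\n',
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="lid"\r\n\r\nPLACEHOLDER_LID\r\n',
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="file"; filename="data.zip"\r\n',
    b"Content-Type: application/octet-stream\r\n\r\nPK...\r\n",
    b"--" + BOUNDARY + b"--\r\n",
])
# Same upload with a different act value: the first content: never matches.
EXFIL_OTHER_ACT = EXFIL_OK.replace(b"send_message", b"get_message")


if __name__ == "__main__":
    for name, body in [("CHECKIN_OK", CHECKIN_OK),
                       ("CHECKIN_LONG_VER", CHECKIN_LONG_VER),
                       ("CHECKIN_WRONG_ORDER", CHECKIN_WRONG_ORDER)]:
        print(f"sid:1 {name}: {matches_checkin(body)}")
    for name, body in [("EXFIL_OK", EXFIL_OK), ("EXFIL_OTHER_ACT", EXFIL_OTHER_ACT)]:
        print(f"sid:2 {name}: {matches_exfil(body)}")
```

Two points the emulation makes visible: the `isdataat:!5,relative` on sid:1 ties the rule to a short `ver` value, so a longer version string would silently stop matching and is the first thing to re-check when the family updates; and sid:2's `threshold:type limit, seconds 30, count 1, track by_dst` only suppresses repeat alerts per destination, it does not change which bodies match.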