Metastealer v.5 TLS

Hello, there is a proposal to detect MetaStealer, which uses TLS encapsulated in MC-NMF (.NET Message Framing Protocol). The principle of the rule is based on matching the default certificate in the connection. I’m not sure that there are no problems with products using this protocol; the testing was only done in the sandbox. There don’t seem to be any false positives.

ASN1 Decoder

The rule:

alert tcp $EXTERNAL_NET any -> any any (msg:"ET MALWARE [ANY.RUN] MetaStealer v.5 (MC-NMF TLS Server Certificate)"; flow:established,to_client; content:"|0a 16 03 03|"; depth:4; content:"|30 82 01 25 30 81 d0 a0 03 02 01 02 02 10|"; distance:0; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 14 31 12 30 10 06 03 55 04 03 13 09 6c 6f 63 61 6c 68 6f 73 74 30 1e 17 0d|"; distance:16; within:45; threshold:type both, track by_dst, seconds 360, count 1; classtype:command-and-control; reference:url,community.emergingthreats.net/t/metastealer-v-5-tls; metadata:created_at 2024_07_08, tag stealer, malware_family MetaStealer; sid:1; rev:1;)

Public submissions search:


To evaluate the work, a week ago I added such a rule with number 8001933 to the sandbox. There were no random samples, but I don’t have enough diverse internal traffic to evaluate.

Best regards, Jane 𖡼.𖤣𖥧𖡼.𖤣𖥧

1 Like
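To make the certificate match concrete, here is an added Python example (not part of Jane's post and not ET code) that walks the DER bytes quoted in the rule above. It shows which X.509 fields the second and third content patterns pin down (v3, a 16-byte serial, sha1WithRSAEncryption, issuer CN=localhost, a UTCTime validity) and that the 16 bytes the rule skips with distance:16 are exactly the serial number. The serial filler is constructed; the rule never matches it.

```python
"""Added example (not code from this thread): walk the DER prefix the MC-NMF TLS
certificate rule matches, to show which X.509 fields its byte patterns pin down
and what the 16 bytes it skips with distance:16 are. Only bytes quoted in the
rule are used; the 16-byte serial between the two patterns is a constructed filler."""

PREFIX = bytes.fromhex("30 82 01 25 30 81 d0 a0 03 02 01 02 02 10")   # rule's 2nd content
SERIAL_FILLER = bytes(16)                                               # skipped by distance:16
AFTER_SERIAL = bytes.fromhex(                                           # rule's 3rd content
    "30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00"
    "30 14 31 12 30 10 06 03 55 04 03 13 09 6c 6f 63 61 6c 68 6f 73 74"
    "30 1e 17 0d")
SAMPLE = PREFIX + SERIAL_FILLER + AFTER_SERIAL

def read_tlv(buf, pos):
    """One DER tag/length header at pos -> (tag, length, value_start, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                       # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length, value_start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    else:
        length, value_start = first, pos + 2
    return tag, length, value_start, value_start + length

def decode_oid(data):
    """DER OID value -> dotted string (first byte packs the first two arcs)."""
    arcs, val = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def describe_certificate_prefix(buf):
    """Decode Certificate -> tbsCertificate -> version, serial, sigAlg, issuer, validity tag."""
    out = {}
    _, out["certificate_len"], pos, _ = read_tlv(buf, 0)      # Certificate SEQUENCE
    _, out["tbs_len"], pos, _ = read_tlv(buf, pos)            # tbsCertificate SEQUENCE
    tag, _, vpos, nxt = read_tlv(buf, pos)                    # [0] EXPLICIT version
    if tag != 0xA0:
        raise ValueError("expected explicit version tag")
    _, _, vval, _ = read_tlv(buf, vpos)
    out["version"] = buf[vval] + 1                            # INTEGER 2 means v3
    _, out["serial_len"], _, nxt = read_tlv(buf, nxt)         # serialNumber: the 16 skipped bytes
    _, _, apos, nxt = read_tlv(buf, nxt)                      # signature AlgorithmIdentifier
    _, olen, oval, _ = read_tlv(buf, apos)
    out["sig_alg_oid"] = decode_oid(buf[oval:oval + olen])
    _, _, npos, nxt = read_tlv(buf, nxt)                      # issuer Name SEQUENCE
    _, _, spos, _ = read_tlv(buf, npos)                       #   SET
    _, _, atpos, _ = read_tlv(buf, spos)                      #     AttributeTypeAndValue
    _, alen, aval, after = read_tlv(buf, atpos)               #       type OID
    _, slen, sval, _ = read_tlv(buf, after)                   #       PrintableString value
    out["issuer"] = {decode_oid(buf[aval:aval + alen]): buf[sval:sval + slen].decode("ascii")}
    _, _, tpos, _ = read_tlv(buf, nxt)                        # validity SEQUENCE
    out["validity_starts_with_utctime"] = read_tlv(buf, tpos)[0] == 0x17
    return out

def skipped_gap(buf):
    """Bytes between the end of the 2nd pattern and the start of the 3rd (rule: distance:16)."""
    return buf.find(AFTER_SERIAL) - (buf.find(PREFIX) + len(PREFIX))

if __name__ == "__main__":
    print(describe_certificate_prefix(SAMPLE))
    print("gap skipped by distance:16 =", skipped_gap(SAMPLE))
```

Running it prints the decoded fields; the OID 1.2.840.113549.1.1.5 is sha1WithRSAEncryption and 2.5.4.3 is commonName, which is why the rule effectively keys on a self-signed-looking "localhost" certificate with a SHA-1/RSA signature rather than on any particular serial.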

Hey @Jane0sint!

Thanks for the submission. I was taking some time reviewing the content today and didn’t get this into today’s release, but I think it’s good to go and will get it in tomorrow.

As I was going through the signature content I thought that there may be a chance of false positives on traffic that had “localhost” in the certificate subject but after testing in our QA pcaps and other repositories I don’t see any FPs.

One thing I noticed in a few of the Any.run submissions is that the encapsulated traffic had the TLS SNI “?124”, so I got a signature in for that today.

Screenshot 2024-07-08 at 3.03.43 PM

Thanks!
Isaac

2 Likes

Hello @Jane0sint!
Today we received a lot of alerts from that rule since working hours started.
Is it correct to say that the rule match is based on the content? I mean this one:
content:"|00 07 00 00 04 3f|124|00 0a|"
Could you please explain what this content means?
In our case, Suricata triggers on traffic from hosts that work with MS Azure on port 9354.
Thank you.

Hello, I see this rule; it is written on the TLS SNI only. We will correct it now:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] MetaStealer v.5 CnC Activity (MC-NMF TLS SNI)"; flow:established,to_server; content:"|00 07 00 00 04 3f|124|00 0a|"; fast_pattern; reference:url,community.emergingthreats.net/t/metastealer-v-5-tls/1800; classtype:trojan-activity; sid:2054404; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_07_08, deployment Perimeter, malware_family MetaStealer, confidence High, signature_severity Major, updated_at 2024_07_08;)

PS: It does not take into account the encapsulation context.

1 Like

The updated rule matches the first stream bytes of the underlying protocol and then inspects the suspicious Server Name Indication (SNI) for which you had false positives. Let’s look for FPs in this implementation. Sorry for the inconvenience.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] MetaStealer v.5 CnC Activity (MC-NMF TLS SNI)"; flow:established,to_server,only_stream; content:"|00 01 00 01 02 02 1F|net.tcp://"; startswith; content:"|03 08 09 13|application/ssl-tls"; distance:0; content:"|00 07 00 00 04 3f|124|00 0a|"; distance:0; within:200; fast_pattern; reference:url,community.emergingthreats.net/t/metastealer-v-5-tls/1800; classtype:trojan-activity; sid:2054404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_07_08, deployment Perimeter, malware_family MetaStealer, confidence High, signature_severity Major, updated_at 2024_07_08;)

Jane

2 Likes

@Jane0sint Thanks for the expert review and my apologies for the false positives, I’ll fix this in today’s release.

@false_positive - My thought process was that the hex tree of the TLS SNI would be unique enough, but it’s definitely too loose and doesn’t take into account that the TLS traffic is obfuscated. This screenshot shows the tree where you can see that the hex values for the TLS SNI are 00 07 00 00 04 3f 31 32 34, which decode to the name ?124; that is unique because usually the value there would be a host name such as google.com.

Suricata has TLS buffers that automatically restrict the detection logic to the part of the packet that actually contains the SNI value, but I wasn’t able to make use of that buffer because the TLS traffic is encapsulated within MC-NMF (.NET Message Framing Protocol) traffic.

Screenshot 2024-07-09 at 12.47.06 PM

Please let me know if you have any questions and I’m happy to help!
Isaac

3 Likes
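The exchange above boils down to one point: the SNI bytes are only meaningful after the MC-NMF preamble and the application/ssl-tls upgrade request, which is what rev:2 anchors on and rev:1 did not. Here is an added Python example (not code from this thread, from Suricata or from ET) that parses that preamble, extracts the SNI from the encapsulated ClientHello, and compares a bare byte match against the in-context check on three constructed streams. The record types and 7-bit size encoding are MC-NMF's; the Via and upgrade strings are the ones quoted in the rule; the Via host, cipher suite and ClientHello contents are constructed.

```python
"""Added example (not code from this thread, Suricata or ET): decode the MC-NMF
preamble the rev:2 rule anchors on, then read the SNI out of the TLS ClientHello
that follows the upgrade request. Record types and the 7-bit size encoding are
MC-NMF's; Via/upgrade strings come from the rule bytes; all streams are constructed."""
import struct

RECORD_VERSION, RECORD_MODE, RECORD_VIA = 0x00, 0x01, 0x02
RECORD_KNOWN_ENCODING, RECORD_UPGRADE_REQUEST = 0x03, 0x09
# Bare bytes rev:1 matched anywhere: SNI list len 7, host_name type, len 4, "?124", next ext 0x000a
RAW_SNI_PATTERN = bytes.fromhex("00 07 00 00 04 3f") + b"124" + bytes.fromhex("00 0a")

def read_varint(buf, pos):
    """MC-NMF record size: 7 bits per byte, little-endian, high bit = more bytes."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def parse_nmf_preamble(stream):
    """Walk client records up to UpgradeRequest; None if this is not an MC-NMF preamble."""
    pos, info = 0, {}
    try:
        while pos < len(stream):
            rtype, pos = stream[pos], pos + 1
            if rtype == RECORD_VERSION:
                info["version"], pos = (stream[pos], stream[pos + 1]), pos + 2
            elif rtype in (RECORD_MODE, RECORD_KNOWN_ENCODING):
                info["mode" if rtype == RECORD_MODE else "encoding"], pos = stream[pos], pos + 1
            elif rtype in (RECORD_VIA, RECORD_UPGRADE_REQUEST):
                size, pos = read_varint(stream, pos)
                text, pos = stream[pos:pos + size].decode("utf-8", "replace"), pos + size
                if rtype == RECORD_VIA:
                    info["via"] = text
                else:  # TLS starts right after the UpgradeRequest record
                    info["upgrade"], info["tls_offset"] = text, pos
                    return info
            else:
                return None  # unknown record type
    except IndexError:
        pass  # truncated stream
    return None

def extract_sni(tls):
    """Return server_name from a TLS ClientHello record, or None."""
    if len(tls) < 5 or tls[0] != 0x16 or tls[1] != 0x03:
        return None
    hs = tls[5:5 + struct.unpack("!H", tls[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                    # handshake hdr, version, random
    pos += 1 + hs[pos]                                  # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hs[pos]                                  # compression methods
    if pos + 2 > len(hs):
        return None                                     # no extensions block
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        body, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == 0x0000 and len(body) >= 5:          # server_name: list_len, type, name_len, name
            name_len = struct.unpack("!H", body[3:5])[0]
            return body[5:5 + name_len].decode("ascii", "replace")
    return None

def classify(stream):
    """rev:2 logic: require the MC-NMF/SSL upgrade context before judging the SNI."""
    info = parse_nmf_preamble(stream)
    if not info or not info.get("via", "").startswith("net.tcp://"):
        return None
    if info.get("upgrade") != "application/ssl-tls":
        return None
    sni = extract_sni(stream[info["tls_offset"]:])
    return {"via": info["via"], "sni": sni, "suspicious": sni == "?124"}

def build_client_hello(sni):
    """Constructed minimal TLS 1.2 ClientHello: server_name then supported_groups."""
    name = sni.encode()
    sni_ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    exts = sni_ext + bytes.fromhex("00 0a 00 04 00 02 00 1d")
    body = (bytes.fromhex("03 03") + bytes(32) + b"\x00" + bytes.fromhex("00 02 c0 2f")
            + bytes.fromhex("01 00") + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

VIA = b"net.tcp://example.invalid:9354/"        # constructed, 31 bytes = the rule's 0x1F
PREAMBLE = (bytes.fromhex("00 01 00 01 02") + bytes([RECORD_VIA, len(VIA)]) + VIA
            + bytes.fromhex("03 08") + bytes([RECORD_UPGRADE_REQUEST, 19]) + b"application/ssl-tls")
MALICIOUS_STREAM = PREAMBLE + build_client_hello("?124")
BENIGN_STREAM = PREAMBLE + build_client_hello("example.invalid")
UNRELATED_BLOB = bytes(8) + RAW_SNI_PATTERN + bytes(8)   # rev:1 bytes outside any MC-NMF context

if __name__ == "__main__":
    for label, s in [("malicious", MALICIOUS_STREAM), ("benign", BENIGN_STREAM), ("blob", UNRELATED_BLOB)]:
        print(label, "raw-bytes hit:", RAW_SNI_PATTERN in s, "in-context verdict:", classify(s))
```

The unrelated blob contains the exact rev:1 bytes and would have fired the first signature, while classify() returns None for it because there is no net.tcp Via and no ssl-tls upgrade in front of them; the benign MC-NMF stream parses fine but carries a normal host name and is reported as not suspicious.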

Hello @Jane0sint @ishaughnessy!
I applied the fixed rule, and we received no alerts for the whole day.
It seems to be working as expected now.
Thanks for your help, much obliged!

3 Likes