New Signatures: BunnyLoader

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BunnyLoader Initial Connection"; flow:established,to_server; content:"GET"; http_method; content:"/gate.php?ipaddress="; http_uri; content:"&hostname="; http_uri; content:"&version="; http_uri; content:"&system="; http_uri; content:"&privileges="; http_uri; content:"&arch="; http_uri; content:"&antivirus="; http_uri; content:"&enc_key="; http_uri; classtype:trojan-activity; reference:url,Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled; sid:155111; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BunnyLoader Stealer Module Activity"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; content:"User-Agent|3A| Uploader|0D 0A|"; http_header; classtype:trojan-activity; reference:url,Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled; sid:155112; rev:1;)

Kind Regards,
Kevin Ross

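To sanity-check what the two submitted rules actually require of a request, here is an added Python re-implementation of their match logic run over constructed HTTP requests. It is not Suricata and not part of the submission; the hostnames, addresses and parameter values are made up for the test.

```python
# Added example: plain-Python equivalent of the two BunnyLoader signatures above,
# applied to constructed raw HTTP requests. Not Suricata; for illustration only.
from typing import Dict, List, Tuple

# URI fragments the initial-connection rule requires. The rule uses no distance/within
# modifiers, so Suricata treats them as unordered substring tests, as we do here.
INITIAL_CONNECTION_URI_TOKENS: List[str] = [
    "/gate.php?ipaddress=", "&hostname=", "&version=", "&system=",
    "&privileges=", "&arch=", "&antivirus=", "&enc_key=",
]


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, uri, lowercased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def matches_initial_connection(raw: bytes) -> bool:
    """Logic of the GET rule (sid 2051676): every beacon parameter present in the URI."""
    method, uri, _ = parse_request(raw)
    return method == "GET" and all(tok in uri for tok in INITIAL_CONNECTION_URI_TOKENS)


def matches_stealer_upload(raw: bytes) -> bool:
    """Logic of the POST rule (sid 2051677): POST to /gate.php with User-Agent exactly 'Uploader'."""
    method, uri, headers = parse_request(raw)
    return method == "POST" and "/gate.php" in uri and headers.get("user-agent") == "Uploader"


# Constructed sample traffic (RFC 5737 address, .invalid host); values are invented.
BEACON = (b"GET /gate.php?ipaddress=203.0.113.7&hostname=WS01&version=3.0&system=Windows"
          b"&privileges=user&arch=x64&antivirus=Defender&enc_key=abc123 HTTP/1.1\r\n"
          b"Host: c2.example.invalid\r\n\r\n")
UPLOAD = b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\nUser-Agent: Uploader\r\n\r\n"
BENIGN = b"GET /gate.php?ipaddress=1 HTTP/1.1\r\nHost: c2.example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("BEACON", BEACON), ("UPLOAD", UPLOAD), ("BENIGN", BENIGN)):
        print(name, matches_initial_connection(req), matches_stealer_upload(req))
```

Note that a benign request to a different `/gate.php` with only some of the parameters does not match, which is the point of requiring all eight URI fragments.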

Hey @kevross33, thanks for the submission! Here are the sids that made it into today’s release.

2051676 - BunnyLoader Initial Connection (GET)
2051677 - BunnyLoader Stealer Module Activity (POST)

Thanks,
Isaac
