ObserverStealer

Hi all! A fairly new stealer was discovered today that leaves a note with an advertisement on the victim’s computer) This is very strange… I propose the following set of rules for detection:

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] ObserverStealer (Screenshot)";flow: established, to_server; http.method; content: "POST"; http.header; content: "X-Config: SCR|0d0a|"; content: "X-Session: "; pcre: "/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})/R";content: "X-ID: "; pcre: "/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})/R";http.header_names; content: "X-Session|0d 0a|X-Info|0d 0a|X-Config|0d 0a|X-ID"; classtype: credential-theft; reference:md5,c28cc92a7c78b96bec58fa3e5398074a; reference:url,app.any.run/tasks/5728c30e-00c1-4f87-9522-ff8b9e08fa32/; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family ObserverStealer, created_at 2023_06_06; sid: 8000150; rev: 1;)

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] ObserverStealer (System Information)";flow: established, to_server; http.method; content: "POST"; http.header; content: "X-Config: SYS|0d0a|"; content: "X-Session: "; pcre: "/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})/R";content: "X-ID: "; pcre: "/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})/R";http.header_names; content: "X-Session|0d 0a|X-Info|0d 0a|X-Config|0d 0a|X-ID"; classtype: credential-theft; reference:md5,c28cc92a7c78b96bec58fa3e5398074a; reference:url,app.any.run/tasks/5728c30e-00c1-4f87-9522-ff8b9e08fa32/; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family ObserverStealer, created_at 2023_06_06; sid: 8000151; rev: 1;)

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] ObserverStealer (Check-in)";flow: established, to_server; http.method; content: "POST"; http.header; content: "X-Config: HWID|0d0a|"; content: "X-Session: "; pcre: "/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})/R";content: "X-ID: "; pcre: "/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})/R";http.header_names; content: "X-Session|0d 0a|X-Info|0d 0a|X-Config|0d 0a|X-ID"; classtype: credential-theft; reference:md5,c28cc92a7c78b96bec58fa3e5398074a; reference:url,app.any.run/tasks/5728c30e-00c1-4f87-9522-ff8b9e08fa32/; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family ObserverStealer, created_at 2023_06_06; sid: 8000152; rev: 1;)

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] ObserverStealer (Activity)";flow: established, to_server; http.method;content: "POST"; http.header;content: "X-Session: ";pcre: "/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})/R";content: "X-ID: ";content: !"|0d0a|"; within: 2;  pcre: "/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})/R";http.header_names;content: "X-Session|0d 0a|X-Info|0d 0a|X-Config|0d 0a|X-ID";threshold: type limit, track by_src, seconds 300, count 1; classtype: credential-theft;reference:md5,c28cc92a7c78b96bec58fa3e5398074a;reference:url,app.any.run/tasks/5728c30e-00c1-4f87-9522-ff8b9e08fa32/;metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family ObserverStealer, created_at 2023_06_06;sid: 8000153; rev: 1;)

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] ObserverStealer (Loading)";flow: established, to_server; http.method; content: "GET"; http.uri; content: "/s?id="; pcre: "/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})$/R";http.host; pcre: "/^(?:(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])(:\d{2,5})?$/R";http.header; content: "Accept: */*"; depth: 11; content: "Accept-Encoding: gzip, deflate"; distance: 0; content: "Connection: Keep-Alive"; distance: 0; isdataat: !3, relative; http.user_agent;content: "Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.3|3b| WOW64|3b| Trident/7.0|3b| .NET4.0C|3b| .NET4.0E|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.0.30729|3b| .NET CLR 3.5.30729)";http.header_names; content: "Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; endswith; content:!"Referer|0d 0a|"; reference:md5,c28cc92a7c78b96bec58fa3e5398074a; reference:url,app.any.run/tasks/5728c30e-00c1-4f87-9522-ff8b9e08fa32/; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family ObserverStealer, created_at 2023_06_06; classtype: trojan-activity; sid: 8000154; rev: 1;)

The note is posted on github at:

I will be grateful for the like)

Have a nice day, regards Jane.


Hey Jane! We’ll get these out today and I’ll post the sids once I have them!

Thanks,
Isaac


@Jane0sint - Here are the sigs from today’s release:

2046150 - ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Screenshot)
2046151 - ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (System Information)
2046152 - ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Check-in)
2046153 - ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Activity)
2046154 - ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (END)
2046155 - ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Response

Regarding “ET MALWARE [ANY.RUN] ObserverStealer (Loading)”, I tried to be tricky and make a single signature catch both URI patterns but the performance didn’t make the cut for today so those sigs will go out tomorrow.

Patterns:

GET /s?id=a0c599e3-11b1-4e51-9a72-8a65e2eb442d HTTP/1.1
GET /?id=a0c599e3-11b1-4e51-9a72-8a65e2eb442d HTTP/1.1

Final sigs released today:

2046169 - ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Loading) M1
2046170 - ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Loading) M2

Oops, looks like I overdid the user agent a bit and now it only works on Windows 10 :expressionless:
Suggest changes to the sid:2046170 rule:
http.user_agent;
content: ".NET";

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Loading) M2";flow:established, to_server; http.method;content:"GET"; http.uri;content:"/s?id=";startswith; fast_pattern;pcre:"/^\/s\x3fid\x3d([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})$/"; http.host;pcre:"/^(?:(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])(:\d{2,5})?$/R"; http.accept;content:"|2a 2f 2a|"; bsize:3; http.accept_enc;content:"gzip|2c 20|deflate"; bsize:13; http.connection;content:"Keep-Alive"; bsize:10; http.user_agent;content: ".NET";reference:md5,c28cc92a7c78b96bec58fa3e5398074a;reference:url,community.emergingthreats.net/t/observerstealer/624;reference:url,app.any.run/tasks/5728c30e-00c1-4f87-9522-ff8b9e08fa32/; classtype:trojan-activity;sid:2046170; rev:2;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_06_07, deployment Perimeter, former_category MALWARE, malware_family ObserverStealer, confidence High, signature_severity Critical, updated_at 2023_06_07;)

I left our rule with a changed user agent for now, but we don’t have a lot of traffic and therefore I don’t see false positives; I don’t know about you.
Jane

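As an added example (not code from this thread, from ANY.RUN or from the ET ruleset), the following Python prototype re-implements the matching logic of the rules discussed above over raw HTTP requests, so the patterns (the four consecutive X-* header names with UUID-formatted X-Session/X-ID, the SCR/SYS/HWID X-Config values, both the /s?id= and /?id= URIs against an IP-literal Host, and the relaxed ".NET" user-agent check) can be exercised offline before a signature is deployed. The sample requests, the 203.0.113.10 host and all UUIDs except the one quoted in the thread are constructed; the Loading rule's exact header-name order is not mirrored.

```python
import re

# Regexes mirroring the patterns in the thread's rules (constructed here, not the rule text itself).
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
UUID_RE = re.compile(rf"^{UUID}")
URI_RE = re.compile(rf"^/s?\?id=({UUID})$")   # covers both /s?id=<uuid> and /?id=<uuid>
IPV4_HOST_RE = re.compile(
    r"^(?:(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.){3}"
    r"(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])(?::\d{2,5})?$")   # IP-literal Host, optional port
EXFIL_NAMES = ["X-Session", "X-Info", "X-Config", "X-ID"]   # the http.header_names sequence
EXFIL_KIND = {"SCR": "Screenshot", "SYS": "System Information", "HWID": "Check-in"}

def parse_request(raw: bytes):
    # Split a raw HTTP/1.1 request head into (method, uri, ordered [(name, value)]).
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = [(n.strip(), v.strip()) for n, _, v in (h.partition(":") for h in header_lines)]
    return method, uri, headers

def classify(raw: bytes):   # label of the rule this request would trigger, or None
    method, uri, headers = parse_request(raw)
    names = [n for n, _ in headers]
    values = dict(headers)
    if method == "POST":
        # the four X-* names must appear consecutively and in this order
        if not any(names[i:i + 4] == EXFIL_NAMES for i in range(len(names))):
            return None
        if not (UUID_RE.match(values.get("X-Session", "")) and UUID_RE.match(values.get("X-ID", ""))):
            return None
        return EXFIL_KIND.get(values.get("X-Config", ""), "Activity")
    if (method == "GET" and URI_RE.match(uri) and IPV4_HOST_RE.match(values.get("Host", ""))
            and values.get("Accept") == "*/*" and values.get("Accept-Encoding") == "gzip, deflate"
            and values.get("Connection") == "Keep-Alive" and ".NET" in values.get("User-Agent", "")):
        return "Loading"   # relaxed ".NET" check instead of the full Windows 10 User-Agent string
    return None

# Constructed sample requests (not captured traffic); the URI UUID is the one quoted in the thread.
SAMPLES = {
    "screenshot": (b"POST / HTTP/1.1\r\nHost: 203.0.113.10\r\nX-Session: 0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0\r\n"
                   b"X-Info: 1\r\nX-Config: SCR\r\nX-ID: 11111111-2222-3333-4444-555555555555\r\n\r\n"),
    "loading_win7": (b"GET /?id=a0c599e3-11b1-4e51-9a72-8a65e2eb442d HTTP/1.1\r\nAccept: */*\r\n"
                     b"Accept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; "
                     b"Windows NT 6.1; Trident/7.0; .NET4.0C)\r\nHost: 203.0.113.10:8080\r\nConnection: Keep-Alive\r\n\r\n"),
    "benign": (b"GET /?id=a0c599e3-11b1-4e51-9a72-8a65e2eb442d HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
               b"User-Agent: curl/8.0\r\nHost: example.com\r\nConnection: Keep-Alive\r\n\r\n"),
}
def run_samples():
    return {name: classify(raw) for name, raw in SAMPLES.items()}   # {'screenshot': 'Screenshot', ...}
```

The Windows 7 (NT 6.1) sample is the case the exact Windows 10 user-agent string would have missed and the ".NET" change catches; the domain-name Host is what keeps the benign request from matching.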

Thanks for the heads up, we made the suggested change to the signature which will go out in today's release.

JT
