Hey Jane,
As always, thank you for the tip-up, the rules, and the pcaps to work with. I’ve made quite a few modifications to the initial rule you’ve submitted, and also have identified some more rules that could be used to identify this threat:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] PlanetStealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/submit/info"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.user_agent; content:"Go-http-client/"; http.request_body; content:"|22|owner_id|22 3a 22|"; content:"|22|bot_id|22 3a 22|"; content:"|22|build_id|22 3a 22|"; content:"|22|statistics|22 3a 7b 22|total_passwords|22 3a|"; fast_pattern; content:"|22|total_cookies|22 3a|"; content:"|22|total_cards|22 3a|"; content:"|22|total_autofills|22 3a|"; content:"|22|total_wallets|22 3a|"; content:"|22|total_bookmarks|22 3a|"; content:"|22|computer|22 3a 7b 22|username|22 3a 22|"; content:"|22|hostname|22 3a 22|"; content:"|22|hwid|22 3a 22|"; pcre:"/^[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}\x22/R"; content:"|22|cpu|22 3a 22|"; content:"|22|gpu|22 3a 22|"; content:"|22|windows_version|22 3a 22|Windows"; content:"|22|country|22 3a 22|"; content:"|22|ip|22 3a 22|"; content:"|22|wallets|22 3a|"; content:"|22|credentials|22 3a|"; content:"|22|software|22 3a|"; content:"|22|file|22 3a|"; flowbits:set,ET.PlanetStealer.Checkin; classtype:trojan-activity; reference:md5,99a0225b149f9a918aaccafa73c42a1f; reference:url,community.emergingthreats.net/t/planetstealer; reference:url,app.any.run/tasks/a55c931e-99d7-4b32-8672-2b5733ae3dd4; sid:1; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PlanetStealer CnC Checkin - Server Response"; flow:established,to_client; flowbits:isset,ET.PlanetStealer.Checkin; http.stat_code; content:"200"; http.content_len; byte_test:0,=,66,0,string,dec; file.data; content:"|7b 22|success|22 3a|true|2c 22|callback|22 3a 22|"; fast_pattern; startswith; pcre:"/^[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}\x22\x7d/R"; reference:md5,99a0225b149f9a918aaccafa73c42a1f; reference:url,community.emergingthreats.net/t/planetstealer; reference:url,app.any.run/tasks/a55c931e-99d7-4b32-8672-2b5733ae3dd4; classtype:trojan-activity; sid:2; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlanetStealer Data Exfiltration Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/submit/file"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.user_agent; content:"Go-http-client/"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|C|3a 5c 5c|Users|5c 5c|"; content:"|5c 5c|AppData|5c 5c|Local|5c 5c|Temp|5c 5c|"; fast_pattern; within:75; pcre:"/^[a-zA-Z0-9]{8}-[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}/R"; content:".zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|PK"; within:100; content:"passwords.txt"; within:50; reference:md5,99a0225b149f9a918aaccafa73c42a1f; reference:url,community.emergingthreats.net/t/planetstealer; reference:url,app.any.run/tasks/a55c931e-99d7-4b32-8672-2b5733ae3dd4; classtype:trojan-activity; sid:3; rev:1;)
Rule one has been re-worked to include more content matches in the HTTP request body. It's probably excessive, but sometimes being thorough is fine. I also took the opportunity to set a flowbit for rule number two, an acknowledgement from the server of the successful check-in/callback. Finally, I made a third rule to detect the data exfiltration (zip file upload).
This might be slightly overkill, but it never hurts to be thorough with detection rules. These rules should be made available with tonight’s rule release.
Thanks again for the submission, and happy hunting.
-Tony Robinson
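As a quick way to sanity-check what the three rules above actually key on, here is a small Python re-implementation of their logic. This is an added example, not part of Tony's reply or the ET ruleset: it runs the same content, pcre, within and flowbit conditions over a constructed check-in, server response and zip upload. The byte patterns are copied from the rules; the JSON values, the UUID, the username and the hostname in the samples are made up, and the transaction dicts are a stand-in for what Suricata's HTTP parser would hand the rules.

```python
import re

# Hex UUID pattern used by the rules' pcre options (hwid, callback id, exfil filename).
UUID = rb'[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}'

# Rule 1: the http.request_body content matches, as raw bytes of compact JSON.
CHECKIN_BODY = [
    b'"owner_id":"', b'"bot_id":"', b'"build_id":"',
    b'"statistics":{"total_passwords":', b'"total_cookies":', b'"total_cards":',
    b'"total_autofills":', b'"total_wallets":', b'"total_bookmarks":',
    b'"computer":{"username":"', b'"hostname":"', b'"hwid":"',
    b'"cpu":"', b'"gpu":"', b'"windows_version":"Windows', b'"country":"', b'"ip":"',
    b'"wallets":', b'"credentials":', b'"software":', b'"file":',
]
# Rule 1: "hwid" content followed by the relative (/R) pcre for a UUID plus closing quote.
HWID_RE = re.compile(rb'"hwid":"' + UUID + rb'"')
# Rule 2: file.data must begin with this (startswith) and the /R pcre closes the object.
CALLBACK_RE = re.compile(rb'^\{"success":true,"callback":"' + UUID + rb'"\}')
# Rule 3: the multipart header chain; the bounded gaps reproduce the within: modifiers.
EXFIL_RE = re.compile(
    rb'Content-Disposition: form-data; name="file"; filename="C:\\\\Users\\\\' +
    rb'[^"\r\n]{0,51}\\\\AppData\\\\Local\\\\Temp\\\\' +      # within:75 minus 24 content bytes
    rb'[a-zA-Z0-9]{8}-' + UUID +                                # pcre /R
    rb'[^"]{0,49}\.zip"\r\nContent-Type: application/octet-stream\r\n\r\nPK' +  # within:100
    rb'[\s\S]{0,37}passwords\.txt'                              # within:50
)


def _stealer_request(method, uri, headers, endpoint):
    """Checks shared by rules 1 and 3: POST to the endpoint, Go http client, no Referer header."""
    h = {k.lower(): v for k, v in headers.items()}
    return (method == "POST" and endpoint in uri
            and "referer" not in h
            and "Go-http-client/" in h.get("user-agent", ""))


def is_checkin(method, uri, headers, body):
    """Rule 1 (sid:1): every body content match plus the hwid UUID pcre."""
    return (_stealer_request(method, uri, headers, "/submit/info")
            and all(p in body for p in CHECKIN_BODY)
            and HWID_RE.search(body) is not None)


def is_checkin_response(flowbits, status, content_length, body):
    """Rule 2 (sid:2): only fires once rule 1 has set the flowbit on this flow."""
    return ("ET.PlanetStealer.Checkin" in flowbits and status == 200
            and content_length == 66 and CALLBACK_RE.match(body) is not None)


def is_exfil(method, uri, headers, body):
    """Rule 3 (sid:3): multipart upload of a zip from %TEMP% that contains passwords.txt."""
    return (_stealer_request(method, uri, headers, "/submit/file")
            and EXFIL_RE.search(body) is not None)


def inspect_flow(transactions):
    """Run the three checks over one flow's HTTP transactions, emulating per-flow flowbits."""
    flowbits, alerts = set(), []
    for t in transactions:
        if t["dir"] == "to_server":
            if is_checkin(t["method"], t["uri"], t["headers"], t["body"]):
                flowbits.add("ET.PlanetStealer.Checkin")
                alerts.append("PlanetStealer CnC Checkin")
            elif is_exfil(t["method"], t["uri"], t["headers"], t["body"]):
                alerts.append("PlanetStealer Data Exfiltration Attempt")
        elif is_checkin_response(flowbits, t["status"], t["content_length"], t["body"]):
            alerts.append("PlanetStealer CnC Checkin - Server Response")
    return alerts


# Constructed sample traffic (made-up values, not taken from the pcaps).
FAKE_UUID = b"11111111-2222-3333-4444-555555555555"
CHECKIN_BODY_SAMPLE = (
    b'{"owner_id":"o1","bot_id":"b1","build_id":"v1",'
    b'"statistics":{"total_passwords":1,"total_cookies":2,"total_cards":0,'
    b'"total_autofills":3,"total_wallets":0,"total_bookmarks":4},'
    b'"computer":{"username":"user","hostname":"DESKTOP-TEST","hwid":"' + FAKE_UUID + b'",'
    b'"cpu":"cpu","gpu":"gpu","windows_version":"Windows 10","country":"ZZ","ip":"192.0.2.1"},'
    b'"wallets":[],"credentials":[],"software":[],"file":""}'
)
CALLBACK_BODY_SAMPLE = b'{"success":true,"callback":"' + FAKE_UUID + b'"}'   # 66 bytes
EXFIL_BODY_SAMPLE = (
    b'--boundary\r\nContent-Disposition: form-data; name="file"; filename="C:\\\\Users\\\\user'
    b'\\\\AppData\\\\Local\\\\Temp\\\\AbCd1234-' + FAKE_UUID +
    b'.zip"\r\nContent-Type: application/octet-stream\r\n\r\nPK\x03\x04'
    + b'\x00' * 26 + b'passwords.txt'   # zip local file header, then the entry name
)
GO_HEADERS = {"User-Agent": "Go-http-client/1.1", "Content-Type": "application/json"}
SAMPLE_FLOW = [
    {"dir": "to_server", "method": "POST", "uri": "/submit/info",
     "headers": GO_HEADERS, "body": CHECKIN_BODY_SAMPLE},
    {"dir": "to_client", "status": 200, "content_length": len(CALLBACK_BODY_SAMPLE),
     "body": CALLBACK_BODY_SAMPLE},
    {"dir": "to_server", "method": "POST", "uri": "/submit/file",
     "headers": GO_HEADERS, "body": EXFIL_BODY_SAMPLE},
]

if __name__ == "__main__":
    for alert in inspect_flow(SAMPLE_FLOW):
        print(alert)
```

The one behaviour worth noting when reading the rules this way is rule 2: without the check-in on the same flow the server response alone produces nothing, which is exactly what the flowbits:isset gives you in Suricata, and the Content-Length of 66 is just the fixed size of the success/callback JSON once the UUID is in it.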