PortStarter Backdoor Sigs

Used by ViceSociety/Rhysida ransomware. More info here: https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf (page 14). Additional samples: VirusTotal, VirusTotal.

I have noticed that even though the dots in the IP segment of the PCRE are escaped when I edit it, when viewed normally they are shown as plain dots with no backslash, so this may need sorting if it remains the case.

This rule needs SSL decryption. It is focused on the anomalous Hostname header that is part of this tool.

# PCRE dots escaped as \. so they match a literal dot; the dangling trailing "|" alternation (which matched the empty string) removed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC PortStarter Backdoor Request"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:"/"; http_uri; content:"Hostname|3A| "; http_header; content:!"User-Agent|3A|"; http_header; pcre:"/Hostname:\ \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/H"; classtype:trojan-activity; reference:url,go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf; sid:198001; rev:1;)

Checked in traffic, and this JA3 does not seem to appear in about a week of large network traffic with a mix of OSes.

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 PortStarter Backdoor TLS Fingerprint"; flow:established,to_server; ja3.hash; content:"19e29534fd49dd27d09234e639c4057e"; classtype:trojan-activity; reference:url,go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf; sid:198002; rev:1;)

Also found another sample on VirusTotal. On the behaviour tab under HTTP traffic (though it is HTTPS) there is the first request above, but also another to /ping 404.

# Same PCRE fix as sid 198001: dots escaped, dangling "|" alternation removed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC PortStarter Backdoor Request M2"; flow:established,to_server; content:"GET"; http_method; content:"/ping 404"; http_uri; fast_pattern:only; content:"Hostname|3A| "; http_header; content:!"User-Agent|3A|"; http_header; pcre:"/Hostname:\ \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/H"; classtype:trojan-activity; reference:url,go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf; sid:198003; rev:1;)
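As an added example (not part of the original post or the ET ruleset), the following Python mirrors the match conditions of sids 198001 and 198003 over constructed decrypted HTTP requests, and shows why the escaped dots matter: the bare-dot form the editor displays also fires on a Hostname value that is not an IPv4 address. The request text, addresses and hostnames are constructed sample data.

```python
import re

# Regex as intended (escaped dots) versus the form shown after the editor
# strips the backslashes (bare dots match any character). Both are
# case-sensitive, as the rule's pcre has no /i flag.
STRICT_IP = re.compile(r"Hostname: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
LOOSE_IP = re.compile(r"Hostname: \d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}")


def parse_request(raw):
    """Split a raw HTTP request head into (method, uri, headers).

    The request line is split from both ends so a URI containing a space,
    such as the tool's '/ping 404', survives intact.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, rest = lines[0].split(" ", 1)
    uri, _version = rest.rsplit(" ", 1)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def classify(raw, pattern=STRICT_IP):
    """Return the sid the request would trigger ('198001' or '198003'), else None.

    Conditions mirrored from the rules: GET method, URI '/' (urilen:1) or
    '/ping 404', a 'Hostname: ' header whose value looks like an IPv4
    address, and no User-Agent header at all.
    """
    method, uri, headers = parse_request(raw)
    if method != "GET" or uri not in ("/", "/ping 404"):
        return None
    if "user-agent" in headers or "hostname" not in headers:
        return None
    head = raw.split("\r\n\r\n", 1)[0]
    if not pattern.search(head):
        return None
    return "198001" if uri == "/" else "198003"


# Constructed sample requests (not captured traffic).
BEACON = "GET / HTTP/1.1\r\nHost: 203.0.113.5\r\nHostname: 192.0.2.10\r\n\r\n"
PING = "GET /ping 404 HTTP/1.1\r\nHost: 203.0.113.5\r\nHostname: 192.0.2.10\r\n\r\n"
BENIGN = "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\nHostname: 192.0.2.10\r\n\r\n"
NOT_AN_IP = "GET / HTTP/1.1\r\nHost: 203.0.113.5\r\nHostname: 10a20b30c40\r\n\r\n"
```

Running `classify(NOT_AN_IP, LOOSE_IP)` returns "198001" while `classify(NOT_AN_IP)` returns None, which is the overmatch the missing backslashes would introduce.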