PrivateLoader Signature

It looks like the POST is covered by 2049837, but the GET seems unique enough it might do okay too.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Private Loader Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/b"; startswith; fast_pattern; content:".php"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:!"Linux"; http.header_names; content:"|0d 0a|Connection|0d 0a|"; startswith; content:!"Referer|0d 0a|"; reference:md5,362697c95a1c9964af1ab23ddfc29b04; classtype:trojan-activity; sid:1; rev:1;)

sandbox: privateloader | ecfe6fb22dff160829a258b0dc35703846e8eb30bc16e1ce549321736b89b448 | Triage

1 Like
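To see what the rule above actually keys on, here is a small Python emulation of its match conditions run over constructed HTTP requests. This is an added example, not part of the original post or the ET ruleset, and it makes one assumption: the dotted-quad pcre is evaluated against the Host header (Suricata's http.host buffer, port stripped), which is the only buffer where the ^...$ anchors make sense. The sample requests are constructed for illustration and do not come from real traffic.

```python
"""Emulate the Suricata rule's match logic on raw HTTP/1.x requests.

Added example: mirrors the sticky-buffer checks in the posted rule
(http.method, http.uri startswith/endswith, http.host pcre, http.user_agent
negation, http.header_names ordering). Sample requests are constructed.
"""
import re

# pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/" -- assumed to target http.host
HOST_IS_DOTTED_QUAD = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")


def parse_request(raw: bytes) -> dict:
    """Split a raw request into method, URI and an ordered list of headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return {"method": method.decode("latin-1"), "uri": uri.decode("latin-1"), "headers": headers}


def header(req: dict, name: str):
    """Case-insensitive header lookup; returns None when absent."""
    for n, v in req["headers"]:
        if n.lower() == name.lower():
            return v
    return None


def rule_matches(raw: bytes) -> bool:
    """Return True when every condition of the posted rule would match."""
    req = parse_request(raw)
    # http.method; content:"GET"
    if req["method"] != "GET":
        return False
    # http.uri; content:"/api/b"; startswith; content:".php"; endswith
    uri = req["uri"]
    if not (uri.startswith("/api/b") and uri.endswith(".php")):
        return False
    # http.host; pcre dotted quad (Suricata strips any :port from http.host)
    host = (header(req, "Host") or "").split(":")[0]
    if not HOST_IS_DOTTED_QUAD.match(host):
        return False
    # http.user_agent; content:!"Linux" (case-sensitive, no nocase in the rule)
    if "Linux" in (header(req, "User-Agent") or ""):
        return False
    # http.header_names is "\r\nName1\r\nName2\r\n...", so
    # content:"|0d 0a|Connection|0d 0a|"; startswith  => Connection is the first header
    # content:!"Referer|0d 0a|"                       => no Referer header at all
    names = [n for n, _ in req["headers"]]
    if not names or names[0] != "Connection":
        return False
    if "Referer" in names:
        return False
    return True


# Constructed samples (RFC 5737 documentation address, made-up path).
SAMPLE_MATCH = (
    b"GET /api/bexample.php HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Host: 203.0.113.10\r\n\r\n"
)
SAMPLE_LINUX_UA = SAMPLE_MATCH.replace(b"Windows NT 10.0; Win64; x64", b"X11; Linux x86_64")
SAMPLE_WITH_REFERER = SAMPLE_MATCH.replace(
    b"Host: 203.0.113.10\r\n", b"Host: 203.0.113.10\r\nReferer: http://203.0.113.10/\r\n"
)
SAMPLE_DOMAIN_HOST = SAMPLE_MATCH.replace(b"Host: 203.0.113.10", b"Host: example.invalid")
SAMPLE_HOST_FIRST = (
    b"GET /api/bexample.php HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Connection: Keep-Alive\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in [("match", SAMPLE_MATCH), ("linux ua", SAMPLE_LINUX_UA),
                          ("referer", SAMPLE_WITH_REFERER), ("domain host", SAMPLE_DOMAIN_HOST),
                          ("host first", SAMPLE_HOST_FIRST)]:
        print(f"{label:12s} -> {rule_matches(sample)}")
```

The header-order check is what carries most of the specificity here: a browser almost never sends Connection as its first header, so the rule is really fingerprinting the loader's hand-rolled HTTP client rather than the path alone.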

Thanks for the tip @jt42! Here’s the SID that went out today.

2052789 - ET MALWARE Private Loader Related Activity (GET)

Thanks @jt42 @ishaughnessy !

1 Like