RadX RAT

Hi guys! Here is an article in Russian about the new malware. We already have it in the sandbox, so I propose rules for the Check-In and for the Keep-Alive.
https://www.facct.ru/blog/radx-rat/

alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] RadX RAT HTTP POST Check-In"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/add_user"; endswith; http.header; content:"Content-Type: application/json|3b| charset=utf-8"; http.header_names; content:!"User-Agent|0d 0a|"; http.request_body; content:"|22|video_card|22|"; depth:1000; content:"|22|windows_version|22|"; depth:1000; content:"|22|processor|22|"; depth:1000; content:"|22|ram|22|"; depth:1000; reference:md5,f0bc8d8a0ecd2ff441c9a24f907bd9db; reference:url,app.any.run/tasks/4fdde064-e353-4325-81ef-d85b22ee0f90; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RadX, created_at 2024_01_24; classtype:trojan-activity; sid:1; rev:1;)

The body of the requests contains JSON, and I am not sure about the order of the keys, so I left them unanchored within the first 1000 characters.

It also seems to me that it calculates the identifier incorrectly, because it becomes negative:

POST /check/-7635670199524603949 HTTP/1.1
Host: 193.106.95.60:1337
Content-Length: 0

alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] RadX RAT HTTP POST Keep-Alive"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/check/-"; http.header; content:"Content-Length: 0|0d 0a|"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; startswith; reference:md5,f0bc8d8a0ecd2ff441c9a24f907bd9db; reference:url,app.any.run/tasks/4fdde064-e353-4325-81ef-d85b22ee0f90; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RadX, created_at 2024_01_24; classtype:trojan-activity; sid:2; rev:1;)

I did not write signatures for the rest of the activity; it seemed that this would be enough.
⋆┈┈。゚❃ུ۪ ❀ུ۪ ❁ུ۪ ❃ུ۪ ❀ུ۪ ゚。┈┈⋆
Jane

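The two rules above match on a request layout that only the sandbox capture shows, so it helps to have a replayable pcap to load them against. As an added example (not part of Jane's post, of ANY.RUN's tooling, or of the ET ruleset), the Python below packs the keep-alive request quoted above, a check-in request reconstructed from the fields the first rule matches on, and two negative controls into a classic libpcap file, one complete TCP session per request so `flow:established,to_server` holds. Only the server address and port and the keep-alive request come from the post; the client IP and ports, the JSON values in the check-in body, the 200 response and the timestamps are assumptions made here.

```python
"""Pack the RadX RAT HTTP requests into a pcap so the proposed rules can be
exercised offline:  suricata -r radx_test.pcap -S radx.rules -l ./log
Each request gets its own TCP session with a full handshake, so
flow:established,to_server holds when the request is parsed."""
import socket
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08
CLIENT, SERVER = "10.0.0.5", "193.106.95.60"  # server IP from the post; client IP is made up
SPORT, DPORT = 49152, 1337                    # server port from the post; client port made up
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"  # constructed, not the real C2 reply

# Keep-alive request copied from the post. The check-in request is constructed
# from the fields the rule matches on; the JSON values are made up.
KEEPALIVE = (b"POST /check/-7635670199524603949 HTTP/1.1\r\n"
             b"Host: 193.106.95.60:1337\r\n"
             b"Content-Length: 0\r\n\r\n")
CHECKIN_BODY = (b'{"video_card":"Generic VGA","windows_version":"10.0.19045",'
                b'"processor":"Generic CPU","ram":"8192"}')

def checkin(extra_headers: bytes = b"") -> bytes:
    """Constructed /add_user request; extra_headers lets a control add a User-Agent."""
    return (b"POST /add_user HTTP/1.1\r\n"
            b"Host: 193.106.95.60:1337\r\n"
            b"Content-Type: application/json; charset=utf-8\r\n"
            + extra_headers
            + b"Content-Length: " + str(len(CHECKIN_BODY)).encode() + b"\r\n\r\n"
            + CHECKIN_BODY)

# Name -> request. The *_no_alert entries are negative controls: the check-in rule
# excludes requests that carry User-Agent, and the keep-alive rule only matches
# the negative-ID URI form seen in the sandbox.
SAMPLES = {
    "checkin_should_alert": checkin(),
    "checkin_with_user_agent_no_alert": checkin(b"User-Agent: Mozilla/5.0\r\n"),
    "keepalive_should_alert": KEEPALIVE,
    "keepalive_positive_id_no_alert": KEEPALIVE.replace(b"/check/-", b"/check/"),
}

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over an already checksummed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP frame with valid checksums (Suricata validates them by default)."""
    ip_src, ip_dst = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = ip_src + ip_dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0, ip_src, ip_dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("00112233445566778899aabb0800")  # dst MAC, src MAC, IPv4 ethertype
    return eth + ip + tcp + payload

def tcp_session(request: bytes, response: bytes, sport: int) -> list:
    """Three-way handshake, request, ACK, response, ACK: seven frames."""
    c, s = 1000, 5000  # arbitrary initial sequence numbers
    r = len(request)
    return [
        tcp_frame(CLIENT, SERVER, sport, DPORT, c, 0, SYN),
        tcp_frame(SERVER, CLIENT, DPORT, sport, s, c + 1, SYN | ACK),
        tcp_frame(CLIENT, SERVER, sport, DPORT, c + 1, s + 1, ACK),
        tcp_frame(CLIENT, SERVER, sport, DPORT, c + 1, s + 1, PSH | ACK, request),
        tcp_frame(SERVER, CLIENT, DPORT, sport, s + 1, c + 1 + r, ACK),
        tcp_frame(SERVER, CLIENT, DPORT, sport, s + 1, c + 1 + r, PSH | ACK, response),
        tcp_frame(CLIENT, SERVER, sport, DPORT, c + 1 + r, s + 1 + len(response), ACK),
    ]

def checksums_ok(frame: bytes) -> bool:
    """Recompute both checksums over a finished frame; a valid header sums to zero."""
    ip, seg = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(ip) == 0 and checksum(pseudo + seg) == 0

def pcap_bytes(frames) -> bytes:
    """Classic libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1706054400 + i, 0, len(f), len(f)) + f)  # 2024-01-24 UTC
    return b"".join(out)

def build_frames() -> list:
    """One session per sample, each on its own client port so flows do not merge."""
    frames = []
    for i, req in enumerate(SAMPLES.values()):
        frames += tcp_session(req, RESPONSE, SPORT + i)
    return frames

if __name__ == "__main__":
    with open("radx_test.pcap", "wb") as fh:
        fh.write(pcap_bytes(build_frames()))
    print("wrote", len(build_frames()), "frames; expect alerts only for the *_should_alert sessions")
```

Put the two rules above into `radx.rules` (any sid in the local range works), run `suricata -r radx_test.pcap -S radx.rules -l ./log`, and read `log/fast.log`: the check-in and keep-alive sessions should each produce one alert, and the two control sessions none. If a session is missing from `eve.json` entirely, check `stats.log` for checksum or stream errors before suspecting the rule.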

Thanks! We will get these in for today's release.

JT


Just made a couple of minor tweaks to the submitted rules, and these went out today:

2050419 - ET MALWARE [ANY.RUN] RadX RAT Check-In (POST)
2050420 - ET MALWARE [ANY.RUN] RadX RAT Keep-Alive Activity (POST)

Thanks Jane, very cool stuff!

JT
