Page 8 in the reference is a screenshot of the packet; it does not open with JSON in the body. Seems to replace the HATVIBE loader to then deploy subsequent payloads such as CHERRYSPY.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE APT28 Russia Macro Loader HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"{|22|compname|22 3A 22|"; http_client_body; content:"|22|username|22 3A 22|"; http_client_body; distance:0; content:"|22|region|22 3A 22|"; http_client_body; distance:0; content:"|22|resolution|22 3A 22|"; http_client_body; distance:0; content:"|22|language|22 3A 22|"; http_client_body; distance:0; content:"|22|system|22 3A 22|"; http_client_body; distance:0; classtype:trojan-activity; reference:url,go.recordedfuture.com/hubfs/reports/cta-2025-0522.pdf; reference:md5,919d1c4abd151525ec71d431f781306c; sid:199001; rev:1;)
Kind Regards,
Kevin Ross
Hey Kevin,
We’re always happy to see your contributions to the ruleset. I made a couple of very minor modifications:
- set |22|compname|22 3a 22| as the fast_pattern. Seemed the most unique out of the choices available
- removed the { from the compname content match.
- removed distance:0 from the other content matches
Why did I do 2 and 3? I’d like to account for situations in which the parameter order is changed. The rule might not perform quite as well, but perhaps it might result in catching a slightly wider net. Here are the rules I’ll be submitting, based on your submission:
snort:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE APT28 Russia Macro Loader HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"|22|compname|22 3A 22|"; fast_pattern; http_client_body; content:"|22|username|22 3A 22|"; http_client_body; content:"|22|region|22 3A 22|"; http_client_body; content:"|22|resolution|22 3A 22|"; http_client_body; content:"|22|language|22 3A 22|"; http_client_body; content:"|22|system|22 3A 22|"; http_client_body; classtype:trojan-activity; reference:url,go.recordedfuture.com/hubfs/reports/cta-2025-0522.pdf; reference:md5,919d1c4abd151525ec71d431f781306c; sid:199001; rev:1;)
suricata:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 Russia Macro Loader HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|compname|22 3A 22|"; fast_pattern; content:"|22|username|22 3A 22|"; content:"|22|region|22 3A 22|"; content:"|22|resolution|22 3A 22|"; content:"|22|language|22 3A 22|"; content:"|22|system|22 3A 22|"; classtype:trojan-activity; reference:url,go.recordedfuture.com/hubfs/reports/cta-2025-0522.pdf; reference:md5,919d1c4abd151525ec71d431f781306c; sid:199001; rev:1;)
Expect this rule to be out with the daily rule update today.
Thanks,
-Tony
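To make the effect of dropping the leading `{` and the `distance:0` modifiers concrete, here is an added example (not code from this thread, the ET ruleset, or the referenced report) that models the content-matching logic of both rule versions over constructed request bodies; the sample bodies and values are placeholders.

```python
# Added example: models the content matching of the two rule versions in the
# thread. In the rules, |22| is a double quote and |3A| a colon, so each
# content is a JSON key followed by ':"' with no whitespace around the colon.
FIELDS = ["compname", "username", "region", "resolution", "language", "system"]
KEY_PATTERNS = [b'"%s":"' % f.encode() for f in FIELDS]

def matches_original(body: bytes) -> bool:
    """Kevin's version: the first content is '{"compname":"' and every later
    content carries distance:0, so it must occur after the previous match."""
    patterns = [b'{' + KEY_PATTERNS[0]] + KEY_PATTERNS[1:]
    offset = 0
    for pat in patterns:
        idx = body.find(pat, offset)
        if idx < 0:
            return False
        offset = idx + len(pat)  # distance:0 -> search resumes at end of last match
    return True

def matches_revised(body: bytes) -> bool:
    """Tony's version: no leading '{' and no distance:0, so each key may
    appear anywhere in the request body, in any order."""
    return all(pat in body for pat in KEY_PATTERNS)

def evaluate(body: bytes) -> dict:
    """Return the verdict of both rule versions for one request body."""
    return {"original": matches_original(body), "revised": matches_revised(body)}

# Constructed sample bodies (placeholder values, not captured traffic).
ORDERED_BODY = (b'{"compname":"WS-01","username":"alice","region":"EU",'
                b'"resolution":"1920x1080","language":"en-US","system":"Windows 10"}')
REORDERED_BODY = (b'{"system":"Windows 10","compname":"WS-01","language":"en-US",'
                  b'"username":"alice","resolution":"1920x1080","region":"EU"}')
SPACED_BODY = (b'{"compname": "WS-01", "username": "alice", "region": "EU", '
               b'"resolution": "1920x1080", "language": "en-US", "system": "Windows 10"}')
BENIGN_BODY = b'{"username":"alice","language":"en-US"}'

if __name__ == "__main__":
    for name, body in [("ordered", ORDERED_BODY), ("reordered", REORDERED_BODY),
                       ("spaced", SPACED_BODY), ("benign", BENIGN_BODY)]:
        print(name, evaluate(body))
```

The reordered body shows the wider net Tony describes: only the revised version fires. The spaced body shows a limit shared by both versions: the `|22 3A 22|` sequence requires no whitespace around the colon, so a body serialized with spaces matches neither.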