SIG: ET MALWARE LitterDrifter Gamaredon.APT HTTP POST

Sample and PCAP here: 3cfb6514e51f40a4c325e04a35c174af4dab95167019e6aa36a2c422e35d7b72 (Triage)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LitterDrifter Gamaredon.APT HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/index.html=?"; nocase; http.user_agent; content:"|3B 3B|/."; fast_pattern; http.user_agent; content:"/."; distance:0; http.accept_lang; content:"ru-RU,ru|3B|"; nocase; classtype:trojan-activity; reference:url,Malware Spotlight - Into the Trash: Analyzing LitterDrifter - Check Point Research; reference:md5,6349dd85d9549f333117a84946972d06; sid:129001; rev:1;)

Kind Regards,
Kevin Ross
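To make the rule's match conditions concrete, here is an added example (not part of the thread or of the ET ruleset) that re-implements the submitted rule's checks in plain Python and runs them over constructed HTTP requests. The request contents, header values and User-Agent strings are made up for illustration; the only conditions taken from the rule are the POST method, the "/index.html=?" URI fragment, the ";;/." then "/." User-Agent sequence with Suricata's distance:0 semantics (second match must start at or after the end of the first), and the case-insensitive "ru-RU,ru;" Accept-Language prefix.

```python
"""Added example: mirror the submitted Suricata rule's buffer checks in Python.
This is not the thread's code; sample requests below are constructed."""


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, URI, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def matches_litterdrifter_rule(raw: bytes) -> bool:
    """Return True only when every content option of the rule is satisfied."""
    req = parse_request(raw)

    # http.method; content:"POST"; nocase;
    if req["method"].upper() != b"POST":
        return False

    # http.uri; content:"/index.html=?"; nocase;
    if b"/index.html=?" not in req["uri"].lower():
        return False

    # http.user_agent; content:"|3B 3B|/."; fast_pattern;   (case-sensitive)
    ua = req["headers"].get(b"user-agent", b"")
    first = ua.find(b";;/.")
    if first < 0:
        return False

    # http.user_agent; content:"/."; distance:0;
    # distance:0 => the second "/." must begin at or after the end of the first match.
    if ua.find(b"/.", first + len(b";;/.")) < 0:
        return False

    # http.accept_lang; content:"ru-RU,ru|3B|"; nocase;
    accept_lang = req["headers"].get(b"accept-language", b"").lower()
    if b"ru-ru,ru;" not in accept_lang:
        return False

    return True


# Constructed sample 1: satisfies all five conditions (hypothetical host and UA tokens).
SAMPLE_HIT = (
    b"POST /index.html=? HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 ;;/.AAAA/.BBBB\r\n"
    b"Accept-Language: ru-RU,ru;q=0.9\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"x=1\n"
)

# Constructed sample 2: ordinary form POST; fails on URI, UA and Accept-Language.
SAMPLE_BENIGN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    b"Accept-Language: en-US,en;q=0.9\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"x=1\n"
)

# Constructed sample 3: UA has ";;/." but no second "/." after it, and en-US locale.
SAMPLE_NEAR_MISS = (
    b"POST /INDEX.HTML=?a HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 ;;/.AAAA\r\n"
    b"Accept-Language: en-US,en;q=0.9\r\n"
    b"\r\n"
)


def classify_samples() -> dict:
    """Evaluate the three constructed requests; useful as a quick self-check."""
    return {
        "hit": matches_litterdrifter_rule(SAMPLE_HIT),
        "benign": matches_litterdrifter_rule(SAMPLE_BENIGN),
        "near_miss": matches_litterdrifter_rule(SAMPLE_NEAR_MISS),
    }


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name}: {'ALERT' if result else 'no match'}")
```

Running the script prints ALERT for the first sample and no match for the other two, which illustrates why the rule stacks several sticky-buffer checks: the `/index.html=?` URI alone or the odd User-Agent alone is not enough, and the `distance:0` relative match is what requires the second `/.` to follow the `;;/.` token rather than appear anywhere in the header.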

Hey Kevin,

Wanted to say thanks for the rule contribution. However, there is coverage in the ruleset that seems to cover this LitterDrifter activity:

2038973 ET TROJAN Gamaredon APT Backdoor Related Activity
2046701 Gamaredon APT Related CnC Activity (POST) M3

Also, from the triage capture, these anomalous rules triggered alongside the rules above:

2047092 ET TROJAN Gamaredon APT Related Domain in DNS Lookup (acaenaso .ru)
2044354 ET INFO User-Agent with Non Standard Characters

as well as one ETPRO INFO rule.

While we always appreciate contributions, I don’t think adding this rule will be necessary at this time.

Thanks again,

-Tony