SIG: ET MALWARE Possible Mints.Loader GET Request

Check the reference for packets and samples. There is an existing mintsloader sig, but it relies on the old &s=mint, where this varies now. Hopefully this should better match it, with the key digits, then s being any name, but it ends on it in the URI.

The HTTP header is also quite minimalist, with URI, User-Agent and Host and occasionally other headers too, but as this could change I did not focus on this.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Mints.Loader GET Request"; flow:established,to_server; content:"GET"; http_method; content:".php?id="; http_uri; content:"&key="; http_uri; content:"&s="; http_uri; content:"WindowsPowerShell/"; http_header; fast_pattern:only; pcre:"/&key=\d{10,}&s=[a-z0-9]{1,}$/Ui"; classtype:trojan-activity; reference:url,go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf; sid:156001; rev:1;)

Kind Regards,
Kevin

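To check what the submitted rule actually fires on, here is an added example (not part of the post, not Suricata's own matching engine) that re-implements the rule's conditions in Python and runs them over a handful of constructed requests: the old &s=mint form, the new form with an arbitrary s value, and several near-misses (short key, s not last in the URI, wrong method, no PowerShell User-Agent). The http_header buffer is approximated by joining the header lines; the sample URIs, hosts and User-Agent strings are made up for the test and are not captured traffic.

```python
import re
from typing import Dict, List, Tuple

# Conditions lifted from the rule: three http_uri content matches (case-sensitive,
# as no nocase is set), one http_header content match, and the pcre with /Ui
# (normalized URI buffer, case-insensitive).
URI_CONTENTS = (".php?id=", "&key=", "&s=")
HEADER_CONTENT = "WindowsPowerShell/"
URI_PCRE = re.compile(r"&key=\d{10,}&s=[a-z0-9]{1,}$", re.IGNORECASE)


def rule_matches(method: str, uri: str, headers: Dict[str, str]) -> bool:
    """Return True when a request satisfies every condition of the rule."""
    # content:"GET"; http_method
    if "GET" not in method:
        return False
    # content:"..."; http_uri  (all three must be present somewhere in the URI)
    if not all(token in uri for token in URI_CONTENTS):
        return False
    # content:"WindowsPowerShell/"; http_header  (approximation: the joined header block)
    header_block = "\r\n".join(f"{name}: {value}" for name, value in headers.items())
    if HEADER_CONTENT not in header_block:
        return False
    # pcre:"/&key=\d{10,}&s=[a-z0-9]{1,}$/Ui"
    return URI_PCRE.search(uri) is not None


# Constructed sample requests (hypothetical values, not real beacons).
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
HOST = "example.invalid"

SAMPLES: List[Tuple[str, str, str, Dict[str, str]]] = [
    ("old form, s=mint",
     "GET", "/gate.php?id=abc123&key=1234567890123&s=mint",
     {"User-Agent": PS_UA, "Host": HOST}),
    ("new form, arbitrary s value",
     "GET", "/gate.php?id=abc123&key=1234567890123&s=abcd9",
     {"User-Agent": PS_UA, "Host": HOST}),
    ("key shorter than 10 digits",
     "GET", "/gate.php?id=abc123&key=12345&s=mint",
     {"User-Agent": PS_UA, "Host": HOST}),
    ("s= not the last parameter",
     "GET", "/gate.php?id=abc123&key=1234567890123&s=mint&x=1",
     {"User-Agent": PS_UA, "Host": HOST}),
    ("POST instead of GET",
     "POST", "/gate.php?id=abc123&key=1234567890123&s=mint",
     {"User-Agent": PS_UA, "Host": HOST}),
    ("no PowerShell User-Agent",
     "GET", "/gate.php?id=abc123&key=1234567890123&s=mint",
     {"User-Agent": BROWSER_UA, "Host": HOST}),
]


def classify_samples() -> List[bool]:
    """Evaluate every constructed sample against the rule, in SAMPLES order."""
    return [rule_matches(method, uri, headers) for _, method, uri, headers in SAMPLES]


if __name__ == "__main__":
    for (label, _, _, _), hit in zip(SAMPLES, classify_samples()):
        print(f"{'ALERT' if hit else '  -  '}  {label}")
```

Only the first two samples alert; the others each fail exactly one condition, which is a quick way to confirm the pcre anchor and the 10-digit key requirement behave as the post describes before the rule is deployed.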

yo @kevross33 - I’ll get this in today’s release and send you the sid shortly.

Thanks!
Isaac

After playing around I've found that the following sigs detect this traffic. I'll update them to reflect the correct malfam.

ETPRO MALWARE Generic Stealer CnC Activity (POST) - 2860895
ET MALWARE AsyncRAT Victim Checkin - 2060670

-Isaac