SIG: ET MOBILE_MALWARE Android/InfamousChisel.InfoStealer APT28/SANDWORM Data Exfiltration

Hi,

Here is a rule created from page 17 of this report https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/infamous-chisel/NCSC-MAR-Infamous-Chisel.pdf. This infostealer is a specific detection use case in Ukraine.

Kind Regards,
Kevin Ross

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/InfamousChisel.InfoStealer APT28/SANDWORM Data Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"/server.php?ver="; http_uri; content:"&bid="; http_uri; content:"&type="; http_uri; content:"User-Agent|3A| curl/"; http_header; fast_pattern; content:"Path|3A|"; http_header; content:!"Referer|3A|"; http_header; pcre:"/^\/server\.php\?ver=\d{1,}&bid=.*&type=(0|1)$/Ui"; classtype:trojan-activity; reference:url,www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/infamous-chisel/NCSC-MAR-Infamous-Chisel.pdf; reference:url,ssu.gov.ua/uploads/files/DKIB/technical-report.pdf; sid:111221; rev:1;)

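To sanity-check what the rule above keys on before deploying it, here is an added Python approximation of its matching logic (not part of the original post or of the ET ruleset) run over constructed HTTP requests. It checks the same conditions the rule does (POST method, the three URI fragments, a curl User-Agent, a Path header present, no Referer header, and the anchored pcre on the URI); the constructed requests, hostnames and bid values are assumptions, and matching on a parsed Path header name is a simplification of the rule's raw-header substring match.

```python
import re
from typing import Optional

# Same expression as the rule's pcre; /U matches on the normalized URI, /i is case-insensitive.
URI_RE = re.compile(r"^/server\.php\?ver=\d{1,}&bid=.*&type=(0|1)$", re.IGNORECASE)


def parse_request(raw: bytes) -> Optional[dict]:
    """Split a raw HTTP/1.x request into method, URI and a lower-cased header dict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, uri, _version = lines[0].split(" ", 2)
    except ValueError:
        return None  # not a well-formed request line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def matches_infamous_chisel_exfil(raw: bytes) -> bool:
    """Return True when the request satisfies every condition of the rule."""
    req = parse_request(raw)
    if req is None or req["method"] != "POST":           # content:"POST"; http_method
        return False
    uri = req["uri"]
    if not ("/server.php?ver=" in uri and "&bid=" in uri and "&type=" in uri):
        return False                                     # the three http_uri contents
    h = req["headers"]
    if not h.get("user-agent", "").startswith("curl/"):  # content:"User-Agent|3A| curl/"
        return False
    if "path" not in h or "referer" in h:                # Path present, Referer absent
        return False
    return URI_RE.search(uri) is not None                # pcre on the URI


# Constructed sample requests (assumed values, not captures from the report).
EXFIL = (b"POST /server.php?ver=3&bid=deadbeef&type=0 HTTP/1.1\r\n"
         b"Host: c2.example.invalid\r\nUser-Agent: curl/7.88.1\r\n"
         b"Path: /sdcard/Documents\r\nContent-Length: 4\r\n\r\ndata")
BROWSER = (b"POST /server.php?ver=3&bid=deadbeef&type=0 HTTP/1.1\r\n"
           b"Host: c2.example.invalid\r\nUser-Agent: Mozilla/5.0\r\n"
           b"Referer: http://c2.example.invalid/\r\nPath: x\r\n\r\ndata")

if __name__ == "__main__":
    print("exfil:", matches_infamous_chisel_exfil(EXFIL))      # True
    print("browser:", matches_infamous_chisel_exfil(BROWSER))  # False
```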

Awesome, thanks Kevin! That report happened to be first on my list to peruse today. Appreciate the heads up, we will get this in for today.

JT


2047880 - ET MOBILE_MALWARE Android/InfamousChisel.InfoStealer APT28/SANDWORM Data Exfiltration went out in today's release. Thanks again!

JT
