SIG: ET TROJAN Gamaredon.APT GammaLoad Stage 1 User-Agent Structure

See reference for details. One note: on the sig it doesn't appear to be showing the wildcard matching before and after in the PCRE, so that may need to be added (the asterisk), but we need to match the preceding and ending parts of the fake user agent too.

Specifically this:

User-Agent schema:
  Mozilla/5.0 … [SEP1][COMPUTER NAME][SEP2][SERIAL DISK HEXA][SEP3]/=[RANDOM]/= …

Fingerprint separators:
  Sep 1: ##, !!, ??, ==, ::
  Sep 2: _, @, #, =, %, ?, !
  Sep 3: ::, ?

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gamaredon.APT GammaLoad Stage 1 User-Agent Structure"; flow:established,to_server; http_method; content:"GET"; http_user_agent; content:"/="; http_user_agent; content:"/="; distance:0; pcre:"/.*(##|\!\!|\?\?|\=\=|\:\:).+?(_|@|#|\=|%|\?|\!).+?(\:\:|\?)\/=.*/V"; classtype:trojan-activity; reference:url, FSB's matryoshka #2/3: Gamaredon's Gammaload Malware ; sid:2000001; rev:1;)

Kind Regards,
Kevin Ross
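As an added example (not part of the original post or the ET ruleset), the rule's user-agent checks re-implemented in Python and run over a few constructed user-agent strings. The regex mirrors the PCRE with the leading and trailing wildcards the note above mentions, the two "/=" content matches are applied before it as the rule does, and every sample string below is made up to fit the schema rather than taken from a capture.

```python
import re

# Separator sets as listed in the post (Sep 1 / Sep 2 / Sep 3).
SEP1 = ("##", "!!", "??", "==", "::")
SEP2 = ("_", "@", "#", "=", "%", "?", "!")
SEP3 = ("::", "?")


def _alt(seps):
    """Build an alternation group from a separator set, escaping regex metachars."""
    return "(" + "|".join(re.escape(s) for s in seps) + ")"


# Python equivalent of the rule's pcre, with .* at both ends so the
# fingerprint can sit anywhere inside a fake Mozilla/5.0 user agent.
GAMMALOAD_UA_RE = re.compile(
    r".*" + _alt(SEP1) + r".+?" + _alt(SEP2) + r".+?" + _alt(SEP3) + r"/=.*"
)


def matches_rule(user_agent: str) -> bool:
    """Mirror the http_user_agent checks: two '/=' content matches, the
    second at distance:0 (i.e. after the first), and then the PCRE."""
    first = user_agent.find("/=")
    if first < 0 or user_agent.find("/=", first + 2) < 0:
        return False
    return GAMMALOAD_UA_RE.search(user_agent) is not None


# Constructed samples: one following the schema (hostname, disk serial,
# random token), one ordinary browser UA, one with the separator shape but
# only a single '/=' token so the content prefilter stops it.
SAMPLES = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ##DESKTOP-A1B2C3_1F2E3D4C::/=Q7x9/= AppleWebKit/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0",
    "Mozilla/5.0 ??HOST-01@ABCD1234?/=zz Firefox/115.0",
]


def scan(samples=SAMPLES):
    """Return {user_agent: hit} for each sample."""
    return {ua: matches_rule(ua) for ua in samples}


if __name__ == "__main__":
    for ua, hit in scan().items():
        print("ALERT " if hit else "clean ", ua)
```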