SIG: ET TROJAN SocGholish/Ghostweaver PowerShell Boinc Download Request

Below, the backslashes on the pcre aren't showing when I submit under this. They will need to be added, if not present, to the dot before php and to the ? in the URI.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SocGholish/Ghostweaver PowerShell Boinc Download Request"; flow:established,to_server; http_uri; content:".php?s=boicn"; fast_pattern:only; http.user_agent; content:"WindowsPowerShell/"; pcre:"/\.php\?s=boicn$/Ui"; classtype:trojan-activity; reference:url,Don't Ghost the SocGholish: GhostWeaver Backdoor | by TRAC Labs | Feb, 2025 | Medium; reference:url,Fake Browser Updates Lead to BOINC Volunteer Computing Software | Huntress; sid:152001; rev:1;)

Kind regards,
Kevin Ross

1 Like
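The following is an added illustration of how the three checks in the signature above combine, and of why the dropped backslashes matter; it is not code from the original post or from either referenced report. It emulates the content matches and the pcre in plain Python rather than running Suricata, and every request in it (URIs, User-Agent strings) is constructed for the example.

```python
import re

# The rule's match strings, with the pcre escapes present as the post intends.
URI_CONTENT = ".php?s=boicn"          # content on the URI buffer, case-sensitive (no nocase)
UA_CONTENT = "WindowsPowerShell/"     # content on the User-Agent buffer
PCRE_ESCAPED = r"\.php\?s=boicn$"     # /\.php\?s=boicn$/Ui as intended
PCRE_UNESCAPED = r".php?s=boicn$"     # what the forum rendered once the backslashes were lost


def pcre_uri_match(uri: str, pattern: str) -> bool:
    """Emulate a /Ui pcre: unanchored search over the URI buffer, case-insensitive."""
    return re.search(pattern, uri, re.IGNORECASE) is not None


def rule_matches(uri: str, user_agent: str, pcre: str = PCRE_ESCAPED) -> bool:
    """Apply the signature's checks in rule order:
    1. content ".php?s=boicn" in the URI (fast_pattern; plain substring),
    2. content "WindowsPowerShell/" in the User-Agent,
    3. the pcre on the URI buffer (/U) with /i.
    All three must hold for the rule to alert."""
    return (URI_CONTENT in uri
            and UA_CONTENT in user_agent
            and pcre_uri_match(uri, pcre))


# Constructed sample requests (invented for this example; not captured traffic).
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
SAMPLES = [
    ("/loader/check.php?s=boicn", PS_UA),        # all three checks pass: alert
    ("/loader/check.php?s=boicn", BROWSER_UA),   # User-Agent check fails: no alert
    ("/loader/check.php?s=boicn&v=2", PS_UA),    # trailing parameter: the $ anchor fails
    ("/loader/check.PHP?S=BOICN", PS_UA),        # pcre /i would pass, the content match does not
]


def evaluate(samples=SAMPLES):
    """Return (uri, alerted) for each constructed sample."""
    return [(uri, rule_matches(uri, ua)) for uri, ua in samples]


if __name__ == "__main__":
    for uri, hit in evaluate():
        print(f"{'ALERT' if hit else 'no   '} {uri}")
    # Without the backslashes '.' is a wildcard and 'p?' is an optional 'p', so the
    # pattern can no longer see the literal '?' that precedes s=boicn in a real URI;
    # it then misses the genuine request and matches an unrelated string instead.
    print(pcre_uri_match("/loader/check.php?s=boicn", PCRE_UNESCAPED))  # False
    print(pcre_uri_match("/xphs=boicn", PCRE_UNESCAPED))                 # True
```

Two things worth noting when reading the results: the `$` anchor means any parameter appended after `s=boicn` defeats the pcre even though the content match still fires, and the content match is case-sensitive while the pcre carries `/i`, so the pcre is the looser of the two and the content keyword decides the case behaviour.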

Hi Kevin,

Thank you for the signature. It should appear in today’s release.

On the topic of formatting signatures in Discourse, using the preformatted options would allow you to share the signatures as intended: Posting code or preformatted text.

Cheers!
:hotdog:

1 Like

Thanks @kevross33 @bingohotdog !