hey @kevross33 ! Thanks again for the signature submission!
I was playing around with this and @trobinson667 turned me on to some pcaps that he found which match the traffic in the blog and it looks like we have a signature in the current ruleset that detects this network request.
This is the signature that provides coverage:
sid: 2038973
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Backdoor Related Activity"; flow:established,to_server; http.protocol; content:"HTTP/1."; http.header; content:"user-agent|3a 20|mozilla/5.0"; fast_pattern; http.user_agent; content:"|3b 3b|"; content:"|3b 3b 2f|"; distance:0; content:"|2e|"; endswith; reference:md5,5c645e5dcb6bec4ab1bcb3f68421445a; classtype:trojan-activity; sid:2038973; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_09_26, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2022_09_26;)
Example Traffic:
POST /jew80/index.html=?80 HTTP/1.1
Accept: */*
user-agent: mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/90.0.4430.41 yabrowser/21.5.0.579 yowser/2.5 safari/537.36;;NLSRPE_A99D3FFC;;/.juvenile/.
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Encoding: gzip, deflate
Host: 192.168.79.244
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Signature Feedback
I did some testing on the rule you submitted and made a few changes that I wanted to share.
- In Suricata signatures you need to replace all ; with |3b| (or \x3b in pcre), otherwise it will break the rule. This is because Suricata uses ; as a delimiter between content matches and rule components, i.e. if you have content:"123;"; Suricata will see this as content:"123 which is invalid because it doesn't have a closing quote.
- In your pcre you can remove [^\r\n]*; this is usually only used to match multiple lines in http headers, but since this is all on the same line it's not necessary.
- To match the hostname/drive serial (hex) I changed the pcre to [a-zA-Z0-9]{4,}_[A-F0-9]{4,}. To break it down, [a-zA-Z0-9]{4,}_ says the computer hostname can have a name containing four or more characters in the ranges a-z and A-Z and digits 0-9, followed by a _. [A-F0-9]{4,} matches on the serial number.
- In pcre you need to escape / because it indicates the end of the pcre content. To escape it you should use \/ or \x2f.
- In pcre, by default . designates any single character. If you want to match on an actual period you can escape it with \. or \x2e.
- Instead of using /Hmi you can use /V, which restricts the pcre to only run on the User-Agent as opposed to the entire http header.
- If you use /V you can also use a $ to indicate the end of the line as opposed to using \r\n
Here is a list of the possible modifiers you can use to restrict pcre in case you are interested in seeing what is possible:
Regex testing
Here’s a link to Regex101 that explains my regex and shows how it matches the User-Agent in the pcap.
https://regex101.com/r/SE6Rqy/1
Signature With Recommendations Applied
Ultimately this is the signature I came up with if you want to take a look.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/LitterDrifter.Loader Gamaredon USB Worm"; flow:established,to_server; content:"/index.html=?"; http_uri; content:"|3B 3B|/."; http_user_agent; fast_pattern; content:"/."; http_user_agent; pcre:"/\x3b\x3b[a-zA-Z0-9]{4,}_[A-F0-9]{4,}\x3b\x3b\/.[a-z]{2,}\/\x2e$/V"; classtype:trojan-activity; sid:144111; rev:1;)
PCAP For Testing
Gamaradon-pcap.pcap (1.8 KB)
Hopefully this is helpful and please let me know if you have any questions and I’m happy to help out! Happy Thanksgiving! 
Isaac
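As an added example (not part of Isaac's post or the ET ruleset), the Python below runs the recommended signature's pcre over the User-Agent from the example traffic plus a constructed benign UA, and includes a small helper that applies the ;-to-|3b| escaping described above to a content string. The named groups, the escaped literal period and the helper are my additions.

```python
import re

# Sample User-Agent values: the first is the one from the example traffic in
# the post, the second is a constructed benign browser UA for contrast.
SAMPLE_UAS = [
    "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 "
    "(khtml, like gecko) chrome/90.0.4430.41 yabrowser/21.5.0.579 "
    "yowser/2.5 safari/537.36;;NLSRPE_A99D3FFC;;/.juvenile/.",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/90.0.4430.41 Safari/537.36",
]

# Python translation of the pcre from the recommended signature. The trailing
# /V is a Suricata buffer selector (run only against the User-Agent), not a
# regex flag, so it is dropped; $ still anchors at the end of the value.
# Named groups pull out the hostname, serial and word the post describes, and
# the period after "/" is escaped as the post recommends (an assumption that
# the real traffic always carries a literal ".").
UA_PATTERN = re.compile(
    r"\x3b\x3b(?P<host>[a-zA-Z0-9]{4,})_(?P<serial>[A-F0-9]{4,})"
    r"\x3b\x3b/\.(?P<word>[a-z]{2,})/\x2e$"
)


def match_user_agent(ua: str):
    """Return the extracted fields if the UA carries the ;;HOST_SERIAL;; suffix, else None."""
    m = UA_PATTERN.search(ua)
    return m.groupdict() if m else None


def to_suricata_content(text: str) -> str:
    """Hex-escape characters that break a Suricata content: match.

    ';' becomes |3b| as the post explains; '"', '|' and '\\' are reserved in
    content strings too, so they get the same treatment.
    """
    return "".join(
        f"|{ord(ch):02x}|" if ch in ';"|\\' else ch for ch in text
    )


if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(match_user_agent(ua))
    print(to_suricata_content("123;"))
```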