The aim is to match the URI but then the user agent structure below.
mozilla/5.0 (windows nt 6.1; wow64) applewebkit/537.36 (khtml, like gecko) chrome/88.0.4324.152 yabrowser/21.2.3.106 yowser/2.5 safari/537.36;;<computer_name>_<system_drive_serial>;;/.justly/.
So basically we are trying to match the ;;/. and terminating /. and then a regex (which needs verifying) to try and take it from ;;COMPUTERNAME_DISKSERIAL_HEX;;/.WORD/.
While the word justly could be matched, this is easy to change, and when they did this in the URL previously it varied a lot, so we are trying to avoid that hardcoding as we are not 100% sure we will maintain eyes on the various word changes given the targeting of primarily Ukraine.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/LitterDrifter.Loader Gamaredon USB Worm"; flow:established,to_server; content:"/index.html=?"; http_uri; content:"|3B 3B|/."; http.user_agent; fast_pattern; content:"/."; http.user_agent; pcre:"/;;[^\r\n*_[a-f0-9]{4,};;/.[a-z]{2,}/.\r\n\r\n/Hmi"; classtype:trojan-activity; reference:url,Malware Spotlight - Into the Trash: Analyzing LitterDrifter - Check Point Research; sid:144111; rev:1;)
hey @kevross33 ! Thanks again for the signature submission!
I was playing around with this and @trobinson667 turned me on to some pcaps that he found which match the traffic in the blog and it looks like we have a signature in the current ruleset that detects this network request.
I did some testing on the rule you submitted and made some changes that I wanted to share.
In suricata signatures you need to replace all ; with |3b| (or \x3b in pcre) otherwise it will break the rule. This is because suricata uses ; as a delimiter between content matches and rule components. i.e. if you have content:"123;"; suricata will see this as content:"123 which is invalid because it doesn't have a closing quote.
In your pcre you can remove [^\r\n*, this is usually only used to match multiple lines in http headers but since this is all on the same line it's not necessary.
To match the hostname/drive serial (hex) I changed the pcre to [a-zA-Z0-9]{4,}_[A-F0-9]{4,}. To break it down, [a-zA-Z0-9]{4,}_ says the computer hostname can have a name containing four or more characters in ranges a-z and A-Z and digits 0-9 followed by a _. [A-F0-9]{4,} matches on the serial number.
In pcre you need to escape / because it indicates the end of the pcre content. To escape you should use \/ or \x2f.
In pcre by default . designates any single character. If you want to match on an actual period you can escape it by \. or \x2e.
Instead of using /Hmi you can use /V which restricts the pcre to only run on the User Agent as opposed to the entire http header.
If you use /V you can also use a $ to indicate what the end of the line is as opposed to using \r\n.
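Added example, not code from either poster or from the Emerging Threats ruleset: a small Python harness that takes the pcre as it would read in the rule once the reply's corrections are applied (;; written as \x3b\x3b, / escaped as \/, the literal period as \., $ for end of buffer, /V for the User-Agent) and runs it over constructed User-Agent values, so the character classes can be sanity-checked before the rule is tested in Suricata. The hostnames and serials in the samples are made up; the harness also renders a content: literal with ; hex-encoded as the reply describes. Two edge cases the samples deliberately probe: [A-F0-9] only accepts uppercase hex unless the i flag is kept, and [a-zA-Z0-9] does not admit a hyphen in the hostname part, so both are worth deciding on consciously.

```python
import re

# Constructed: the reply's pcre written the way it would appear in the rule
# (assumed escaping: \x3b for ;, \/ for /, \. for a literal period, $ end, /V).
SURICATA_PCRE = r'/\x3b\x3b[a-zA-Z0-9]{4,}_[A-F0-9]{4,}\x3b\x3b\/\.[a-z]{2,}\/\.$/V'


def suricata_pcre_to_python(pcre, keep_case_insensitive=True):
    """Turn a Suricata pcre value "/pattern/flags" into a compiled Python regex.

    Only the generic PCRE flags are mapped (i, m, s); buffer selectors such as
    V (User-Agent) or H (headers) are dropped because in Python we choose which
    string the regex is applied to.  The escaped slash that Suricata needs is
    harmless in Python, so the pattern body is used unchanged.
    """
    if not pcre.startswith('/'):
        raise ValueError('pcre must start with /')
    body, sep, flags = pcre[1:].rpartition('/')
    if not sep:
        raise ValueError('pcre must end with /flags')
    py_flags = 0
    if 'i' in flags and keep_case_insensitive:
        py_flags |= re.IGNORECASE
    if 'm' in flags:
        py_flags |= re.MULTILINE
    if 's' in flags:
        py_flags |= re.DOTALL
    return re.compile(body, py_flags)


UA_PATTERN = suricata_pcre_to_python(SURICATA_PCRE)


def ua_matches(user_agent):
    """True when a User-Agent value carries the ;;HOST_SERIAL;;/.word/. trailer."""
    return UA_PATTERN.search(user_agent) is not None


def content_literal(raw):
    """Render bytes as a Suricata content: value, hex-encoding the characters
    that would break the rule (; is the keyword delimiter) plus double quote,
    pipe, backslash and anything non-printable. b';;/.' -> '|3b 3b|/.'"""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append('|' + ' '.join(hexrun) + '|')
            hexrun.clear()

    for b in raw:
        if 0x20 <= b < 0x7f and chr(b) not in ';"|\\':
            flush()
            out.append(chr(b))
        else:
            hexrun.append('%02x' % b)
    flush()
    return ''.join(out)


# Constructed sample User-Agent values (hostnames/serials are invented):
# the first two imitate the structure quoted in the first post, the rest are controls.
SAMPLES = {
    'mozilla/5.0 (windows nt 6.1; wow64) applewebkit/537.36 (khtml, like gecko) '
    'chrome/88.0.4324.152 yabrowser/21.2.3.106 yowser/2.5 safari/537.36'
    ';;HOMEPC01_9F3C0A7E;;/.justly/.': True,
    # a different trailing word still matches, as the first post wanted
    'mozilla/5.0 (windows nt 10.0; win64; x64) safari/537.36;;WKSTN07_00AB12FF;;/.other/.': True,
    # ordinary browser UA, no trailer
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/119.0 Safari/537.36': False,
    # hostname shorter than the {4,} minimum
    'safari/537.36;;ab_9F3C0A7E;;/.justly/.': False,
    # lowercase hex serial: [A-F0-9] rejects it when the i flag is not kept
    'safari/537.36;;HOMEPC01_9f3c0a7e;;/.justly/.': False,
    # hyphen in the hostname is outside [a-zA-Z0-9]; widen the class if needed
    'safari/537.36;;DESKTOP-1A2B_9F3C0A7E;;/.justly/.': False,
    # $ requires the value to end right after the final /.
    'safari/537.36;;HOMEPC01_9F3C0A7E;;/.justly/.extra': False,
}


def check_samples(samples=SAMPLES):
    """Return the sample values whose match result disagrees with expectation."""
    return [ua for ua, expected in samples.items() if ua_matches(ua) != expected]


if __name__ == '__main__':
    print('pcre as python:', UA_PATTERN.pattern)
    print('content for ;;/. :', content_literal(b';;/.'))
    print('mismatches:', check_samples())
```

Running the file should report an empty mismatch list; adding a captured User-Agent from a pcap to SAMPLES is the quickest way to see whether the hostname or serial class needs widening before the rule goes into the ruleset.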