Signature: CleanUp Loader

kevross33 · October 9, 2024, 4:54pm

More info here https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf. This request is made over HTTPS so requires decryption to see.

alert tcp $HOME_NET any → EXTERNAL_NET $HTTP_PORTS (msg:“ET MALWARE CleanUp Loader Request”; flow:established,to_server; content:“POST”; http_method; content:“/api/”; http_uri; depth:5; content:“User-Agent|3A| HTTPGET”; http_header; pcre:“/^/api/(connectivity|session|connect)$/U”; classtype:trojan-activity; reference:url,go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf; sid:134001; rev:1;)

Kind Regards,
Kevin Ross

ishaughnessy · October 9, 2024, 5:40pm

Hey @kevross33!

Thanks for the tip, we’ll get this in today’s release!

-Isaac

ishaughnessy · October 9, 2024, 8:39pm

@kevross33 - Here’s the sid for the rule that went out today.

2056580 - ET MALWARE CleanUp Loader HTTP Request (GET)

Topic		Replies	Views
SIGS: Zloader Rule Signatures	2	80	December 17, 2024
PrivateLoader Signature Rule Signatures	2	168	May 20, 2024
New Signatures: BunnyLoader Rule Signatures	1	250	March 18, 2024
PortStarter Backdoor Sigs Rule Signatures	1	43	October 10, 2024
Signature Mints Loader Rule Signatures	1	73	October 25, 2024

Signature: CleanUp Loader

Related topics