Signature: ET TROJAN Possible HijackLoader Second Stage PNG

Here is a possible signature for IDAT/HijackLoader. These PNG configuration files are downloaded over HTTPS.

In the CrowdStrike blog it suggests the string is IDAT followed by four magic bytes and then the XOR key. However, in the Rapid7 blog, in the image they have of the bytes following the IDAT string, the magic bytes are different. As such this signature is simplified to look for the string IDAT in a PNG. I am not sure if this simplification will cause false positives.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible HijackLoader Second Stage PNG"; flow:established,to_client; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:"IDAT"; distance:0; classtype:trojan-activity; reference:url,HijackLoader Expands Techniques to Improve Defense Evasion; reference:url,Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | Rapid7 Blog; reference:url,Unveiling UAC-0184: The Steganography Saga of the IDAT Loader Delivering Remcos RAT to a Ukraine Entity in Finland; sid:198881; rev:1;)

Kind Regards,
Kevin Ross

Thanks Kevin! We will see about getting this in for today's release.

JT

Unfortunately it looks like the png sig has a bit too high of a false positive hit rate for us to put into the set. As you said though this one doesn’t lend a lot of options for tuning either.

From the one article you referenced though, Unveiling UAC-0184: The Steganography Saga of the IDAT Loader Delivering Remcos RAT to a Ukraine Entity in Finland, we were able to get a sig from there around the user-agent they mentioned seeing. So that will go out today.

Thanks again for the heads up and submission.

JT

It may be possible to use IDAT|C6 A5 79 EA| as the string because that appears in the recent CrowdStrike article and also the Morphisec article too. There may be other magic byte sequences but having this may result in a lower FP rate if we could try that?
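As an added illustration (not part of this thread or the ET ruleset), the following Python compares the two matching strategies discussed above on constructed PNGs: "IDAT" anywhere after the PNG header, which every valid PNG satisfies, versus "IDAT" immediately followed by the C6 A5 79 EA bytes quoted in the thread. It also adds a chunk-aware check that is my own tightening, not something from the cited articles: a conformant IDAT payload is a zlib stream whose first byte carries compression method 8 in its low nibble, so it can never begin with 0xC6.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Bytes the thread reports following "IDAT" in the loader's PNGs (from the cited articles).
IDAT_MARKER = b"\xc6\xa5\x79\xea"


def rule_matches(data):
    """Mirror the two rule variants from the thread: PNG header plus 'IDAT' anywhere
    after it, versus PNG header plus 'IDAT' immediately followed by the marker bytes."""
    if not data.startswith(PNG_MAGIC):
        return {"idat_only": False, "idat_marker": False}
    body = data[len(PNG_MAGIC):]
    return {"idat_only": b"IDAT" in body, "idat_marker": b"IDAT" + IDAT_MARKER in body}


def idat_chunks(data):
    """Walk the PNG chunk structure and yield each IDAT chunk's payload."""
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        if len(payload) != length:
            return  # truncated chunk, stop parsing
        if ctype == b"IDAT":
            yield payload
        pos += 12 + length  # length + type + payload + CRC


def chunk_aware_match(data):
    """Tighter check: an IDAT *chunk* whose payload begins with the marker. Legitimate
    IDAT data is a zlib stream whose first byte has method 8 in its low nibble, and
    0xC6 & 0x0F == 6, so a standards-conformant PNG cannot trigger this."""
    if not data.startswith(PNG_MAGIC):
        return False
    return any(p.startswith(IDAT_MARKER) for p in idat_chunks(data))


def build_png(idat_payload):
    """Construct a minimal 1x1 greyscale PNG wrapped around the given IDAT payload."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat_payload) + chunk(b"IEND", b"")


# Constructed samples: a benign image and one carrying the marker in its IDAT chunk.
BENIGN_PNG = build_png(zlib.compress(b"\x00\x00"))
SUSPICIOUS_PNG = build_png(IDAT_MARKER + b"\x00" * 16)
```

Running the checks over both samples shows the bare "IDAT" variant firing on the benign image while the marker-based and chunk-aware checks fire only on the constructed suspicious one.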

For sure, I will see what that looks like in QA and see about getting that out for today.

JT

2051761 - ET MALWARE Possible HijackLoader Second Stage PNG Retrieval went out today

2051698 - ET MALWARE Win32/IDAT Loader Related Activity is the sig that went out yesterday

Thanks again!

JT