SIGS: Android/TrickMo.Banker

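# Android/TrickMo.Banker - client POST carrying a device profile.
# Matches an outbound POST whose body contains, in this order, the quoted
# (|22| = ") keys id, imsi, imei, phone, operator, aid, model, brand, version,
# build, battery, wifi, w_time, smsApp, smsAppPackage, clickerConfig, signal and
# installedApps. Every key after the first is anchored with distance:0 so the
# keys must appear in sequence, which keeps the match specific to this body
# layout rather than to any single common field name.
# NOTE(review): the reference value below appears to be the article title that
# was pasted in place of its URL; restore the actual Cleafy Labs URL before
# loading the rule, since a reference with spaces is unlikely to parse.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/TrickMo.Banker POST Request"; flow:established,to_server; content:"POST"; http_method; content:"|22|id|22|"; http_client_body; content:"|22|imsi|22|"; http_client_body; distance:0; content:"|22|imei|22|"; http_client_body; distance:0; content:"|22|phone|22|"; http_client_body; distance:0; content:"|22|operator|22|"; http_client_body; distance:0; content:"|22|aid|22|"; http_client_body; distance:0; content:"|22|model|22|"; http_client_body; distance:0; content:"|22|brand|22|"; http_client_body; distance:0; content:"|22|version|22|"; http_client_body; distance:0; content:"|22|build|22|"; http_client_body; distance:0; content:"|22|battery|22|"; http_client_body; distance:0; content:"|22|wifi|22|"; http_client_body; distance:0; content:"|22|w_time|22|"; http_client_body; distance:0; content:"|22|smsApp|22|"; http_client_body; distance:0; content:"|22|smsAppPackage|22|"; http_client_body; distance:0; content:"|22|clickerConfig|22|"; http_client_body; distance:0; content:"|22|signal|22|"; http_client_body; distance:0; content:"|22|installedApps|22|"; http_client_body; distance:0; classtype:trojan-activity; reference:url,A new TrickMo saga: from Banking Trojan to Victim's Data Leak | Cleafy Labs; sid:132111; rev:1;)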
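# Android/TrickMo.Banker - client GET for its configuration.
# Matches an outbound GET whose URI starts with "/config?hash=" (depth:13 pins
# the string to the start of the URI) and whose headers contain "AID: " (|3A| =
# ":", trailing space kept). On match it sets the flowbit et.trickmoconfig so
# the companion response rule (sid 132113) only fires on the reply to this
# request rather than on arbitrary server traffic.
# NOTE(review): the reference value below appears to be the article title that
# was pasted in place of its URL; restore the actual Cleafy Labs URL before
# loading the rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/TrickMo.Banker GET Config Request"; flow:established,to_server; content:"GET"; http_method; content:"/config?hash="; http_uri; depth:13; content:"AID|3A| "; http_header; flowbits:set,et.trickmoconfig; classtype:trojan-activity; reference:url,A new TrickMo saga: from Banking Trojan to Victim's Data Leak | Cleafy Labs; sid:132112; rev:1;)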
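# Android/TrickMo.Banker - server configuration response.
# Fires only on a to_client flow where et.trickmoconfig was set by the request
# rule (sid 132112), then inspects the response body (file_data) for the quoted
# keys name, eventPackageName, filters and actions in that order. The flowbit
# dependency means this rule is inert unless sid 132112 is also loaded.
# NOTE(review): the reference value below appears to be the article title that
# was pasted in place of its URL; restore the actual Cleafy Labs URL before
# loading the rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android/TrickMo.Banker Config Response"; flow:established,to_client; flowbits:isset,et.trickmoconfig; file_data; content:"|22|name|22|"; distance:0; content:"|22|eventPackageName|22|"; distance:0; content:"|22|filters|22|"; distance:0; content:"|22|actions|22|"; distance:0; classtype:trojan-activity; reference:url,A new TrickMo saga: from Banking Trojan to Victim's Data Leak | Cleafy Labs; sid:132113; rev:1;)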

Kind Regards,
Kevin Ross


Greetings, and thank you very much for your rule submission. I’ve made some slight changes here and there for better performance and compatibility with Suricata 4 through Suricata 7, but otherwise, please look forward to these rules being present in tonight’s rule release.

Cheers,

Tony


Thanks @kevross33 @trobinson667 !