Hi,
Sigs for Kapeka backdoor (what Mandiant refer to as ICYWELL). The responses will be over HTTPS only too, so would require decryption to be useful. Splitting the sigs across two posts as can only do 8 links in a post apparently.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Kapeka/ICYWELL Backdoor APT44/Sandworm Execute Command Server Response"; flow:established,to_client; file_data; content:"|3A| |22|Execute command|22|,"; classtype:trojan-activity; reference:url,labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf; reference:url,services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf; sid:167111; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Kapeka/ICYWELL Backdoor APT44/Sandworm Read From File Server Response"; flow:established,to_client; file_data; content:"|3A| |22|Read from file|22|,"; content:"|3A| |22|C|3A|//"; distance:0; classtype:trojan-activity; reference:url,labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf; reference:url,services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf; sid:167112; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Kapeka/ICYWELL Backdoor APT44/Sandworm Write To File Server Response"; flow:established,to_client; file_data; content:"|3A| |22|Write to file|22|,"; content:"|3A| |22|C|3A|//"; distance:0; classtype:trojan-activity; reference:url,labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf; reference:url,services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf; sid:167113; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Kapeka/ICYWELL Backdoor APT44/Sandworm Uninstall Backdoor Server Response"; flow:established,to_client; file_data; content:"|3A| |22|Uninstall backdoor|22|,"; classtype:trojan-activity; reference:url,labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf; reference:url,services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf; sid:167114; rev:1;)
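An added example (not from the poster or the ET ruleset) that decodes the |hex| content strings of the four rules and applies their ordered content / distance:0 checks to decrypted response bodies, so the patterns can be sanity-checked offline. The JSON-shaped sample bodies are constructed for illustration; the actual Kapeka response layout is not shown in the post, and the sids are used only as labels.

```python
"""Offline check of the Kapeka/ICYWELL server-response content matches.

Re-implements only the content/distance:0 semantics of the rules above
(not the Suricata engine), for testing decrypted HTTP response bodies.
"""

# content: strings copied from the rules, in rule order (sid -> patterns).
RULES = {
    167111: ["|3A| |22|Execute command|22|,"],
    167112: ["|3A| |22|Read from file|22|,", "|3A| |22|C|3A|//"],
    167113: ["|3A| |22|Write to file|22|,", "|3A| |22|C|3A|//"],
    167114: ["|3A| |22|Uninstall backdoor|22|,"],
}


def decode_content(pattern: str) -> bytes:
    """Expand |hex| escapes in a Suricata content string to raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        # Segments between pipe pairs (odd positions) are hex byte lists.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def rule_matches(body: bytes, patterns: list[str]) -> bool:
    """Apply content matches in order; every match after the first carries
    distance:0, i.e. it must start at or after the end of the previous one."""
    pos = 0
    for pattern in patterns:
        needle = decode_content(pattern)
        idx = body.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def matching_sids(body: bytes) -> list[int]:
    """Return the sids whose payload patterns fire on a decrypted body."""
    return [sid for sid, pats in RULES.items() if rule_matches(body, pats)]


# Constructed sample bodies (hypothetical JSON shape, not captured traffic).
SAMPLE_READ = b'{"task": "Read from file", "path": "C://Users//public//doc.txt"}'
SAMPLE_ORDER = b'{"path": "C://tmp//a", "task": "Read from file", "n": 1}'  # path before task: distance:0 fails
SAMPLE_NO_COMMA = b'{"task": "Execute command"}'  # no trailing comma, so sid 167111 stays silent

if __name__ == "__main__":
    for name, body in [("read", SAMPLE_READ), ("order", SAMPLE_ORDER), ("no_comma", SAMPLE_NO_COMMA)]:
        print(name, matching_sids(body))
```

The SAMPLE_ORDER case shows why the second content in sids 167112/167113 is position-dependent: a drive path that precedes the command string does not satisfy distance:0.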