Just seen this a lot over several years in their malware, loaders and recently even in their trycloudflare domains, but while we have signatures for specific cases combined with this delimiter, we aren't actually looking for just this unusual delimiter being present in traffic.
The header has appeared both in cleartext HTTP and also in HTTPS traffic (such as recently using trycloudflare domains, which are HTTPS).
Specific cases for user agent and cookie, which have been seen, but also an http.header one in case they use it elsewhere. Also a URI one.
Kind regards,
Kevin Ross
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Gamaredon APT Delimiter In HTTP User-Agent"; flow:established,to_server; http.user_agent; content:"|3a 3a|/."; fast_pattern:only; classtype:trojan-activity; sid:154551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Gamaredon APT Delimiter In HTTP Cookie"; flow:established,to_server; http.cookie; content:"|3a 3a|/."; fast_pattern:only; classtype:trojan-activity; sid:154552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Gamaredon APT Delimiter In HTTP Header"; flow:established,to_server; http.header; content:"|3a 3a|/."; fast_pattern:only; classtype:trojan-activity; sid:154553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Gamaredon APT Delimiter In HTTP URI"; flow:established,to_server; http.uri; content:"|3a 3a|/."; fast_pattern:only; classtype:trojan-activity; sid:154554; rev:1;)
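As an added example (not part of Kevin's post or the ET ruleset), a small Python check that replays the four rule positions (user agent, cookie, any header, URI) for the `|3a 3a|/.` delimiter over constructed HTTP requests. The sample requests and the `example.test` host are made up, and the "header" check leaves out Cookie on the assumption that Suricata's http.header buffer excludes it in favour of http.cookie.

```python
# The content match |3a 3a|/. in the rules is the byte string "::/."
DELIMITER = b"::/."

# Constructed sample requests (not real captures): one per rule position,
# plus a clean request that must not match anything.
SAMPLES = {
    "ua": b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
          b"User-Agent: Mozilla/5.0::/.0123\r\n\r\n",
    "cookie": b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
              b"Cookie: id=abc::/.def\r\n\r\n",
    "header": b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
              b"X-Data: foo::/.bar\r\n\r\n",
    "uri": b"GET /get.php?x=1::/.2 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "clean": b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
             b"User-Agent: Mozilla/5.0\r\n\r\n",
}

def parse_request(raw):
    """Split a raw HTTP/1.x request into (uri, {lowercased header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    _method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return uri, headers

def match_delimiter(raw):
    """Return the set of rule buffers ('ua', 'cookie', 'header', 'uri') in
    which the delimiter appears, i.e. which of the four rules would fire."""
    uri, headers = parse_request(raw)
    hits = set()
    if DELIMITER in headers.get(b"user-agent", b""):
        hits.add("ua")
    if DELIMITER in headers.get(b"cookie", b""):
        hits.add("cookie")
    # Assumed to mirror Suricata: http.header spans every header line except
    # Cookie, so a hit in User-Agent fires both the UA and the header rule.
    if any(DELIMITER in v for k, v in headers.items() if k != b"cookie"):
        hits.add("header")
    if DELIMITER in uri:
        hits.add("uri")
    return hits

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, sorted(match_delimiter(req)))
```

Running it shows the overlap a tuner should expect: the User-Agent sample triggers both the UA and the generic header rule, while the cookie, header-only and URI samples each trigger exactly one.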