SIGS: TerraStealerV2

Hi,

NOTE: %2A is *; when typed into this page it ends up putting the fields into bold, so it should be ** wrapping the "New User" one after text, and then for the others it comes after, like VALUE: asterisk asterisk.

Two sigs based on the report in the reference. Packets are shown on pages 5 & 6. As it is to wetransfers and telegram, HTTPS decryption will be required.

Now the two elements I am unsure of:

  • Sig 1: If the client body is normalized by HTTP. I assume it will be, so &text=%2A%2ANew%20User%20Ran%20the%20Application%2A%2A should actually be &text=New User Ran the Application. So the structure would be this (from the report):
    New User Ran the Application
    Username: Admin
    PC Name: UUHJKMQK
    IP Address:
  • Sig 2: It is a multipart stream with ZIPs sent (PK) and then various fields like content:"form-data|3B| name=|22|pcname|22|"; http_client_body; which I have focused on. Just verify these are right.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TerraStealerV2 Initial To Telegram API"; flow:established,to_server; content:"POST"; http_method; content:"/sendMessage?chat_id="; http_uri; content:"Host|3A| api.telegram.org"; http_header; fast_pattern:6,16; content:"chat_id="; http_client_body; depth:8; content:"&text=%2A%2ANew%20User%20Ran%20the%20Application%2A%2A"; http_client_body; distance:0; content:"Username%3A%2A%2A"; http_client_body; distance:0; content:"PC%20Name%3A%2A%2A"; http_client_body; distance:0; content:"IP%20Address%3A%2A%2A"; http_client_body; distance:0; classtype:trojan-activity; reference:url,go.recordedfuture.com/hubfs/reports/cta-2025-0501.pdf; sid:155001; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TerraStealerV2 WeTransfers Data Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"/uplo.php"; http_uri; depth:9; content:"Host|3A| wetransfers.io"; http_header; fast_pattern:6,14; content:"form-data|3B| name=|22|pcname|22|"; http_client_body; content:"form-data|3B| name=|22|username|22|"; http_client_body; distance:0; content:"form-data|3B| name=|22|totalwallets|22|"; http_client_body; distance:0; content:"form-data|3B| name=|22|ip|22|"; http_client_body; distance:0; classtype:trojan-activity; reference:url,go.recordedfuture.com/hubfs/reports/cta-2025-0501.pdf; sid:155002; rev:1;)

Kind Regards,
Kevin Ross

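To sanity-check the two http_client_body content chains before the rules go live, here is an added Python emulator (mine, not from the thread or the ET ruleset): it converts the rule content strings, |HH| hex escapes included, to bytes, applies depth and distance:0 in order, and runs them over constructed request bodies laid out like the report's packets. It assumes the field order shown in the report and placeholder values; Suricata's http_client_body buffer is the raw (not URL-decoded) body, and the decoded comparison shows what the rule would miss if it were.

```python
import re
from urllib.parse import unquote

def suricata_content_bytes(pattern: str) -> bytes:
    # Turn 'form-data|3B| name=|22|pcname|22|' into the raw bytes Suricata searches for (|HH| = hex).
    out = bytearray()
    for literal, hexrun in re.findall(r'([^|]*)(?:\|([0-9A-Fa-f ]+)\|)?', pattern):
        out += literal.encode() + (bytes.fromhex(hexrun) if hexrun else b"")
    return bytes(out)

def match_ordered(buf: bytes, contents, first_depth=None) -> bool:
    # Emulate one buffer's content chain: optional depth on the first content,
    # every later content relative to the previous match (distance:0).
    pos = 0
    for i, pat in enumerate(contents):
        needle = suricata_content_bytes(pat)
        idx = (buf[:first_depth] if i == 0 and first_depth else buf).find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True

# http_client_body content chains copied from the two proposed rules.
TELEGRAM_CONTENTS = ["chat_id=", "&text=%2A%2ANew%20User%20Ran%20the%20Application%2A%2A",
                     "Username%3A%2A%2A", "PC%20Name%3A%2A%2A", "IP%20Address%3A%2A%2A"]
WETRANSFER_CONTENTS = ["form-data|3B| name=|22|pcname|22|", "form-data|3B| name=|22|username|22|",
                       "form-data|3B| name=|22|totalwallets|22|", "form-data|3B| name=|22|ip|22|"]

# Constructed bodies laid out like the report's examples; all values are placeholders.
TELEGRAM_BODY = (b"chat_id=CHATID&text=%2A%2ANew%20User%20Ran%20the%20Application%2A%2A%0A"
                 b"Username%3A%2A%2A%20Admin%0APC%20Name%3A%2A%2A%20UUHJKMQK%0AIP%20Address%3A%2A%2A%200.0.0.0")
BOUNDARY = b"----ConstructedBoundary"

def multipart_body(fields) -> bytes:
    # Build a multipart/form-data body from (name, value) pairs in the given order.
    body = b""
    for name, value in fields:
        body += b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="' + name + b'"\r\n\r\n' + value + b"\r\n"
    return body + b"--" + BOUNDARY + b"--\r\n"

def check_telegram(body: bytes) -> dict:
    # Run the Telegram chain on the body as sent and on a URL-decoded copy of it.
    decoded = unquote(body.decode()).encode()
    return {"raw": match_ordered(body, TELEGRAM_CONTENTS, first_depth=8),
            "url_decoded": match_ordered(decoded, TELEGRAM_CONTENTS, first_depth=8)}

def check_wetransfer(body: bytes) -> bool:
    return match_ordered(body, WETRANSFER_CONTENTS)
```

Reversing the multipart field order makes the WeTransfers chain fail, which is the distance:0 behaviour to keep in mind if the sample's field order ever changes.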

Morning @kevross33 !

I’ll take a look at these today and share the sids once they are available.

Thanks for the tip!
Isaac


@kevross33

2062074 - ET MALWARE TerraStealerV2 New Victim Checkin via Telegram API
2062097 - ET MALWARE TerraStealerV2 Data Exfil via WeTransfers
2062101 - ET MALWARE TerraStealerV2 Victim Checkin via Telegram API (Wallet Count)
2062102 - ET MALWARE TerraStealerV2 CnC Telegram Bot Response

Have a Great weekend!
Isaac