SIGS: Zloader

These signatures require TLS decryption.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zloader Known User-Agent"; flow:established,to_server; http.user_agent; content:"PresidentPutin"; classtype:trojan-activity; reference:url,Technical Analysis of Zloader 2.9.0.4 | ThreatLabz; sid:192001; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zloader HTTP POST Rand Header"; content:"POST"; http_method; urilen:1; content:"/"; http_uri; content:"Rand|3A| "; http_header; content:!"Referer|3A|"; http_header; classtype:trojan-activity; reference:url,Technical Analysis of Zloader 2.9.0.4 | ThreatLabz; sid:192002; rev:1;)

Kind Regards,
Kevin Ross

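As an added illustration (not part of the thread and not Suricata code), the following Python re-implements the match conditions of the two rules above over plaintext HTTP requests, which is what Suricata sees once TLS decryption is in place. The sample requests, the host name and the `Rand` header value are constructed for the test; only the fields the rules key on (user-agent string, POST to `/` with a one-byte URI, a `Rand:` header and no `Referer:` header) come from the signatures. Note that `content:"Rand|3A| "` is an unanchored substring match in the header buffer, and the code mirrors that rather than matching a header name exactly.

```python
"""Added example: Python model of sids 192001/192002 from the thread above.
Not Suricata, not the author's code; it only shows which request fields
each rule inspects, run over constructed sample requests."""

from typing import Dict, List, Tuple


def parse_http_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, uri, header_block, headers).

    header_block is the raw header text (used for substring matches like
    Suricata's http_header buffer); headers is a lower-cased name -> value map.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    header_block = "\r\n".join(lines[1:])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, header_block, headers


def rule_192001_user_agent(raw: bytes) -> bool:
    """sid 192001: http.user_agent buffer contains 'PresidentPutin' (case-sensitive)."""
    _m, _u, _hb, headers = parse_http_request(raw)
    return "PresidentPutin" in headers.get("user-agent", "")


def rule_192002_post_rand(raw: bytes) -> bool:
    """sid 192002: POST, urilen:1, uri contains '/', 'Rand: ' in headers, no 'Referer:'."""
    method, uri, header_block, _h = parse_http_request(raw)
    return (
        method == "POST"                       # content:"POST"; http_method;
        and len(uri) == 1                      # urilen:1
        and "/" in uri                         # content:"/"; http_uri;
        and "Rand: " in header_block           # content:"Rand|3A| "; http_header;
        and "Referer:" not in header_block     # content:!"Referer|3A|"; http_header;
    )


def matching_sids(raw: bytes) -> List[int]:
    """Return the sids whose conditions the request satisfies."""
    hits = []
    if rule_192001_user_agent(raw):
        hits.append(192001)
    if rule_192002_post_rand(raw):
        hits.append(192002)
    return hits


# Constructed sample requests (host name and Rand value are placeholders).
SAMPLE_ZLOADER_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: PresidentPutin\r\n"
    b"Rand: 1234\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Same shape but with a Referer header and an ordinary user-agent: no match.
SAMPLE_BENIGN_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Referer: https://example.invalid/\r\n"
    b"Rand: 1234\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# POST to a longer URI: urilen:1 fails even though Rand is present.
SAMPLE_LONG_URI_POST = (
    b"POST /api/v1 HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Rand: 1234\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in [("zloader", SAMPLE_ZLOADER_POST),
                      ("benign", SAMPLE_BENIGN_POST),
                      ("long-uri", SAMPLE_LONG_URI_POST)]:
        print(name, matching_sids(req))
```

Running the block prints the matching sids per sample; the Zloader-shaped request trips both rules, the other two trip neither. Because the `Rand: ` check is a substring match, a header such as `X-Rand: ` would also satisfy sid 192002 in this model, the same way it would in the Suricata rule, which is worth keeping in mind when tuning for false positives.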

Hey @kevross33 !

Thanks for the signatures! These went out in today’s release with the following names/sids:

2058299 - ET MALWARE Zloader User-Agent Observed (PresidentPutin)
2058300 - ET MALWARE Zloader CnC Activity (POST)

Happy Holidays!
Isaac :christmas_tree: :gift:


Thanks @kevross33 @ishaughnessy !