In mid-2023 a new kind of malware was discovered being spread on the internet, and it communicated with its C2 via PUT requests.

Analysis 0af720cebd22dd81eb2d8ad327d65c9bd4bdb7b7f3c50c400f270e7c19af5f19.exe (MD5: 67A90F4A4BCE7DCE31F34E172728F717) Malicious activity - Interactive analysis ANY.RUN

It was also observed later in the PrivateLoader PPI campaign and started to be detected as SmartLoader by the ANY.RUN sandbox.

Some other variants of the malware were found later

But nobody reported these changes, and detection went to 0. It seems like it is being spread again, and herrcore did some analysis of the new builds found:

I detonated the sample shared on the blog and the activity matches the SmartLoader traffic, with some kind of new variant.

So if some detection rule could be added for this malware, it would be very cool, to detect new builds in the future!

ping @Jane0sint for the old SmartLoader detection rules


Hey @g0njxa, thanks for the samples! We got the following sigs in today’s release!


# Beacon: PUT /loader/<40-43 alphanumerics> to a host addressed by bare IPv4, JSON body starting with {"data": ,
# Content-Type exactly "application/json" (bsize:16), no Referer header.
# As pasted, the rule read `.../R";; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"` - a keyword between the two pcre
# options was lost. Anchored to http.uri that IP-literal regex could never match (the URI always starts with
# "/loader/"), so it is assumed here to belong to the Host header and `http.host;` is restored in that spot.
# `reference:url,` and `sid:2` are as posted: the URL and the production sid did not survive the post, and the
# reference option must be completed or dropped before Suricata will load the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SmartLoader CnC Activity"; flow:established,to_server; urilen:>47; http.method; content:"PUT"; http.uri; content:"/loader/"; startswith; fast_pattern; pcre:"/^(?:[a-zA-Z0-9]{40,43})$/R"; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.request_body; content:"|7b 22|data|22 3a 20|"; startswith; http.content_type; content:"application/json"; bsize:16; http.header_names; content:!"Referer|0d 0a|"; reference:url,; classtype:trojan-activity; sid:2; rev:1;)


# Screenshot exfil: PUT /loader/screen/... with a multipart body carrying a "data" part that holds the same
# {"data": JSON, and a screen.bmp part whose content begins with the BMP magic "BM" (|42 4d|) right after the
# blank line, i.e. the file part carries no Content-Type line of its own.
# `reference:url,` and `sid:1` are as posted (see the note on the first rule).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SmartLoader CnC Exfil (screen.bmp)"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/loader/screen/"; startswith; http.request_body; content:"filename|3d 22|screen|2e|bmp|22 0d 0a 0d 0a 42 4d|"; fast_pattern; content:"name|3d 22|data|22 0d 0a 0d 0a 7b 22|data|22 3a 20|"; reference:url,; classtype:trojan-activity; sid:1; rev:1;)
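To see exactly what the two signatures key on, and what near-miss traffic they deliberately let through, here is an added Python re-implementation of their conditions run over constructed HTTP requests. This is example code written for this page, not an Emerging Threats or Proofpoint tool. Everything in the samples is made up: the 40-character token, the TEST-NET-3 address 203.0.113.10, the multipart boundary and the base64 payloads. It assumes, as the restored rule above does, that the IP-literal regex of the beacon signature applies to the Host header, and it takes the Content-Type and Referer checks literally as the signature states them (exact 16-byte value, header absent).

```python
import re

# Conditions lifted from the two ET signatures posted above.
LOADER_URI_RE = re.compile(r"^/loader/[A-Za-z0-9]{40,43}$")   # /loader/ startswith + pcre /R
IPV4_HOST_RE = re.compile(r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$")   # C2 addressed by bare IPv4 (assumed: http.host)
CNC_BODY_PREFIX = b'{"data": '                                  # |7b 22|data|22 3a 20| ; startswith
EXFIL_BMP_MARK = b'filename="screen.bmp"\r\n\r\nBM'             # screen.bmp part, BMP magic "BM"
EXFIL_DATA_MARK = b'name="data"\r\n\r\n{"data": '               # "data" form part carrying the JSON

CNC_MSG = "ET MALWARE SmartLoader CnC Activity"
EXFIL_MSG = "ET MALWARE SmartLoader CnC Exfil (screen.bmp)"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, headers, body).

    Header names are lower-cased for lookup; values are kept verbatim.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), uri.decode(), headers, body


def match_smartloader(raw: bytes):
    """Return the msg of the signature this request would fire, or None."""
    method, uri, headers, body = parse_request(raw)
    if method != "PUT":                                  # both sigs: http.method; content:"PUT"
        return None
    # Suricata's http.host buffer carries the Host value without a port, so strip one if present.
    host = headers.get("host", "").rsplit(":", 1)[0]
    if (
        len(uri) > 47                                    # urilen:>47  (8 + 40 = 48 at minimum)
        and LOADER_URI_RE.match(uri)
        and IPV4_HOST_RE.match(host)
        and body.startswith(CNC_BODY_PREFIX)
        and headers.get("content-type") == "application/json"   # bsize:16 -> exact value, no charset
        and "referer" not in headers                            # http.header_names; content:!"Referer|0d 0a|"
    ):
        return CNC_MSG
    if uri.startswith("/loader/screen/") and EXFIL_BMP_MARK in body and EXFIL_DATA_MARK in body:
        return EXFIL_MSG
    return None


def build_request(method: str, uri: str, headers, body: bytes) -> bytes:
    """Assemble a raw request from a header list (name, value) and a body."""
    head = f"{method} {uri} HTTP/1.1\r\n".encode()
    head += b"".join(f"{k}: {v}\r\n".encode() for k, v in headers)
    return head + b"\r\n" + body


# Constructed samples: token, address (TEST-NET-3), boundary and payloads are invented for this example.
TOKEN = "f0e1d2c3b4a5968778695a4b3c2d1e0f01234567"          # 40 alphanumerics -> urilen 48
CNC_BODY = b'{"data": "ZXhhbXBsZSBiZWFjb24="}'
CNC_HEADERS = [("Host", "203.0.113.10"), ("Content-Type", "application/json"),
               ("Content-Length", str(len(CNC_BODY)))]
CNC_REQUEST = build_request("PUT", "/loader/" + TOKEN, CNC_HEADERS, CNC_BODY)

BOUNDARY = b"----constructedBoundary42"
EXFIL_BODY = b"".join([
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="data"\r\n\r\n',
    b'{"data": "c2NyZWVu"}\r\n',
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="file"; filename="screen.bmp"\r\n\r\n',
    b"BM", bytes(12),                                   # BMP magic followed by a stub of the header
    b"\r\n--", BOUNDARY, b"--\r\n",
])
EXFIL_HEADERS = [("Host", "203.0.113.10"),
                 ("Content-Type", "multipart/form-data; boundary=" + BOUNDARY.decode()),
                 ("Content-Length", str(len(EXFIL_BODY)))]
EXFIL_REQUEST = build_request("PUT", "/loader/screen/" + TOKEN, EXFIL_HEADERS, EXFIL_BODY)

# Near misses the beacon sig does not fire on: hostname instead of IP, a Referer present, a 39-char token.
DOMAIN_HOST_REQUEST = build_request("PUT", "/loader/" + TOKEN,
                                    [("Host", "example.com")] + CNC_HEADERS[1:], CNC_BODY)
REFERER_REQUEST = build_request("PUT", "/loader/" + TOKEN,
                                CNC_HEADERS + [("Referer", "http://203.0.113.10/")], CNC_BODY)
SHORT_TOKEN_REQUEST = build_request("PUT", "/loader/" + TOKEN[:39], CNC_HEADERS, CNC_BODY)


def run_samples() -> dict:
    """Evaluate every constructed request against both signatures."""
    return {
        "cnc": match_smartloader(CNC_REQUEST),
        "exfil": match_smartloader(EXFIL_REQUEST),
        "domain_host": match_smartloader(DOMAIN_HOST_REQUEST),
        "referer": match_smartloader(REFERER_REQUEST),
        "short_token": match_smartloader(SHORT_TOKEN_REQUEST),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12s} -> {verdict}")
```

The near misses are the point: the beacon signature is tight because it stacks the PUT method, the token length window, the bare-IP Host, the exact Content-Type and the absent Referer, so a build that starts talking to a domain, adds a Referer, or sends `application/json; charset=utf-8` would slip past it and needs a revised sig, which is why new builds like the ones reported above are worth posting. The exfil signature is independent of the Host and Content-Type checks and only keys on the multipart body, so it keeps firing as long as the screenshot part still arrives as a raw BMP.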