g0njxa
March 4, 2024, 3:49pm
1
In mid-2023 some new kind of malware was discovered being spread on the internet, and its functionality was via PUT requests to a C2
Analysis 0af720cebd22dd81eb2d8ad327d65c9bd4bdb7b7f3c50c400f270e7c19af5f19.exe (MD5: 67A90F4A4BCE7DCE31F34E172728F717) Malicious activity - Interactive analysis ANY.RUN
It was also observed later on the Privateloader PPI campaign and started to be detected as Smartloader by Anyrun Sandbox.
Some other variants of the malware were found laterAnalysis https://mega.nz/file/M7dnQRKJ#Cbayb7AjZn-yW5PJEP8F9GfeeF15Q9ADMEnVXgR1JXk Malicious activity - Interactive analysis ANY.RUN
But nobody reported this changes, and detection went to 0. Seems like it is being spread again, and herrcore made some analysis of the new builds found:
I detonated the sample shared on the blog and the activity match the Smartloader traffic, with some kind of new variantInteractive Online Malware Analysis Sandbox - ANY.RUN
So if some rule detection could be add to this malware would be very cool, to detect new builds in the future!
ping @Jane0sint for the old smartloader detection rules
1 Like
hey @g0njxa thanks for the samples! We got the following sigs in today’s release!
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SmartLoader CnC Activity"; flow:established,to_server; urilen:>47; http.method; content:"PUT"; http.uri; content:"/loader/"; startswith; fast_pattern; pcre:"/^(?:[a-zA-Z0-9]{40,43})$/R"; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.request_body; content:"|7b 22|data|22 3a 20|"; startswith; http.content_type; content:"application/json"; bsize:16; http.header_names; content:!"Referer|0d 0a|"; reference:url,community.emergingthreats.net/t/smartloader/1428; classtype:trojan-activity; sid:2; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SmartLoader CnC Exfil (screen.bmp)"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/loader/screen/"; startswith; http.request_body; content:"filename|3d 22|screen|2e|bmp|22 0d 0a 0d 0a 42 4d|"; fast_pattern; content:"name|3d 22|data|22 0d 0a 0d 0a 7b 22|data|22 3a 20|"; reference:url,community.emergingthreats.net/t/smartloader/1428; classtype:trojan-activity; sid:1; rev:1;)
2 Likes