Hello! We thought for a while and discussed what we saw,
and as a result I wrote the following rule:
alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] StatusRecorder";flow: established, to_server; stream_size: server, =, 1; content: "$$$$$$WALLETS_START$$$$$$"; classtype: credential-theft; reference:md5,b0a77120cb81694bac9120cbeb337b89; reference:url,app.any.run/tasks/0d0744a8-c186-4fe7-95d9-bdd483e8e6ad; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family StatusRecorder, created_at 2023_06_24; sid: 1; rev: 1;)
We do not know how widespread this threat will be in the future, but we want to put up a barrier now.
Best regards, Jane.
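As an added illustration (this is not ANY.RUN's code and not part of Jane's message): a small Python script that parses the rule above and evaluates its flow, stream_size and content conditions against a few constructed client/server exchanges, to make explicit what the rule does and does not fire on. The flow records, payloads and the 203.0.113.7 address are invented for the example; the treatment of stream_size follows Suricata's documented sequence-number accounting (the handshake alone advances each side's count by 1), but the matcher is a simplified model, not the Suricata engine.

```python
import operator
import re

# The rule from the message above, copied as a single string.
RULE = (
    'alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] StatusRecorder";'
    'flow: established, to_server; stream_size: server, =, 1; '
    'content: "$$$$$$WALLETS_START$$$$$$"; classtype: credential-theft; '
    'reference:md5,b0a77120cb81694bac9120cbeb337b89; '
    'reference:url,app.any.run/tasks/0d0744a8-c186-4fe7-95d9-bdd483e8e6ad; '
    'metadata: attack_target Client_Endpoint, deployment Perimeter, '
    'former_category MALWARE, signature_severity Major, '
    'malware_family StatusRecorder, created_at 2023_06_24; sid: 1; rev: 1;)'
)

_HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<body>.*)\)\s*$',
    re.S,
)
# Split the option body on ';' only when an even number of '"' follows it,
# i.e. the ';' sits outside a quoted value such as msg or content.
_OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')
_CMP = {'=': operator.eq, '<': operator.lt, '>': operator.gt,
        '!=': operator.ne, '<=': operator.le, '>=': operator.ge}


def decode_content(value):
    """Turn a Suricata content string into bytes, expanding |xx xx| hex blocks."""
    out = bytearray()
    for i, part in enumerate(value.split('|')):
        out += bytes.fromhex(part.replace(' ', '')) if i % 2 else part.encode()
    return bytes(out)


def parse_rule(text):
    """Parse one single-line rule into its header fields and (key, value) options."""
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError('not a single-line Suricata rule')
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    opts = []
    for raw in _OPT_SPLIT.split(m.group('body')):
        raw = raw.strip()
        if not raw:
            continue
        key, _, val = raw.partition(':')
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        opts.append((key.strip(), val))
    rule['options'] = opts
    return rule


def rule_matches(rule, flow):
    """Evaluate the flow, stream_size and content options against one segment.

    `flow` is a constructed dict (not a Suricata object) with:
      established  - handshake completed
      to_server    - direction of the inspected segment
      stream_size  - {'client': n, 'server': n}: bytes accounted by TCP sequence
                     numbers; 1 means that side has only completed the handshake
      payload      - bytes of the inspected segment
    Options other than these three are informational and are ignored here.
    """
    for key, val in rule['options']:
        if key == 'flow':
            wanted = {v.strip() for v in val.split(',')}
            if 'established' in wanted and not flow['established']:
                return False
            if 'to_server' in wanted and not flow['to_server']:
                return False
            if 'to_client' in wanted and flow['to_server']:
                return False
        elif key == 'stream_size':
            side, op, num = [v.strip() for v in val.split(',')]
            sizes, n = flow['stream_size'], int(num)
            if side == 'both':
                ok = all(_CMP[op](sizes[s], n) for s in ('client', 'server'))
            elif side == 'either':
                ok = any(_CMP[op](sizes[s], n) for s in ('client', 'server'))
            else:
                ok = _CMP[op](sizes[side], n)
            if not ok:
                return False
        elif key == 'content':
            if decode_content(val) not in flow['payload']:
                return False
    return True


MARKER = b'$$$$$$WALLETS_START$$$$$$'
# Constructed sample traffic; the host address is a documentation (TEST-NET-3) address.
SAMPLE_FLOWS = {
    # First client data after the handshake, server silent so far: should alert.
    'exfil_first_post': dict(established=True, to_server=True,
                             stream_size={'client': 1, 'server': 1},
                             payload=b'POST /gate.php HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n'
                                     + MARKER + b'\nElectrum: <wallet blob>'),
    # Same marker but travelling server -> client: direction check fails.
    'server_echo': dict(established=True, to_server=False,
                        stream_size={'client': 120, 'server': 1}, payload=MARKER),
    # Ordinary request without the marker: content check fails.
    'benign_post': dict(established=True, to_server=True,
                        stream_size={'client': 1, 'server': 1},
                        payload=b'POST /login HTTP/1.1\r\n\r\nuser=jane'),
    # Marker sent after the server has already answered: stream_size check fails.
    'late_in_session': dict(established=True, to_server=True,
                            stream_size={'client': 4000, 'server': 900}, payload=MARKER),
}


def evaluate_samples(rule_text=RULE):
    """Return {sample name: bool} for whether the rule fires on each sample."""
    rule = parse_rule(rule_text)
    return {name: rule_matches(rule, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == '__main__':
    for name, hit in evaluate_samples().items():
        print(f'{name:18s} {"ALERT" if hit else "-"}')
```

Only the first sample fires: the rule is deliberately narrow (client-to-server, content anchored to the first client data of the session), which keeps it cheap and low on false positives but also means a sample that sends the marker later in an already-answered connection, or over TLS, would not be caught by this signature alone.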