TheBoxClipper

Hi, I decided to dedicate this rule to our good friend and researcher @James_inthe_box. He discovered the clipper and we wanted to come up with a name, so I decided))

Apparently, the request is hardcoded in the traffic, so I have three rules, two of which are for http and one for tcp:

alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] TheBoxClipper (addbild)"; flow:established,to_server; http.request_line; content:"GET /addbild/"; pcre:"/\/[a-f0-9]{32}$/R"; classtype:trojan-activity; reference:md5,6cf851bf1c9f18c57e8567ee19a1269f; reference:url,app.any.run/tasks/5e18a292-b42e-4b64-931b-be3319aadaa3; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family TheBoxClipper, created_at 2023_08_29; sid:1; rev:1;)

alert tcp any any -> any any (msg:"ET MALWARE [ANY.RUN] TheBoxClipper (getkeys)"; flow:established,to_server; stream_size:server,=,1; stream_size:client,<,33; dsize:<32; content:"GET /getkeys/"; content:"|0d0a0d0a|"; distance:0; isdataat:!1,relative; classtype:trojan-activity; reference:md5,6cf851bf1c9f18c57e8567ee19a1269f; reference:url,app.any.run/tasks/5e18a292-b42e-4b64-931b-be3319aadaa3; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family TheBoxClipper, created_at 2023_08_29; sid:2; rev:1;)

alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] TheBoxClipper (updatebildchange)"; flow:established,to_server; http.request_line; content:"GET /updatebildchange/"; pcre:"/\/[a-f0-9]{32}$/R"; classtype:trojan-activity; reference:md5,6cf851bf1c9f18c57e8567ee19a1269f; reference:url,app.any.run/tasks/5e18a292-b42e-4b64-931b-be3319aadaa3; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family TheBoxClipper, created_at 2023_08_29; sid:3; rev:1;)

Here I checked the triggering of the rules:

Jane (^-^)/

1 Like
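The matching logic the three rules above express, as an added example that is not part of the original post or the ET ruleset: a small Python model of the http request-line checks (sids 1 and 3) and the raw tcp getkeys check (sid 2), run over constructed sample requests. The stream_size conditions (first client segment, nothing yet sent by the server) are assumed satisfied and not modelled; the hash value and payloads are dummy data.

```python
import re

# Added example (not the author's code): models the content/pcre/dsize logic of
# the three Suricata rules so it can be exercised without running Suricata.

# sid 1 / sid 3: http.request_line must read "GET /<endpoint>/<32 lowercase hex>"
# and END there, because "/\/[a-f0-9]{32}$/R" is anchored with "$".
HTTP_RULES = {
    "TheBoxClipper (addbild)": re.compile(r"^GET /addbild/[a-f0-9]{32}$"),
    "TheBoxClipper (updatebildchange)": re.compile(r"^GET /updatebildchange/[a-f0-9]{32}$"),
}

def match_request_line(request_line: str):
    """Return the name of the http rule a request line triggers, or None."""
    for name, pattern in HTTP_RULES.items():
        if pattern.search(request_line):
            return name
    return None

def match_getkeys(client_payload: bytes) -> bool:
    """Model of sid 2 (tcp): a client segment under 32 bytes that holds
    "GET /getkeys/", then CRLFCRLF after it, with no byte following."""
    if len(client_payload) >= 32:                 # dsize:<32
        return False
    marker = b"GET /getkeys/"
    idx = client_payload.find(marker)             # content:"GET /getkeys/"
    if idx == -1:
        return False
    # content:"|0d0a0d0a|"; distance:0; isdataat:!1,relative -> the CRLFCRLF
    # must sit after the marker and be the very end of the payload
    return (client_payload.endswith(b"\r\n\r\n")
            and len(client_payload) - 4 >= idx + len(marker))

# Constructed samples (not real captures); DUMMY stands in for the 32-hex value.
DUMMY = "0123456789abcdef0123456789abcdef"
SAMPLE_REQUEST_LINES = [
    "GET /addbild/" + DUMMY,                      # sid 1 fires
    "GET /updatebildchange/" + DUMMY,             # sid 3 fires
    "GET /addbild/" + DUMMY + " HTTP/1.1",        # no hit: "$" anchor
    "GET /addbild/" + DUMMY[:-1],                 # no hit: only 31 hex chars
]
SAMPLE_GETKEYS = [
    b"GET /getkeys/\r\n\r\n",                     # 17 bytes, sid 2 fires
    b"GET /getkeys/\r\n\r\nX",                    # trailing byte, no hit
    b"GET /getkeys/ HTTP/1.1\r\nHost: c\r\n\r\n", # 35 bytes, dsize fails
]
```

The third request-line sample shows why the `$` anchor matters: a request line that carries an HTTP version after the hash does not match, so the rule depends on the clipper sending the bare "GET /path/<hash>" line.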

Thanks @Jane0sint! We’ll get these in tomorrow’s release. :partying_face:

1 Like

2047821 - ET MALWARE [ANY.RUN] TheBoxClipper (addbild)
2047822 - ET MALWARE [ANY.RUN] TheBoxClipper CnC Activity (getkeys)
2047823 - ET MALWARE [ANY.RUN] TheBoxClipper (updatebildchange)

2 Likes