WhiteSnake

Hi, I noticed that Whitesnake has changed the protocol a little, let’s write the rules!


alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request";
flow: established, to_server; http.method;
content: "POST";
http.uri;
content: "/sendData?pk=";
content: "&ta="; distance: 0;
content: "&un="; distance: 0;
content: "&pc="; distance: 0;
content: "&co="; distance: 0;
content: "&wa="; distance: 0;
content: "&be="; distance: 0;
http.header_names;
content: "|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; startswith;
reference: md5,5302fff6311dab7554eaf7902c2aaa61;
reference: url,app.any.run/tasks/5dc1cfaa-5470-4708-92d8-b8703b47c1f7;
metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family WhiteSnake, tag stealer, created_at 2024_01_29; classtype: trojan-activity;
sid: 1; rev: 1;)

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration";
flow: established, to_server; http.method;
content: "POST"; http.header_names;
content: "|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; startswith;
http.request_body;
content: "WSR$"; depth: 4;
reference: md5,5302fff6311dab7554eaf7902c2aaa61;
reference: url,app.any.run/tasks/5dc1cfaa-5470-4708-92d8-b8703b47c1f7;
metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family WhiteSnake, tag stealer, created_at 2024_01_29; classtype: trojan-activity;
sid: 2; rev: 1;)

𖡼𖤣𖥧𖡼𓋼𖤣𖥧𓋼𓍊 Jane

1 Like
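As an added example (not part of Jane's post or the ET ruleset), the following Python re-implements the matching logic of the two rules above so the ordered `content`/`distance: 0` chain on the URI, the `startswith` anchor on the `http.header_names` buffer and the `depth: 4` check on the request body can be exercised against constructed HTTP requests before the rules are loaded into Suricata. The requests, host names and parameter values are constructed test fixtures, not captured traffic; the layout of the header-names buffer (a leading CRLF, names joined by CRLF, a trailing double CRLF) follows the pattern the rule itself anchors on and is assumed to match Suricata's buffer construction.

```python
# Added example: a dependency-free emulation of the two WhiteSnake rules,
# run over constructed HTTP requests. Not the project's code.

# sid 1: each URI fragment must match after the previous one (distance: 0).
URI_PARTS = [b"/sendData?pk=", b"&ta=", b"&un=", b"&pc=", b"&co=", b"&wa=", b"&be="]

# Both rules anchor this on the header-names buffer with startswith
# (assumed buffer layout: CRLF + names joined by CRLF + CRLF CRLF).
HEADER_NAMES_PREFIX = b"\r\nHost\r\nContent-Length\r\nExpect\r\nConnection\r\n\r\n"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, header_names_buffer, body)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    names = [line.split(b":", 1)[0] for line in lines[1:]]
    header_names = b"\r\n" + b"\r\n".join(names) + b"\r\n\r\n"
    return method, uri, header_names, body


def ordered_contents(buf: bytes, parts) -> bool:
    """Emulate a chain of content matches joined by distance: 0 (each must start
    at or after the end of the previous match)."""
    pos = 0
    for part in parts:
        idx = buf.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    return True


def rule_http_request(raw: bytes) -> bool:
    """sid 1: POST, ordered URI parameters, header names in the expected order."""
    method, uri, header_names, _body = parse_request(raw)
    return (method == b"POST"
            and ordered_contents(uri, URI_PARTS)
            and header_names.startswith(HEADER_NAMES_PREFIX))


def rule_post_report(raw: bytes) -> bool:
    """sid 2: POST, same header order, request body begins with WSR$ (depth: 4)."""
    method, _uri, header_names, body = parse_request(raw)
    return (method == b"POST"
            and header_names.startswith(HEADER_NAMES_PREFIX)
            and body[:4] == b"WSR$")


# Constructed fixtures (placeholder host and values, not real traffic).
COMMON_HEADERS = (b"Host: c2.example.invalid\r\n"
                  b"Content-Length: 0\r\n"
                  b"Expect: 100-continue\r\n"
                  b"Connection: Keep-Alive\r\n\r\n")
BEACON = (b"POST /sendData?pk=TESTKEY&ta=t&un=u&pc=p&co=c&wa=w&be=b HTTP/1.1\r\n"
          + COMMON_HEADERS)
# Same parameters but &un= precedes &ta=: the distance: 0 chain must not fire.
REORDERED = (b"POST /sendData?pk=TESTKEY&un=u&ta=t&pc=p&co=c&wa=w&be=b HTTP/1.1\r\n"
             + COMMON_HEADERS)
REPORT = (b"POST /upload HTTP/1.1\r\n" + COMMON_HEADERS + b"WSR$constructed-report-body")
BENIGN = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: www.example.invalid\r\n"
          b"User-Agent: test/1.0\r\n"
          b"Connection: close\r\n\r\n")


def evaluate_all():
    """Return {fixture name: (sid 1 fired, sid 2 fired)} for every fixture."""
    fixtures = {"beacon": BEACON, "reordered": REORDERED,
                "report": REPORT, "benign": BENIGN}
    return {name: (rule_http_request(r), rule_post_report(r))
            for name, r in fixtures.items()}


if __name__ == "__main__":
    for name, (sid1, sid2) in evaluate_all().items():
        print(f"{name:10s} sid1={sid1} sid2={sid2}")
```

Running the block shows that only the beacon fixture trips sid 1 and only the report fixture trips sid 2; the reordered-parameter request shows why the `distance: 0` chain is stricter than a set of independent `content` matches, which is worth keeping in mind when a sample's parameter order changes again.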

Nice catch, Jane! Adding these soon :robot:

:hotdog:

2 Likes

Yesterday’s release contained these rules:
2050601 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request (malware.rules)
2050602 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration (malware.rules)

Thanks again, Jane. The team always appreciates your contributions.

2 Likes