Hi, I noticed that WhiteSnake has changed its protocol a little — let's write the rules!
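# WhiteSnake stealer check-in: a POST whose URI starts with /sendData?pk= and carries the
# keys ta, un, pc, co, wa, be in that order (each "distance: 0" is relative to the previous
# match, so the order is enforced), sent with exactly the four request headers
# Host, Content-Length, Expect, Connection in that order (the http.header_names pattern is
# anchored with startswith and ends at the closing CRLF CRLF, so no other header - not even a
# User-Agent - may be present). Both checks are deliberately tight; a request with an extra
# or reordered header or parameter will not match, so a miss means "not this exact variant".
# A rule written across several lines in a .rules file needs a trailing backslash on every
# continued line; without it each line is parsed as a separate, invalid rule.
# TODO: "sid: 1" is a placeholder; assign a sid from your local range (1000000+) before loading.
alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request"; \
    flow: established, to_server; \
    http.method; \
    content: "POST"; \
    http.uri; \
    content: "/sendData?pk="; \
    content: "&ta="; distance: 0; \
    content: "&un="; distance: 0; \
    content: "&pc="; distance: 0; \
    content: "&co="; distance: 0; \
    content: "&wa="; distance: 0; \
    content: "&be="; distance: 0; \
    http.header_names; \
    content: "|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; startswith; \
    reference: md5,5302fff6311dab7554eaf7902c2aaa61; \
    reference: url,app.any.run/tasks/5dc1cfaa-5470-4708-92d8-b8703b47c1f7; \
    metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family WhiteSnake, tag stealer, created_at 2024_01_29; classtype: trojan-activity; \
    sid: 1; rev: 1;)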
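# WhiteSnake stealer report upload: a POST with the same exact, ordered header set as the
# check-in rule (Host, Content-Length, Expect, Connection and nothing else) whose request
# body begins with the 4-byte marker "WSR$" ("depth: 4" limits the search to the first four
# bytes of http.request_body, so the marker must be at offset 0). No URI condition is set, so
# this fires on the body marker and header shape alone. Continuation backslashes are required
# for a multi-line rule in a .rules file.
# TODO: "sid: 2" is a placeholder; assign a sid from your local range (1000000+) before loading.
alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration"; \
    flow: established, to_server; \
    http.method; \
    content: "POST"; \
    http.header_names; \
    content: "|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; startswith; \
    http.request_body; \
    content: "WSR$"; depth: 4; \
    reference: md5,5302fff6311dab7554eaf7902c2aaa61; \
    reference: url,app.any.run/tasks/5dc1cfaa-5470-4708-92d8-b8703b47c1f7; \
    metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family WhiteSnake, tag stealer, created_at 2024_01_29; classtype: trojan-activity; \
    sid: 2; rev: 1;)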
𖡼𖤣𖥧𖡼𓋼𖤣𖥧𓋼𓍊 Jane