Wrong malware family attribution 123Stealer

Hi!

Our network malware detection team discovered potential incorrect attribution of a malware family in the signatures:
ET MALWARE 123Stealer Victim CnC Checkin (POST) sid: 2066685
ET MALWARE 123Stealer Victim CnC Checkin (GET) sid: 2066687
ET MALWARE 123Stealer CnC Command Inbound (Ping) sid: 2066688

We suspect that they were developed based on the tweet https://x.com/solostalking/status/2001147307056918840, which mentions the malicious C2 with 123Stealer admin page.

However, I’d like to point your attention to the Sysdig report (EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks | Sysdig), which provides examples of C2 communication protocols that match the signatures:
sid 2066685 is not shown in the report and is the result of the received payload.
sid 2066687 is shown in the report (Section “C2 traffic patterns and command execution”).

Also, the tweet mentions TCP port 3003, while in the sandboxes, samples communicate on port 3000.

Reference runs in public Sandboxes:

Perhaps it’s worth renaming the specified signatures to EtherRAT?

Best regards,
Evgeny Bechkalo, AVLab Positive Technologies


Hey Evgeny!

Thanks for the thorough analysis! When I originally wrote the rule I attributed this to 123Stealer because of the C2 panel that was hosted on the dst IP 91.215.85[.]42. This Sysdig report is excellent.

I’ve updated the rule names, metadata, and flowbits in today’s release. Thanks again for taking the time to reach out! :fire:

-Isaac

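Added example, not part of the thread and not Proofpoint/ET's own tooling: a small Python script showing what a consistent family re-attribution of a Suricata/ET rule set involves (the msg text, the metadata `malware_family` tag, every flowbit name and the `rev` bump), plus a check that catches the failure mode of renaming only some of the rules, which leaves a rule testing a flowbit that no rule sets any more. The three sample rules reuse only the msg strings and sids from the thread; their match content, flowbit names and metadata are constructed placeholders, not the real ET rule bodies.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rules in Suricata/ET syntax. Only the msg text and sids
# come from the thread; match content, flowbit names and metadata are
# placeholders, not the real ET rule bodies.
SAMPLE_RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 123Stealer Victim CnC Checkin (POST)"; '
    'flow:established,to_server; http.method; content:"POST"; flowbits:set,ET.123Stealer.Checkin; '
    'classtype:trojan-activity; sid:2066685; rev:1; metadata:malware_family 123Stealer, tag c2;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 123Stealer Victim CnC Checkin (GET)"; '
    'flow:established,to_server; http.method; content:"GET"; flowbits:set,ET.123Stealer.Checkin; '
    'classtype:trojan-activity; sid:2066687; rev:1; metadata:malware_family 123Stealer, tag c2;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE 123Stealer CnC Command Inbound (Ping)"; '
    'flow:established,to_client; flowbits:isset,ET.123Stealer.Checkin; http.response_body; content:"ping"; '
    'classtype:trojan-activity; sid:2066688; rev:1; metadata:malware_family 123Stealer, tag c2;)',
]

MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r'\bsid:(\d+);')
REV_RE = re.compile(r'\brev:(\d+);')
# op is set/isset/toggle/unset/isnotset/noalert; the name is absent for noalert
FLOWBITS_RE = re.compile(r'flowbits:(\w+)(?:,([^;]+))?;')
FAMILY_RE = re.compile(r'malware_family ([^,;]+)')


def reattribute_rule(rule: str, old_family: str, new_family: str) -> str:
    """Return a copy of `rule` with the family renamed in msg, flowbit names and
    metadata, and rev bumped. A rule that never mentions old_family is returned
    unchanged, rev included."""
    if old_family not in rule:
        return rule
    # 1. msg text
    rule = MSG_RE.sub(lambda m: 'msg:"%s"' % m.group(1).replace(old_family, new_family), rule)

    # 2. flowbit names, e.g. ET.123Stealer.Checkin -> ET.EtherRAT.Checkin
    def _rename_flowbit(m: "re.Match") -> str:
        op, name = m.group(1), m.group(2)
        if name is None:  # noalert has no bit name
            return m.group(0)
        return 'flowbits:%s,%s;' % (op, name.replace(old_family, new_family))
    rule = FLOWBITS_RE.sub(_rename_flowbit, rule)

    # 3. metadata malware_family tag (only the old family, not any other value)
    rule = re.sub(r'malware_family ' + re.escape(old_family) + r'(?=[,;])',
                  lambda m: 'malware_family ' + new_family, rule)

    # 4. the rule text changed, so it gets a new revision
    rule = REV_RE.sub(lambda m: 'rev:%d;' % (int(m.group(1)) + 1), rule)
    return rule


def reattribute_ruleset(rules: List[str], old_family: str, new_family: str) -> List[str]:
    """Rename the family across the whole set so set/isset pairs stay in step."""
    return [reattribute_rule(r, old_family, new_family) for r in rules]


def flowbit_consistency(rules: List[str]) -> List[str]:
    """Names of flowbits tested (isset/isnotset) by some rule but set by none.
    A rename applied to only part of the set shows up here as a dangling bit."""
    setters, testers = set(), set()
    for rule in rules:
        for op, name in FLOWBITS_RE.findall(rule):  # name is '' when absent
            if not name:
                continue
            if op in ("set", "toggle"):
                setters.add(name)
            elif op in ("isset", "isnotset"):
                testers.add(name)
    return sorted(testers - setters)


def summarize(rules: List[str]) -> Dict[int, Tuple[str, str, int]]:
    """Map sid -> (msg, malware_family, rev) for a quick before/after review."""
    out: Dict[int, Tuple[str, str, int]] = {}
    for rule in rules:
        sid = int(SID_RE.search(rule).group(1))
        msg = MSG_RE.search(rule).group(1)
        fam_m = FAMILY_RE.search(rule)
        fam = fam_m.group(1).strip() if fam_m else ""
        rev = int(REV_RE.search(rule).group(1))
        out[sid] = (msg, fam, rev)
    return out


if __name__ == "__main__":
    renamed = reattribute_ruleset(SAMPLE_RULES, "123Stealer", "EtherRAT")
    for sid, (msg, fam, rev) in sorted(summarize(renamed).items()):
        print(sid, rev, fam, "|", msg)
    print("dangling flowbits:", flowbit_consistency(renamed))
```

The consistency check is the part worth keeping around: the inbound (Ping) rule only fires when the checkin rule has set its flowbit, so renaming the two checkin rules without the third would silently disable the inbound detection rather than produce a parse error.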