List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] SIG: ET TROJAN W32/Tesla.Keylogger CnC Beacon
From:       Jack Mott <jmott () emergingthreats ! net>
Date:       2016-08-31 16:54:00
Message-ID: CAHHK96EY1d5eTA9xHDMGHJ=A=8Y+W9x8cYVHjQNpzNmA0jqMWw () mail ! gmail ! com

Hi Kevin,

Thanks for the sig! We have coverage for this threat in the ETPRO ruleset
(2816570) but will move this one into OPEN.

Best,

Jack

On Wed, Aug 31, 2016 at 10:46 AM, Kevin Ross <kevross33@googlemail.com>
wrote:

> Info about the CnC structure here: www.zscaler.com/blogs/
> research/agent-tesla-keylogger-delivered-using-cybersquatting
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
> W32/Tesla.Keylogger CnC Beacon"; flow:established,to_server;
> content:"POST"; http_method; content:".php"; http_uri; content:"type=";
> http_client_body; depth:5; content:"&hwid="; http_client_body; distance:0;
> content:"&time="; http_client_body; distance:0; content:"&pcname=";
> http_client_body; distance:0; content:"&logdata="; http_client_body;
> distance:0; content:"&screen="; http_client_body; distance:0;
> content:"&ipadd="; http_client_body; distance:0; content:"&wbscreen=";
> http_client_body; distance:0; content:"&client="; http_client_body;
> distance:0; content:"&link="; http_client_body; distance:0;
> content:"&username="; http_client_body; distance:0; content:"&password=";
> http_client_body; distance:0; content:"&screen_name="; http_client_body;
> distance:0; content:"&site_username="; http_client_body; distance:0;
> classtype:trojan-activity; reference:url,www.zscaler.com/
> blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting;
> sid:167711; rev:1;)
>
>
> Kind Regards,
> Kevin Ross
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>

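How the quoted signature's ordered body checks behave, approximated in Python as an added example (not part of the original thread and not the Suricata/Snort engine): "type=" anchored by depth:5, then each "&field=" located with distance:0 semantics, run over a constructed beacon body plus the cases that should not fire. The URI and body values are constructed placeholders.

```python
# Ordered http_client_body fields copied from the signature above, in the
# order the rule requires (each has distance:0, i.e. it must start at or
# after the end of the previous match).
BEACON_FIELDS = ["&hwid=", "&time=", "&pcname=", "&logdata=", "&screen=",
                 "&ipadd=", "&wbscreen=", "&client=", "&link=", "&username=",
                 "&password=", "&screen_name=", "&site_username="]


def matches_tesla_beacon(method: str, uri: str, body: bytes) -> bool:
    """Approximate the rule: POST method, ".php" in the URI, "type=" within
    the first 5 body bytes (depth:5 on a 5-byte pattern means offset 0),
    then BEACON_FIELDS in order with distance:0 semantics."""
    if method != "POST" or ".php" not in uri:
        return False
    if body[:5] != b"type=":          # depth:5 anchors the pattern at offset 0
        return False
    cursor = 5                        # distance:0 -> resume at end of last match
    for field in BEACON_FIELDS:
        idx = body.find(field.encode(), cursor)
        if idx == -1:
            return False
        cursor = idx + len(field)
    return True


# Constructed sample body with the fields in the expected order
# (placeholder values, not a real capture).
SAMPLE_BODY = (b"type=0&hwid=PLACEHOLDER-HWID&time=12:00:00&pcname=WS01/user"
               b"&logdata=PLACEHOLDER&screen=&ipadd=192.0.2.10&wbscreen="
               b"&client=PLACEHOLDER&link=&username=&password="
               b"&screen_name=&site_username=")

# Same fields, but &time= precedes &hwid=: ordered matching does not fire.
SAMPLE_REORDERED = (b"type=0&time=12:00:00&hwid=PLACEHOLDER-HWID&pcname=WS01/user"
                    b"&logdata=PLACEHOLDER&screen=&ipadd=192.0.2.10&wbscreen="
                    b"&client=PLACEHOLDER&link=&username=&password="
                    b"&screen_name=&site_username=")

# "type=" not at offset 0 fails the depth:5 check even though all fields
# follow in order.
SAMPLE_NOT_ANCHORED = b"x=1&" + SAMPLE_BODY

if __name__ == "__main__":
    for name, body in [("ordered", SAMPLE_BODY), ("reordered", SAMPLE_REORDERED),
                       ("not_anchored", SAMPLE_NOT_ANCHORED)]:
        print(name, matches_tesla_beacon("POST", "/PLACEHOLDER.php", body))
```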