List: emerging-sigs
Subject: Re: [Emerging-Sigs] SIDESHOW CnC Sig
From: Isaac Shaughnessy <ishaughnessy () emergingthreats ! net>
Date: 2023-03-14 18:33:10
Message-ID: ece8105b-33a3-7481-2726-1a833e087e26 () emergingthreats ! net
Thanks Travis! We'll get this in today's release.
-Isaac
On 3/14/23 11:51 AM, Travis Green wrote:
> Hey team, I was reading up on LIGHTSHOW group & their tools, and ran
> across a hardcoded parameter in the authentication phase of the
> SIDESHOW backdoor:
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE
> SIDESHOW CnC Authentication"; flow:established,to_server; http.uri;
> content:"1"; startswith; content:"=pAJ9dk4OVq85jxKWoNfw1AG2C&";
> distance:0; fast_pattern; content:"="; distance:0;
> pcre:"/[0-9a-f]{16}$/Ri";reference:md5,abd91676a814f4b50ec357ca1584567e;
> reference:url,www.mandiant.com/resources/blog/lightshow-north-korea-unc2970
> <http://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970>;
> classtype:command-and-control; sid:7704264; rev:1;)
>
> Note that there are C2 domains for this and other tools listed in the
> article by Mandiant in case you would like to add those as well.
>
> -Travis
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>
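The URI check that the posted rule encodes, re-implemented in Python as an added example (not part of the thread or of the ET ruleset) so it can be replayed over proxy logs; the log lines are constructed, the token and hex pattern are taken from the rule as written.

```python
import re

# Token and trailing pattern copied from the rule; everything else is constructed.
AUTH_TOKEN = "=pAJ9dk4OVq85jxKWoNfw1AG2C&"
TRAILING_HEX = re.compile(r"[0-9a-f]{16}$", re.IGNORECASE)


def matches_sideshow_auth(uri: str) -> bool:
    """Mirror the rule's content/pcre chain over the http.uri buffer.

    content:"1"; startswith          -> buffer must begin with "1"
    content:"=pAJ...&"; distance:0   -> token somewhere after that "1"
    content:"="; distance:0          -> an "=" somewhere after the token
    pcre:"/[0-9a-f]{16}$/Ri"         -> 16 hex chars ending the URI, after that "="
    """
    if not uri.startswith("1"):
        return False
    idx = uri.find(AUTH_TOKEN, 1)
    if idx < 0:
        return False
    idx = uri.find("=", idx + len(AUTH_TOKEN))
    if idx < 0:
        return False
    # Relative pcre: search starts right after the "=" match, "$" pins it to the end.
    return TRAILING_HEX.search(uri, idx + 1) is not None


# Constructed log lines: "<method> <host> <uri>". Line 4 carries a leading path,
# so it does not satisfy the rule's startswith "1" as written.
SAMPLE_LOG = """\
POST c2.example.invalid 1=pAJ9dk4OVq85jxKWoNfw1AG2C&2=0123456789ABCDEF
GET www.example.invalid /index.html
POST c2.example.invalid 1=pAJ9dk4OVq85jxKWoNfw1AG2C&2=short
POST c2.example.invalid /login?1=pAJ9dk4OVq85jxKWoNfw1AG2C&2=0123456789abcdef
"""


def scan_log(text: str) -> list[int]:
    """Return 1-based line numbers whose URI field matches the rule logic."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split(maxsplit=2)
        if len(parts) == 3 and matches_sideshow_auth(parts[2]):
            hits.append(n)
    return hits


if __name__ == "__main__":
    print("matching lines:", scan_log(SAMPLE_LOG))  # [1]
```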