ET MALWARE ZharkBot CnC Exfil in HTTP URI

SID: 2054414Rev: 1109 views
Sourceet/open
CreatedJuly 9, 2024
UpdatedJuly 9, 2024
Classificationtrojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZharkBot CnC Exfil in HTTP URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|api|3f|id|3d|"; fast_pattern; content:"&us="; distance:0; content:"&mn="; distance:0; content:"&os="; distance:0; content:"&bld="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; nocase; reference:url,research.openanalysis.net/zharkbot/rust/triage/2024/07/07/zharkbot.html; classtype:trojan-activity; sid:2054414; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_07_09, deployment Perimeter, malware_family ZharkBOT, confidence Medium, signature_severity Critical, tag c2, updated_at 2024_07_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)

References

urlresearch.openanalysis.net/zharkbot/rust/triage/2024/07/07/zharkbot.html

Metadata

affected productWindows_XP_Vista_7_8_10_Server_32_64_Bit
attack targetClient_Endpoint
tls stateplaintext
created at2024_07_09
deploymentPerimeter
malware familyZharkBOT
confidenceMedium
signature severityCritical
tagc2
updated at2024_07_09
mitre tactic idTA0011
mitre tactic nameCommand_And_Control
mitre technique idT1071
mitre technique nameApplication_Layer_Protocol

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!