ET MALWARE Win32/BugSleep CnC Checkin

SID: 2057160
Rev: 3
12 views
Source: et/open
Created: October 30, 2024
Updated: November 1, 2024
Classification: trojan-activity
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/BugSleep CnC Checkin"; flow:established,to_server; flowbits:noalert; xbits:set,ET.BugSleep.C2,track ip_dst,expire 60; content:"|fd fd fd|"; offset:1; depth:3; fast_pattern; content:"|2c|"; within:255; reference:url,blog.talosintelligence.com/writing-a-bugsleep-c2-server/; reference:url,blog.sekoia.io/muddywater-replaces-atera-by-custom-muddyrot-implant-in-a-recent-campaign/; reference:url,research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/; classtype:trojan-activity; sid:2057160; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_and_Server, tls_state plaintext, created_at 2024_10_30, deployment Perimeter, deployment Internal, malware_family Win32_BugSleep, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_11_01; target:src_ip;)
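The rule above is a flowbits:noalert state-setting rule: on a match it raises the xbit ET.BugSleep.C2 on the destination IP for 60 seconds and leaves alerting to a companion rule. The following Python is an added illustration of what its payload keywords mean (offset/depth counted from the start of the payload, within counted from the end of the previous match) together with a minimal emulation of the xbit it sets. It is not Emerging Threats' or Suricata's code; the packet payloads and the IP address are constructed for the example.

```python
# Added example: emulate the payload checks and the xbit side effect of the
# "ET MALWARE Win32/BugSleep CnC Checkin" rule. Not ET/Suricata code; sample
# payloads below are constructed, not captured BugSleep traffic.

XBIT_NAME = "ET.BugSleep.C2"
XBIT_EXPIRE = 60  # seconds, from "expire 60" in the rule


def match_bugsleep_checkin(payload: bytes) -> bool:
    """Return True when payload satisfies both content matches of the rule.

    content:"|fd fd fd|"; offset:1; depth:3;
        the 3-byte marker must sit exactly at bytes 1..3 (0-based) of the
        payload: the search starts at offset 1 and may look at depth=3 bytes
        from there.
    content:"|2c|"; within:255;
        a 0x2c (ASCII comma) must be found in the 255 bytes that follow the
        end of the marker match.
    """
    marker = b"\xfd\xfd\xfd"
    offset, depth = 1, 3
    window = payload[offset:offset + depth]          # depth is relative to offset
    if marker not in window:
        return False
    marker_end = offset + window.index(marker) + len(marker)

    # within:255 -> the next content must end no more than 255 bytes after
    # the previous match ended, so only this slice is searched.
    following = payload[marker_end:marker_end + 255]
    return b"\x2c" in following


def process_checkin(xbits: dict, dst_ip: str, payload: bytes, now: float) -> bool:
    """Emulate the rule's action: no alert (flowbits:noalert), but on a match
    set the xbit ET.BugSleep.C2 tracked on the destination IP, expiring in
    XBIT_EXPIRE seconds. Returns True if the xbit was (re)set."""
    if not match_bugsleep_checkin(payload):
        return False
    xbits[(XBIT_NAME, dst_ip)] = now + XBIT_EXPIRE
    return True


def xbit_is_set(xbits: dict, dst_ip: str, now: float) -> bool:
    """True while the ET.BugSleep.C2 xbit for dst_ip has not expired."""
    expiry = xbits.get((XBIT_NAME, dst_ip))
    return expiry is not None and now < expiry


# Constructed sample payloads (hypothetical, for illustration only).
CHECKIN_OK = b"\x00\xfd\xfd\xfd" + b"HOST-1,user1,win10"     # marker at 1..3, comma follows
MARKER_AT_ZERO = b"\xfd\xfd\xfd\x00" + b"HOST-1,user1"      # marker at 0..2: offset:1 misses it
COMMA_TOO_FAR = b"\x00\xfd\xfd\xfd" + b"A" * 255 + b","      # comma is the 256th byte after marker
COMMA_AT_LIMIT = b"\x00\xfd\xfd\xfd" + b"A" * 254 + b","     # comma is the 255th byte: still within


if __name__ == "__main__":
    state = {}
    for name, p in [("CHECKIN_OK", CHECKIN_OK), ("MARKER_AT_ZERO", MARKER_AT_ZERO),
                    ("COMMA_TOO_FAR", COMMA_TOO_FAR), ("COMMA_AT_LIMIT", COMMA_AT_LIMIT)]:
        print(f"{name:15} match={match_bugsleep_checkin(p)}")
    process_checkin(state, "203.0.113.10", CHECKIN_OK, now=1000.0)   # constructed IP
    print("xbit set after 30s:", xbit_is_set(state, "203.0.113.10", 1030.0))
    print("xbit set after 61s:", xbit_is_set(state, "203.0.113.10", 1061.0))
```

Because the rule never alerts on its own, a sensor that loads only this SID will show nothing for a matching check-in; the companion rule that tests the xbit is what produces the event, so both must be enabled when validating coverage.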

Metadata

affected product: Windows_11
attack target: Client_and_Server
tls state: plaintext
created at: 2024_10_30
deployment: Internal
malware family: Win32_BugSleep
performance impact: Low
confidence: High
signature severity: Major
updated at: 2024_11_01
