ET MALWARE Win32/BugSleep Command Response From C2

SID: 2057161
Rev: 1
13 views
Source: et/open
Created: October 30, 2024
Updated: October 30, 2024
Classification: trojan-activity
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Win32/BugSleep Command Response From C2"; flow:established,to_client; xbits:isset,ET.BugSleep.C2,track ip_src; content:"|03 03 03|"; offset:5; depth:3; fast_pattern; pcre:"/^.{4}[\x01\x02\x03\x04\x05\x06\x07\x09\x0a\x0b\x0c\x0d\x0e\x61\x62\x63\x64\x65\x66]\x03\x03\x03/"; reference:url,blog.talosintelligence.com/writing-a-bugsleep-c2-server/; reference:url,blog.sekoia.io/muddywater-replaces-atera-by-custom-muddyrot-implant-in-a-recent-campaign/; reference:url,research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/; classtype:trojan-activity; sid:2057161; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_and_Server, tls_state plaintext, created_at 2024_10_30, deployment Perimeter, deployment Internal, malware_family Win32_BugSleep, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_10_30; target:dest_ip;)
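
Added example, not part of this rule page or of the ET ruleset: a small Python check that reproduces only the payload conditions of sid 2057161 (the content match at offset 5, depth 3, and the pcre) against constructed sample byte strings. The flow and xbits preconditions (an established to-client flow whose source IP was already flagged by the ET.BugSleep.C2 bit) are assumed satisfied and are not modelled here.

```python
import re

# Command bytes the rule's pcre accepts at payload offset 4.
BUGSLEEP_CMD_BYTES = bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x09, 0x0A,
                            0x0B, 0x0C, 0x0D, 0x0E, 0x61, 0x62, 0x63, 0x64,
                            0x65, 0x66])

# The rule's pcre rebuilt as a bytes regex. As in the rule (no /s modifier),
# "." does not match 0x0a, so the four leading bytes are matched the same way.
BUGSLEEP_PCRE = re.compile(
    rb"^.{4}[\x01\x02\x03\x04\x05\x06\x07\x09\x0a\x0b\x0c\x0d\x0e"
    rb"\x61\x62\x63\x64\x65\x66]\x03\x03\x03"
)


def content_match(payload: bytes) -> bool:
    """content:"|03 03 03|"; offset:5; depth:3 -> bytes 5..7 must be 03 03 03."""
    return payload[5:8] == b"\x03\x03\x03"


def pcre_match(payload: bytes) -> bool:
    """The pcre: any 4 bytes, one command byte, then 03 03 03."""
    return BUGSLEEP_PCRE.match(payload) is not None


def matches_bugsleep_response(payload: bytes) -> bool:
    """Payload-level verdict of sid 2057161 (flow/xbits state assumed met)."""
    return content_match(payload) and pcre_match(payload)


# Constructed samples (not real captures): name -> payload bytes.
SAMPLES = {
    "hit_cmd_0x61": b"\x00\x00\x00\x00\x61\x03\x03\x03\x41\x42",
    "miss_cmd_0x08_not_in_class": b"\x00\x00\x00\x00\x08\x03\x03\x03",
    "miss_marker_at_offset_4": b"\x00\x00\x00\x00\x03\x03\x03\x00",
    "miss_too_short": b"\x01\x02",
}


def run_samples() -> dict:
    """Evaluate every constructed sample and return name -> verdict."""
    return {name: matches_bugsleep_response(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {'ALERT' if verdict else 'no match'}")
```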

Metadata

affected product: Windows_11
attack target: Client_and_Server
tls state: plaintext
created at: 2024_10_30
deployment: Internal
malware family: Win32_BugSleep
performance impact: Low
confidence: High
signature severity: Major
updated at: 2024_10_30
