ET MALWARE OtterCookie File Exfiltration M1

SID: 2060638Rev: 135 views
History
Sourceet/open
CreatedMarch 5, 2025
UpdatedMarch 5, 2025
Classificationcommand-and-control
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OtterCookie File Exfiltration M1"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/upload"; http.user_agent; content:"curl"; startswith; http.header_names; content:"|0d 0a|path|0d 0a|"; nocase; content:"|0d 0a|hostname|0d 0a|"; nocase; content:"|0d 0a|userkey|0d 0a|"; nocase; http.header; content:"path|3a 20|C|3a 5c|Users|5c|"; fast_pattern; content:"|0d 0a|userkey|3a|"; http.request_body; content:"name|3d 22|file|22 3b 20|filename|3d 22|"; reference:url,jp.security.ntt/tech_blog/en-contagious-interview-ottercookie; classtype:command-and-control; sid:2060638; rev:1; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2025_03_05, deployment Perimeter, malware_family OtterCookie, confidence High, signature_severity Critical, tag c2, updated_at 2025_03_05, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1567, mitre_technique_name Exfiltration_Over_Web_Service; target:src_ip;)

References

urljp.security.ntt/tech_blog/en-contagious-interview-ottercookie

Metadata

attack targetClient_Endpoint
tls stateplaintext
created at2025_03_05
deploymentPerimeter
malware familyOtterCookie
confidenceHigh
signature severityCritical
tagc2
updated at2025_03_05
mitre tactic idTA0010
mitre tactic nameExfiltration
mitre technique idT1567
mitre technique nameExfiltration_Over_Web_Service

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!