Snort mailing list archives

Backdoor OSCelestial RAT


From: Y M <snort () outlook com>
Date: Mon, 6 Mar 2017 11:06:01 +0000

Hello,


The below rules are for the OSCelestial RAT. I left the OS (Win, Osx, etc.) at the beginning of the rules' messages 
since the sample in question seems to be targeting multiple OSes. The sample was successfully tested on Windows, OS X, 
and Linux (Ubuntu). Other OSes were not tested.


The last rule may be overkill, but the pattern was too obvious to be missed. A pcap is available.


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant outbound connection"; \
    flow:to_server,established; content:"|70 73 72 00|"; content:"|17|com.net.LoginDataPacket"; distance:0; within:24; \
    metadata:ruleset community; \
    reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; \
    classtype:trojan-activity; sid:1000867; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant outbound connection"; \
    flow:to_server,established; content:"|70 73 72 00|"; content:"|11|com.net.LoginData"; distance:0; within:18; \
    content:"|0E|identification"; content:"|08|maccaddr"; distance:7; within:9; \
    content:"|0F|operatingsystem"; distance:7; within:16; content:"|06|pcname"; distance:7; within:7; \
    content:"|08|username"; distance:7; within:9; content:"|07|version"; distance:7; within:8; \
    metadata:ruleset community; \
    reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; \
    classtype:trojan-activity; sid:1000868; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant inbound connection"; \
    flow:to_client,established; dsize:>800; content:"|1B|com.net.DynamicPluginPacket"; fast_pattern:only; \
    content:"|00 14|com.oscp.client.HRDP"; content:"|00 26|net.oscp.client.networking.OpenWebsite"; \
    content:"|00 28|"; distance:1; content:".UploadExecute"; distance:25; within:15; \
    content:"|00 27|"; distance:1; content:".ReverseProxy"; distance:25; within:14; \
    content:"|00 2A|"; distance:1; content:".DownloadExecute"; distance:25; within:17; \
    content:"|00 29|"; distance:1; content:".KeystrokeLogger"; distance:24; within:17; \
    content:"|00 27|"; distance:1; content:".JarInjector"; distance:26; within:13; \
    content:"|00 2B|"; distance:1; content:".JarInjectUpload"; distance:26; within:17; \
    content:"|00 21|"; distance:1; content:".Explorer"; distance:24; within:10; \
    content:"|00 25|"; distance:1; content:".RemoteChat"; distance:25; within:12; \
    content:"|00 25|"; distance:1; content:".MessageBox"; distance:25; within:12; \
    content:"|00 23|"; distance:1; content:".DesktopView"; distance:22; within:13; \
    content:"|00 29|"; distance:1; content:".PasswordRecovery"; distance:23; within:18; \
    content:"|00 21|"; distance:1; content:".WebcamView"; distance:21; within:12; \
    content:"|00 27|"; content:".Terminal"; distance:23; within:10; \
    metadata:ruleset community; \
    reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; \
    classtype:trojan-activity; sid:1000869; rev:1;)


Thank you.

YM
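As an added illustration, not part of the post above and not Snort itself, the Python below mimics the content / distance / within chain of sid:1000867 and the first three contents of sid:1000868 against constructed byte strings shaped like the Java serialization header the rules key on (TC_OBJECT 0x73, TC_CLASSDESC 0x72, then a 2-byte length-prefixed class name). The sample byte layout is an assumption made here for the demonstration, not captured traffic; it shows why `within:24` is exactly one length byte plus the 23-byte class name.

```python
# Each chain entry is (pattern, distance, within). distance/within of None means
# an absolute search over the whole payload, as for an unmodified content match.
RULE_1000867 = [
    (b"\x70\x73\x72\x00", None, None),        # content:"|70 73 72 00|"
    (b"\x17com.net.LoginDataPacket", 0, 24),  # distance:0; within:24
]

# Only the first three content matches of sid:1000868, encoded the same way.
RULE_1000868_PREFIX = [
    (b"\x70\x73\x72\x00", None, None),
    (b"\x11com.net.LoginData", 0, 18),
    (b"\x0eidentification", None, None),
]

def match_chain(payload: bytes, chain) -> bool:
    """True if every content in `chain` matches in order; relative entries must
    fit in the distance/within window measured from the previous match's end."""
    prev_end = 0
    for pattern, distance, within in chain:
        if distance is None and within is None:
            start, end = 0, len(payload)           # absolute content match
        else:
            start = prev_end + (distance or 0)     # skip `distance` bytes first
            end = len(payload) if within is None else start + within
        idx = payload.find(pattern, start, end)    # must fit inside [start, end)
        if idx == -1:
            return False
        prev_end = idx + len(pattern)
    return True

def fired_sids(payload: bytes) -> list:
    rules = {1000867: RULE_1000867, 1000868: RULE_1000868_PREFIX}
    return [sid for sid, chain in rules.items() if match_chain(payload, chain)]

def java_object(class_name: bytes) -> bytes:
    """Constructed sample (assumption, not captured traffic): stream magic, then
    TC_ENDBLOCKDATA/TC_NULL from a preceding object, TC_OBJECT, TC_CLASSDESC,
    2-byte big-endian class-name length, the name, and a zero-filled descriptor."""
    header = b"\xac\xed\x00\x05\x78\x70\x73\x72"
    return header + len(class_name).to_bytes(2, "big") + class_name + bytes(9)

SAMPLE_LOGIN_PACKET = java_object(b"com.net.LoginDataPacket")
SAMPLE_LOGIN_DATA = java_object(b"com.net.LoginData") + b"\x00\x0eidentification"
SAMPLE_BENIGN = java_object(b"java.util.HashMap")   # same 0x11 length, other name
```

Shifting the class name by a single byte after the `|70 73 72 00|` anchor pushes it outside the 24-byte window and the chain no longer matches, which is the behaviour the rule's `within` is there to enforce.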