""ET MOBILE_MALWARE Kimsuky AppleSeed CnC Checkin""

SID: 2033059

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Android, attack_target Mobile_Client, created_at 2021_06_01, deployment Perimeter, updated_at 2021_06_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel

Reference:

  • md5

  • 4626ed60dfc8deaf75477bc06bd39be7

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "POST"

  • Value: ".php?m="

  • Value: "&p1="

  • Value: "&p2="

  • Value: "Android"

  • Value: "Content-Length|3a 20|0|0d 0a|"

  • Value: !"Referer|3a 20|"

Within: 4

PCRE: "/^User-Agent\x3a\x20[^\r\n]+Android/Hmi"

Special Options:

  • http_method

  • fast_pattern

  • http_uri

  • http_uri

  • http_uri

  • http_header

  • http_header

  • http_header

source