SigmaHQ/rules/proxy/proxy_ua_malware.yml

title: Malware User Agent
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
status: experimental
description: Detects suspicious user agent strings used by malware in proxy logs
references:
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
    - http://www.botopedia.org/search?searchword=scan&searchphrase=all
    - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
    - https://perishablepress.com/blacklist/ua-2013.txt
    - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
author: Florian Roth
date: 2017/07/08
modified: 2020/09/03
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
      c-useragent:
        # RATs
        - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0'  # DargonOK
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)'  # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
        - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)'  # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)'  # Used by PlugX - old - https://goo.gl/Yfjtk5
        - 'HttpBrowser/1.0'  # HTTPBrowser RAT
        - '*<|>*'  # Houdini / Iniduoh / njRAT
        - 'nsis_inetc (mozilla)'  # ZeroAccess
        - 'Wget/1.9+cvs-stable (Red Hat modified)'  # Dyre / Upatre
        # Ghost419 https://goo.gl/rW1yvZ
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'

        # Malware
        - '*zeroup*'  # W32/Renos.Downloader
        - 'Mozilla/5.0 (Windows NT 5.1 ; v.*'  # Kazy
        - '* adlib/*'  # https://goo.gl/gcAHoh
        - '* tiny'  # Trojan Downloader
        - '* BGroom *'  # Trojan Downloader
        - '* changhuatong'
        - '* CholTBAgent'
        - 'Mozilla/5.0 WinInet'
        - 'RookIE/1.0'
        - 'M'  # HkMain
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'  # Egamipload - old UA - probable prone to false positives
        - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)'  # Yakes
        - 'backdoorbot'
        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)'  # Sality
        - 'Opera/8.81 (Windows NT 6.0; U; en)'  # Sality
        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)'  # Sality
        - 'Opera'  # Trojan Keragany
        - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)'  # Fareit
        - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'  # Webshell's back connect
        - 'MSIE'  # Toby web shell
        - '*(Charon; Inferno)'  # Loki Bot
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)'  # Fareit / Pony
        - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'  # https://goo.gl/g43qjs
        - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)'  # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
        - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'  # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
        # Ursnif
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
        # Emotet
        - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)'  # https://twitter.com/webbthewombat/status/1225827092132179968
        # Others
        - '* pxyscand*'
        - '* asd'
        - '* mdms'
        - 'sample'
        - 'nocase'
        - 'Moxilla'
        - 'Win32 *'
        - '*Microsoft Internet Explorer*'
        - 'agent *'
        - 'AutoIt'  # Suspicious - base-lining recommended
        - 'IczelionDownLoad'
    condition: selection
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - Unknown
level: high
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`title: Malware User Agent`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 5c84856b-55a5-45f1-826f-13f37250cf4e`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`status: experimental`
			`description: Detects suspicious user agent strings used by malware in proxy logs`
Change "reference" to "references" to match new schema 2018-01-27 23:12:19 +00:00			`references:`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules`
			`- http://www.botopedia.org/search?searchword=scan&searchphrase=all`
			`- https://networkraptor.blogspot.com/2015/01/user-agent-strings.html`
			`- https://perishablepress.com/blacklist/ua-2013.txt`
			`- https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents`
			`author: Florian Roth`
fix: fixed missing date fields in proxy rules 2020-01-30 14:20:52 +00:00			`date: 2017/07/08`
att&ck tags review: application, apt, cloud, generic, proxy 2020-09-03 14:16:47 +00:00			`modified: 2020/09/03`
			`tags:`
			`- attack.command_and_control`
			`- attack.t1071.001`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`logsource:`
Fixed rules * Replaced unspecified logsource attribute 'type' with 'category' * Usage of service 'auth' for linux logs 2017-09-10 22:35:52 +00:00			`category: proxy`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`detection:`
			`selection:`
Fixed proxy rule field names 2019-12-06 23:11:33 +00:00			`c-useragent:`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`# RATs`
			`- 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK`
			`- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439`
			`- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439`
			`- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' # Used by PlugX - old - https://goo.gl/Yfjtk5`
			`- 'HttpBrowser/1.0' # HTTPBrowser RAT`
			`- '<\|>' # Houdini / Iniduoh / njRAT`
			`- 'nsis_inetc (mozilla)' # ZeroAccess`
			`- 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre`
Rule: Proxy UAs - malware - Ghost419 https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/ 2018-02-03 13:47:04 +00:00			`# Ghost419 https://goo.gl/rW1yvZ`
			`- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'`

User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`# Malware`
			`- 'zeroup' # W32/Renos.Downloader`
			`- 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy`
			`- '* adlib/*' # https://goo.gl/gcAHoh`
			`- '* tiny' # Trojan Downloader`
			`- '* BGroom *' # Trojan Downloader`
			`- '* changhuatong'`
			`- '* CholTBAgent'`
			`- 'Mozilla/5.0 WinInet'`
			`- 'RookIE/1.0'`
			`- 'M' # HkMain`
			`- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives`
			`- 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes`
			`- 'backdoorbot'`
			`- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality`
			`- 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality`
			`- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality`
			`- 'Opera' # Trojan Keragany`
			`- 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit`
			`- 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect`
			`- 'MSIE' # Toby web shell`
Rule update: Proxy UA > Loki Bot 2018-02-12 09:08:32 +00:00			`- '*(Charon; Inferno)' # Loki Bot`
Rule: Pony / Fareit UA 2018-03-01 08:28:04 +00:00			`- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony`
rule: new malware UA 2018-10-10 13:27:44 +00:00			`- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://goo.gl/g43qjs`
Rule: proxy user agents updated with MacControl user agent 2018-12-17 13:18:03 +00:00			`- 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again`
rule: proxy malware ua - Zebrocy 2019-10-26 12:20:29 +00:00			`- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/`
Added Ursnif user agents 2019-11-12 07:52:37 +00:00			`# Ursnif`
			`- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'`
			`- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'`
rule: added Emotet UA https://twitter.com/webbthewombat/status/1225827092132179968 2020-02-08 09:37:56 +00:00			`# Emotet`
			`- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968`
fix: fixed missing date fields in proxy rules 2020-01-30 14:20:52 +00:00			`# Others`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`- '* pxyscand*'`
			`- '* asd'`
			`- '* mdms'`
			`- 'sample'`
			`- 'nocase'`
			`- 'Moxilla'`
			`- 'Win32 *'`
			`- 'Microsoft Internet Explorer'`
			`- 'agent *'`
			`- 'AutoIt' # Suspicious - base-lining recommended`
			`- 'IczelionDownLoad'`
			`condition: selection`
Added field names to first rules 2017-09-12 21:54:04 +00:00			`fields:`
			`- ClientIP`
Fixed proxy rule field names 2019-12-06 23:11:33 +00:00			`- c-uri`
			`- c-useragent`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`falsepositives:`
			`- Unknown`
			`level: high`