blue-team-tools/rules/web/proxy_generic/proxy_ua_malware.yml

title: Malware User Agent
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
status: test
description: Detects suspicious user agent strings used by malware in proxy logs
references:
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
    - http://www.botopedia.org/search?searchword=scan&searchphrase=all
    - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
    - https://perishablepress.com/blacklist/ua-2013.txt
    - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
    - https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
    - https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large
    - https://twitter.com/crep1x/status/1635034100213112833
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017/07/08
modified: 2023/04/12
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent:
        # RATs
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)' # Used by PlugX - old - https://goo.gl/Yfjtk5
            - 'HttpBrowser/1.0' # HTTPBrowser RAT
            - '*<|>*' # Houdini / Iniduoh / njRAT
            - 'nsis_inetc (mozilla)' # ZeroAccess
            - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
        # Ghost419 https://goo.gl/rW1yvZ
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
        # Malware
            - '*zeroup*' # W32/Renos.Downloader
            - 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
            - '* adlib/*' # https://goo.gl/gcAHoh
            - '* tiny' # Trojan Downloader
            - '* BGroom *' # Trojan Downloader
            - '* changhuatong'
            - '* CholTBAgent'
            - 'Mozilla/5.0 WinInet'
            - 'RookIE/1.0'
            - 'M' # HkMain
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives
            - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes
            - 'backdoorbot'
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality
            - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality
            - 'Opera' # Trojan Keragany
            - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit
            - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect
            - 'MSIE' # Toby web shell
            - '*(Charon; Inferno)' # Loki Bot
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://goo.gl/g43qjs
            - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
        # Ursnif
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
        # Emotet
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
        # Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)
            - 'Mozilla/5.0 (Windows NT 6.1)'
            - 'AppleWebkit/587.38 (KHTML, like Gecko)'
            - 'Chrome/91.0.4472.77'
            - 'Safari/537.36'
            - 'Edge/91.0.864.37'
            - 'Firefox/89.0'
            - 'Gecko/20100101'
        # Others
            - '* pxyscand*'
            - '* asd'
            - '* mdms'
            - 'sample'
            - 'nocase'
            - 'Moxilla'
            - 'Win32 *'
            - '*Microsoft Internet Explorer*'
            - 'agent *'
            - 'AutoIt' # Suspicious - base-lining recommended
            - 'IczelionDownLoad'
            - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
            - 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
            - 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
            - 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
            - 'antSword/v2.1' # AntSword Webshell UA
            - 'rqwrwqrqwrqw'  # Racoon Stealer
            - 'qwrqrwrqwrqwr'  # Racoon Stealer
            - 'rc2.0/client'  # Racoon Stealer
            - 'TakeMyPainBack'  # Racoon Stealer
            - 'xxx' # Racoon Stealer
            - '20112211' # Racoon Stealer
            - '23591' # Racoon Stealer
            - '901785252112' # Racoon Stealer
            - '1235125521512' # Racoon Stealer
            - '125122112551' # Racoon Stealer
            - 'B1D3N_RIM_MY_ASS' # Racoon Stealer
            - 'AYAYAYAY1337' # Racoon Stealer
            - 'iMightJustPayMySelfForAFeature' # Racoon Stealer
            - 'ForAFeature' # Racoon Stealer
            - 'Ares_ldr_v_*' # AresLoader
            # - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader
            - 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db
            - 'CLCTR' # https://github.com/silence-is-best/c2db
            - 'uploader' # https://github.com/silence-is-best/c2db
            - 'agent' # https://github.com/silence-is-best/c2db
            - 'License' # https://github.com/silence-is-best/c2db
            - 'vb wininet' # https://github.com/silence-is-best/c2db
            - 'Client' # https://github.com/silence-is-best/c2db
            - 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880
            - 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880
            - 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880
            - 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880
            - 'OK' #Nymaim - https://twitter.com/suyog41/status/1558051450797690880
            - 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
            - 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
    condition: selection
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - Unknown
level: high