From 69308b035aabf33f811684dbd6d98245bbc30a99 Mon Sep 17 00:00:00 2001
From: Florian Roth <venom14@gmail.com>
Date: Mon, 5 Sep 2022 16:50:26 +0200
Subject: [PATCH] rule: havana ransomware UA

---
 rules/proxy/proxy_ua_malware.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml
index 776098a02..793bf6d05 100644
--- a/rules/proxy/proxy_ua_malware.yml
+++ b/rules/proxy/proxy_ua_malware.yml
@@ -10,7 +10,7 @@ references:
   - https://perishablepress.com/blacklist/ua-2013.txt
   - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
 date: 2017/07/08
-modified: 2021/11/27
+modified: 2022/09/05
 logsource:
   category: proxy
 detection:
@@ -75,6 +75,7 @@ detection:
       - 'record'  # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
       - 'mozzzzzzzzzzz'  # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
       - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0'  # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
+      - 'Havana/0.1'  # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
   condition: selection
 fields:
   - ClientIP