<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="color: rgb(0, 0, 0); font-family: Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols; font-size: 12pt;" dir="ltr">
<p style="margin-top:0; margin-bottom:0"><span style="font-size:11pt">Hi,</span></p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0"><span style="font-size:11pt">The signatures below cover the UDPOS point-of-sale malware. A pcap is available for this one. I opted for one rule per message type rather than bundling the message types into two rules.</span></p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0"></p>
<div><span style="font-size:11pt"><span style="font-family:Consolas,Courier,monospace; font-size:10pt">alert
</span><span style="font-family:Consolas,Courier,monospace; font-size:10pt">tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UDPOS external IP address check attempt"; flow:to_server,established; content:"User-Agent|3A 20|Browser|0D
 0A|"; fast_pattern:only; http_header; content:"/index.php?"; http_uri; content:"udpool="; distance:0; http_uri; metadata:ruleset community, service http; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection;
 classtype:trojan-activity; sid:9000025; rev:1;)</span></span></div>
<span style="font-size:11pt"><span style="font-family:Consolas,Courier,monospace; font-size:10pt"></span></span>
<div><br>
<span style="font-family:Consolas,Courier,monospace; font-size:10pt">alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|03|bin";
 offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x03bin(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/";
 metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity;
 sid:9000026; rev:1;)</span></div>
<span style="font-family:Consolas,Courier,monospace; font-size:10pt"></span>
<div><br>
<span style="font-family:Consolas,Courier,monospace; font-size:10pt">alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|03|trp";
 offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x03trp(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/";
 metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity;
 sid:9000027; rev:1;)</span></div>
<span style="font-family:Consolas,Courier,monospace; font-size:10pt"></span>
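<div><br>
<!-- review: the third label-length check in this rule read "byte_test:1,<40,35,0,relative", which is not valid byte_test syntax (the operator and value are fused and an extra argument is present), so the rule would fail to load; it is corrected here to "<,40,0,relative" to match the other checks in this rule. Note that the first three tests use "<,40" while the fourth uses "<=,40" and the pcre class [\x10-\x28] accepts a label length of 40 in every position; confirm which bound is intended against the pcap. -->
<span style="font-family:Consolas,Courier,monospace; font-size:10pt">alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|info";
 offset:16; byte_test:1,<,40,0,relative; byte_jump:1,0,relative; byte_test:1,<,40,0,relative; byte_jump:1,0,relative; byte_test:1,<,40,0,relative; byte_jump:1,0,relative; byte_test:1,<=,40,0,relative; pcre:"/[a-f0-9]{15}\x04info(([\x10-\x28][a-f0-9]{10,40}){4}).+\x00\x00/";
 metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity;
 sid:9000028; rev:1;)</span></div>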
<span style="font-family:Consolas,Courier,monospace; font-size:10pt"></span>
<div><br>
<span style="font-family:Consolas,Courier,monospace; font-size:10pt">alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|ping";
 offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x04ping(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/";
 metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity;
 sid:9000029; rev:1;)</span></div>
<div><span style="font-family:Consolas,Courier,monospace; font-size:10pt"></span><br>
<span style="font-family:Consolas,Courier,monospace; font-size:10pt">alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS data exfiltration via DNS attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|"; content:"|04|note";
 offset:16; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; byte_jump:1,0,relative; byte_test:1,<=,31,0,relative; pcre:"/[a-f0-9]{15}\x04note(([\x10-\x1f][a-f0-9]{10,31}){4}).+\x00\x00/";
 metadata:ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity;
 sid:9000030; rev:1;)</span></div>
<p></p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0"><span style="font-size:11pt">Thanks.</span></p>
<p style="margin-top:0; margin-bottom:0"><span style="font-size:11pt">YM</span></p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
</div>
</body>
</html>