Hi,

I am not sure whether the communication is over HTTP or HTTPS, and I don't have pcaps to verify. I am submitting these together because they originate from the same source and are interrelated.

# --------------------
# Date: 2018-06-08
# Title: PLEAD Downloader Used by BlackTech
# Tests: syntax only
# Reference:
#     - https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html
#     - https://www.lac.co.jp/lacwatch/people/20180425_001625.html
#     - https://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html
# Confidence: low

# PLEAD downloader, first stage: outbound GET carrying the fixed "Mozilla/4.0 (compatible; MSIE 8.0)"
# User-Agent, a URI containing ".png", and no Connection, Accept or Referer header at all.
# NOTE(review): the UA content has no trailing |0D 0A|, so any UA that merely starts with this string also
# matches; terminate it with |0D 0A| if the report shows the full UA is exactly this.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0)"; fast_pattern:only; http_header; content:".png"; http_uri; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html; classtype:trojan-activity; sid:8000105; rev:1;)

# PLEAD downloader: GET to /index.php?id=<10 digits> (the pcre anchors the normalized URI so it ends in
# exactly ten digits), with a bare "Accept: */*" header, no Accept-* or Referer header, and neither "="
# nor ";" in the Cookie buffer.
# NOTE(review): how negated http_cookie contents evaluate when no Cookie header is present at all
# depends on the Snort version — confirm on the target engine.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?id="; fast_pattern:only; http_uri; content:"Accept: */*|0D 0A|"; http_header; content:!"="; http_cookie; content:!"|3B|"; http_cookie; content:!"Accept-"; http_header; content:!"Referer"; http_header; pcre:"/\/index\.php\x3fid\x3d[0-9]{10}$/U"; metadata:ruleset community, service http; reference:url,blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html; classtype:trojan-activity; sid:8000106; rev:1;)

# PLEAD downloader, POST variant of sid 8000106: same /index.php?id=<10 digits> URI and "Accept: */*"
# header, a form-urlencoded Content-Type, and no Accept-*, Referer or Cookie header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/index.php?id="; fast_pattern:only; http_uri; content:"Accept: */*|0D 0A|"; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header; content:!"Cookie"; http_header; pcre:"/\/index\.php\x3fid\x3d[0-9]{10}$/U"; metadata:ruleset community, service http; reference:url,blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html; classtype:trojan-activity; sid:8000107; rev:1;)

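# TSCookie: GET to /Default.aspx with the fixed "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" User-Agent,
# a bare "Accept: */*" header, no Accept-* or Referer header, and neither "=" nor ";" in the Cookie buffer.
# Fix: the negated "Referer" content was the only one in this rule set without an http_header modifier, so
# it was evaluated against the whole payload rather than the header buffer; it now matches the sibling
# rules (sids 8000105-8000107, 8000109). Bump rev if this sid has already been deployed anywhere.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TSCookie outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)"; fast_pattern:only; http_header; content:"/Default.aspx"; http_uri; content:"Accept: */*|0D 0A|"; http_header; content:!"="; http_cookie; content:!"|3B|"; http_cookie; content:!"Accept-"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html; classtype:trojan-activity; sid:8000108; rev:1;)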

# TSCookie, POST variant of sid 8000108: same fixed "MSIE 8.0; Win32" User-Agent and /Default.aspx URI,
# a form-urlencoded Content-Type, and no Accept-*, Referer or Cookie header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TSCookie outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)"; fast_pattern:only; http_header; content:"/Default.aspx"; http_uri; content:"Accept: */*|0D 0A|"; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header; content:!"Cookie"; http_header; metadata:ruleset community, service http; reference:url,blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html; classtype:trojan-activity; sid:8000109; rev:1;)


Thanks.
YM