Yara rules and network detection for Operation Hangover

May 23, 2013  |  Jaime Blasco

Last week, our friends from Norman published a great report on a cyber espionage campaign named Operation Hangover. 

We have released some Yara rules to detect most of the payloads mentioned on the paper. You can download the rules from our Github space:

[Screenshot 2013-05-23 12.20.00: image not preserved]

The Hangover attackers have also been using several payloads with network capabilities to steal data (including documents and keystrokes) and to download additional payloads. The following are some examples of the network traffic generated by these payloads:

- Smackdown Minapro

[Screenshot 2013-05-23 12.31.30: image not preserved]

- Hangover

[Screenshot 2013-05-23 12.33.32: image not preserved]

- Several keyloggers and data harvesters

[Screenshot 2013-05-23 12.37.43: image not preserved]

Some of the network requests made by these payloads were already covered by Emerging Threats Snort rules months before Operation Hangover was uncovered, so our product had been alerting on these connections for at least several weeks.

[Screenshot 2013-05-23 12.42.49: image not preserved]

AlienVault Unified Security Management (USM) will detect all the threats mentioned in this blog post (and it is available as a free 30-day trial download).


Tags: malware, apt, hangover
