Yara rules and network detection for Operation Hangover

May 23, 2013 | Jaime Blasco

Last week, our friends from Norman published a great report on a cyber espionage campaign named Operation Hangover. 

We have released a set of Yara rules to detect most of the payloads described in the paper. You can download the rules from our Github space:

The Hangover attackers have also been using several payloads with network capabilities to steal data (documents and keystrokes) and to download further payloads. The following are some examples of the network traffic generated by these payloads:

- Smackdown Minapro (screenshot of network traffic)
- Hangover (screenshot of network traffic)
- Several keyloggers and data harvesters (screenshot of network traffic)

Some of the network requests made by these payloads were already covered by Snort rules (Emerging Threats) months before Operation Hangover was uncovered, so our product had been alerting on these connections for at least several weeks.


AlienVault Unified Security Management (USM) detects all the threats mentioned in this blog post (and it’s available as a free 30-day trial download).

Jaime Blasco

About the Author: Jaime Blasco

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientist at AlienVault. Prior to that, he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
