APT_CyberCriminal_Campagin_.../2019/2019.12.19.Operation_Wocao/operation-wocao_ioc/suricata.rules


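# FOX-SRT Suricata signatures published alongside the Operation Wocao whitepaper
# (same reference URL on every rule). All rules match raw TCP payload bytes;
# the TLS rules only see the unencrypted handshake (ClientHello / certificate).
#
# Correction in this copy: sid 21002457 (SOCKS5 proxy-mode start) was missing
# its closing ')' and would not have loaded; it also carries no rev keyword,
# unlike the other rules in the set.

# Backdoor command execution: "__PARAMETERS" + NUL + "cmd.exe /Q /c", followed by
# the UNC path \\127.0.0.1\ADMIN$\n (hex |5c5c| ... |245c6e| decoded).
alert tcp any any -> any any (msg:"FOX-SRT - Backdoor - CMD exec"; content:"__PARAMETERS|0000|cmd.exe /Q /c"; fast_pattern; content:"|5c5c|127.0.0.1|5c|ADMIN|245c6e|"; classtype:trojan-activity; priority:1; reference:url,https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/; sid:21002456; rev:1;)

# PowerShell dropper fragment: deletes the firewall rule named "powershell" via
# netsh, then invokes [xserver]::Main($args). Single content, so fast_pattern:only.
alert tcp any any -> any any (msg:"FOX-SRT - IOC - XServer/Agent - Powershell Dropper for XServer"; content:"action=allow |7c| out-null|0a|Add-Type $x|0a|netsh advfirewall firewall delete rule name=powershell |7c| out-null|3b0a0a|[xserver]::Main($args)|3b0a|"; fast_pattern:only; classtype:trojan-activity; priority:1; reference:url,https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/; sid:21002460; rev:2;)

# Exactly 10 payload bytes 05 00 00 01 00000000 0000: the layout of a SOCKS5 reply
# (VER=5, REP=0 succeeded, RSV, ATYP=1 IPv4, BND.ADDR 0.0.0.0, BND.PORT 0).
# Source port !1080 restricts this to proxies on a non-standard SOCKS port;
# legitimate SOCKS5 servers on other ports will also match (priority 3).
alert tcp any !1080 -> any any (msg:"FOX-SRT - IOC - XServer/Agent - Possible XServer Backdoor ProxyTransmit REPLY_OK"; dsize:10; content:"|05000001000000000000|"; fast_pattern:only; classtype:trojan-activity; priority:3; reference:url,https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/; sid:21002453; rev:4;)

# Same 10-byte reply layout with REP=5 (SOCKS5 "connection refused"); no port
# restriction, so ordinary SOCKS5 error replies on any port match as well.
alert tcp any any -> any any (msg:"FOX-SRT - IOC - XServer/Agent - Possible XServer Backdoor ProxyTransmit REPLY_ERROR"; dsize:10; content:"|05050001000000000000|"; fast_pattern:only; classtype:trojan-activity; priority:3; reference:url,https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/; sid:21002454; rev:3;)

# 3-byte client payload 05 01 00: SOCKS5 greeting offering one method (no auth).
# The stream_size constraints pin it to the first client data before the server
# has sent any (exact sequence-number accounting: verify against Suricata docs).
# Destination port !1080 again means non-standard proxy ports; expect benign hits.
# Fixed here: closing ')' was missing from the published rule. No rev keyword.
alert tcp any any -> any !1080 (msg:"FOX-SRT - IOC - XServer/Agent - Possible XServer Start SOCKS5 Proxy mode (ProxyTransmit)"; stream_size:server,=,1; stream_size:client,=,4; dsize:3; content:"|050100|"; fast_pattern:only; classtype:attempted-admin; reference:url,https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/; priority:3; sid:21002457;)

# TLS record header 16 03 (handshake), handshake type 01 (ClientHello) at offset 5,
# then an SNI extension (type 0x0000, length 9, list length 7, host_name type 0,
# name length 4) carrying the literal server name "Root".
# threshold limits this to one alert per source every 300 s.
alert tcp any any -> any any (msg:"FOX-SRT - IOC XServer/Agent - Suspicious Root SNI in SSL Client Hello"; flow:established; content:"|1603|"; depth:2; content:"|01|"; distance:3; within:1; content:"|000000090007000004|Root"; fast_pattern; threshold: type limit, track by_src, seconds 300, count 1; classtype:trojan-activity; priority:1; reference:url,https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/; sid:21002432; rev:1;)

# DER-encoded Name fragment: OID 2.5.4.10 (O) "Root", 2.5.4.11 (OU) "Root",
# 2.5.4.3 (CN) "Root" as UTF8Strings, i.e. a certificate subject/issuer of
# O=Root/OU=Root/CN=Root seen in the unencrypted certificate message.
alert tcp any any -> any any (msg:"FOX-SRT - IOC XServer/Agent - Suspicious O=Root/OU=Root/CN=Root Certificate"; flow:established; content:"|060355040a0c04526f6f74310d300b060355040b0c04526f6f74310d300b06035504030c04526f6f74|"; fast_pattern:only; threshold: type limit, track by_src, seconds 300, count 1; classtype:trojan-activity; priority:1; reference:url,https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/; sid:21002433; rev:1;)

# Full DER Name sequence (30 57) for C=US, ST=Some-State,
# O=Internet Widgits Pty Ltd, CN=Root CA. C/ST/O are the OpenSSL interactive
# default subject values, so any self-signed "Root CA" built with the defaults
# matches; tune or whitelist known internal test CAs before running at priority 1.
alert tcp any any -> any any (msg:"FOX-SRT - IOC XServer/Agent - Suspicious C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Root CA Certificate"; flow:established; content:"|3057310b30090603550406130255533113301106035504080c0a536f6d652d53746174653121301f060355040a0c18496e7465726e6574205769646769747320507479204c74643110300e06035504030c07526f6f74204341|"; fast_pattern:only; threshold: type limit, track by_src, seconds 300, count 1; classtype:trojan-activity; priority:1; reference:url,https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/; sid:21002455; rev:2;)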