Description
- This signature looks for POST requests to a web server's gate.php with no Referer header, a known pattern of bot command-and-control / trojan staging activity. Because this request is tied to multiple different types of generic malware, the specific family cannot be determined from a POST to gate.php alone. The next logical step is to correlate DNS requests and external hostnames to determine which malware the machine is infected with. Once the exact infection is determined, remediation can be performed.
Vector
- HTTP 80
Known False Positive Indicators
- This falsely trips on some mobile/PC games, specifically a casino game called 'Vegas Casino'. In the User-Agent field you will see 'VegasCasino/'; this is a known indicator of the signature tripping falsely. You will also see a correlating DNS request for d2umaha7wj35g2.cloudfront.net, and the same host in the payload.
Affected Host
Any/All (Associated Malware is generic and affected host could vary)
Classification
- Malware
Sentinel Signature
- TROJAN Trojan Generic - POST To gate.php with no referer
DNS Calls
- Correlating DNS requests can be found in logs to assist in FP verification
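As an added example (not part of the original article or the signature vendor's code), the triage flow described in the Description, Known False Positive Indicators and DNS Calls sections above, run over constructed sample logs: flag a POST to gate.php with no Referer, suppress the known 'VegasCasino/' user-agent false positive, and pull the same source host's DNS queries from a short window before the request so the analyst can pivot to the external hostname. The log formats, IP addresses, hostnames other than the cloudfront one named on the page, and the 60-second window are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample HTTP request log (not from the page). Fields: epoch time, source IP,
# method, Host header, path, Referer ("-" when absent) and the quoted User-Agent.
SAMPLE_HTTP = """\
1700000100 10.0.0.5 POST example-c2.invalid /gate.php - "Mozilla/4.0 (compatible; MSIE 6.0)"
1700000200 10.0.0.7 POST d2umaha7wj35g2.cloudfront.net /gate.php - "VegasCasino/2.1 (iPhone)"
1700000300 10.0.0.9 GET example.invalid /gate.php - "Mozilla/5.0"
1700000400 10.0.0.11 POST example.invalid /gate.php http://example.invalid/login "Mozilla/5.0"
1700000500 10.0.0.13 POST example.invalid /index.php - "Mozilla/5.0"
"""

# Constructed sample DNS query log (not from the page): epoch time, source IP, queried name.
SAMPLE_DNS = """\
1700000090 10.0.0.5 example-c2.invalid
1700000095 10.0.0.5 time.example.invalid
1700000190 10.0.0.7 d2umaha7wj35g2.cloudfront.net
1700000390 10.0.0.11 example.invalid
"""

HTTP_RE = re.compile(r'^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"$')
DNS_RE = re.compile(r'^(\d+)\s+(\S+)\s+(\S+)$')

# User-Agent prefixes the page identifies as known false positives for this signature.
KNOWN_FP_UA_PREFIXES = ("VegasCasino/",)


def parse_http(line: str) -> Optional[Dict]:
    """Parse one HTTP log line of the constructed format; return None on mismatch."""
    m = HTTP_RE.match(line.strip())
    if not m:
        return None
    ts, src_ip, method, host, path, referer, ua = m.groups()
    return {"ts": int(ts), "src_ip": src_ip, "method": method, "host": host,
            "path": path, "referer": referer, "ua": ua}


def parse_dns(line: str) -> Optional[Dict]:
    """Parse one DNS query log line of the constructed format; return None on mismatch."""
    m = DNS_RE.match(line.strip())
    if not m:
        return None
    ts, src_ip, qname = m.groups()
    return {"ts": int(ts), "src_ip": src_ip, "qname": qname}


def matches_signature(rec: Dict) -> bool:
    """POST whose path ends in gate.php (query string ignored) with no Referer header."""
    basename = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return rec["method"] == "POST" and basename == "gate.php" and rec["referer"] == "-"


def is_known_false_positive(rec: Dict) -> bool:
    """True when the User-Agent carries a prefix the page lists as a benign trigger."""
    return rec["ua"].startswith(KNOWN_FP_UA_PREFIXES)


def correlate_dns(rec: Dict, dns_records: List[Dict], window: int = 60) -> List[str]:
    """Names the same source IP queried within `window` seconds before the POST."""
    return sorted({d["qname"] for d in dns_records
                   if d["src_ip"] == rec["src_ip"] and 0 <= rec["ts"] - d["ts"] <= window})


def triage(http_text: str, dns_text: str) -> List[Dict]:
    """Return one verdict per signature hit: 'alert' or 'suppressed_fp', plus DNS context."""
    dns_records = [d for d in (parse_dns(l) for l in dns_text.splitlines()) if d]
    results = []
    for rec in (parse_http(l) for l in http_text.splitlines()):
        if rec is None or not matches_signature(rec):
            continue
        verdict = "suppressed_fp" if is_known_false_positive(rec) else "alert"
        results.append({"src_ip": rec["src_ip"], "host": rec["host"],
                        "verdict": verdict, "dns": correlate_dns(rec, dns_records)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_HTTP, SAMPLE_DNS):
        print(r)
```

The GET request, the POST with a Referer and the POST to index.php never match, so only two records reach triage: the generic-browser POST is raised as an alert with its preceding DNS lookups attached for the analyst to pivot on, while the 'VegasCasino/' POST is tagged as a known false positive rather than dropped, so the suppression itself stays visible in the output.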