This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Detecting Slugin Backdoor Trojan Checkins

RSAAdmin
Beginner
Beginner
‎2014-01-17 11:32 AM

The Slugin Backdoor Trojan is a veteran piece of malware that has been around for about three years or more.  Once a host is infected by the malware, it will reach out to a webserver and notify the cyber criminal that an infected host is alive on the internet, along with other local machine information.  This is what the notification traffic looks like:

 

slugin1.JPG.jpg

Do you see the query string that follows the question mark in the get request?  That is base64 encoded traffic.  This is what it looks like decoded:

 

ab0c2945-f56e-4976-812b-7d27ee8efcb3|az|2.1.12|5.1.3|COMPUTER-2QIWNS|user|1

As you can see, there is a unique identifier followed by version information, the computer name and information about the current logged in user.

 

The original sample of the infector file can be located here at VirusTotal.  As you can see there is wide agreement that this malware is "Slugin.A"

 

On a network, an infected host simply tries to checkin to the control server once.  This is what it looks like in SecurityAnalytics:

 

slugin2.JPG.jpg
slugin3.JPG.jpg

This is enough meta to explore whether or not this threat follows a predictable pattern.  I created a custom drill looking across our entire malware database for:

action=get && filename='process.php' && directory='/api' && query begins 'xy='

 

This is the result I saw:

 

slugin4.JPG.jpg

The behavior is indeed consistent across multiple Command Hosts.  But rather than using the complex drill above, it turns out that a simpler approach is to simply create a rule for the user-agent string of "pcicompliant/3.33"

 

It should be remarked that malware that masquerades as PCI Compliant traffic seems like an insidiously clever idea.  However, with Security Analytics, it makes that traffic stick out like a sore thumb, which is what brought it to my attention in the first place.

 

All hosts shown above have been added to the FirstWatch C2 Domains list, and the malicious user-agent string should be added as a standalone rule or appended to the Malicious UA Strings feed previously posted here.

 

The rule would be called Slugin Trojan Traffic Detected and its contents would be:

client='pcicompliant/3.33'

 

Good luck and happy hunting.  A pcap is attached for demonstration and testing purposes.

slugin-traffic.pcap
slugin-traffic.pcap
© 2022 RSA Security LLC or its affiliates. All rights reserved.