Comments (11)

nocomp avatar nocomp commented on June 5, 2024 1

Hello! It looks like your server answers with a status code of 200 when ChopChop asks for "/images/imgpaper.png" and others.
Can you please try this command to see if it still answers with a status_code of 200:
"curl -D - https://xxxxxxxxx.xxxxxxxxx/ico/VidT6cErs"
Thanks!

Hi,
Thanks for the reply. All the files are here, I've downloaded them and I'll do some forensics and get back to you on whether they are false positives or not.
Thanks a lot!
#asmpowa #mesbeauxparentshabitentennezat

from chopchop.

woundride avatar woundride commented on June 5, 2024 1

Hi nocomp, Hi Paul,
I've solved this issue by adding new settings in the rules.
I've downloaded a sample of the Trickbot payload and I've tried it on Apache, but I don't get the same headers as with Nginx. For more accuracy I've created 2 rules.
See my last pull request.

DloomPlz avatar DloomPlz commented on June 5, 2024

Hello! It looks like your server answers with a status code of 200 when ChopChop asks for "/images/imgpaper.png" and others.
Can you please try this command to see if it still answers with a status_code of 200:
"curl -D - https://xxxxxxxxx.xxxxxxxxx/ico/VidT6cErs"
Thanks!

PaulSec avatar PaulSec commented on June 5, 2024

Those rules have been created by @woundride in order to test for the presence of the "Trickbot" trojan based on specific files (in our case, images).

If you got this output, it means all those requests got a status_code of 200, either because:

  1. the file is present (and might be benign)
  2. the webserver sent a 200 for some reason.

Feel free to let us know in any case. Happy to help!

nocomp avatar nocomp commented on June 5, 2024

What's weird is that if I http these files I get a 404, but I can wget them.
Can you explain please? Feeling confused.

PaulSec avatar PaulSec commented on June 5, 2024

Perfect!

You are more than welcome. I will close the ticket for the moment but feel free to re-open it if you think that those are false positives and see how we can tweak that.

#YellowArmyPowa :)

nocomp avatar nocomp commented on June 5, 2024

Hi Paul, last question:
can you please explain to me how come I can wget http://server.com/images/redcar.png but if I http it, I get a 404, and on the server there is no such file?
Drives me nuts...
Deobfuscating all the JS atm... #whataday...

Thanks for your time!

nocomp avatar nocomp commented on June 5, 2024

I'm just an idiot, it's a user agent matter, sorry.
Thanks for the great tool.
#63powa

nocomp avatar nocomp commented on June 5, 2024

Hi Paul,
a quick update regarding the detection:

From what I read, ChopChop detects if such a file exists; if yes (200) we get a detection warning.

For example, if you scan http://179.150.226.35.bc.googleusercontent.com:90/
you'll get

| URL | Endpoint | Severity | Plugin | Remediation |
|---|---|---|---|---|
| http://179.150.226.35.bc.googleusercontent.com:90/ | /tmui/login.jsp/..;/tmui/system/user/authproperties.jsp | High | F5 BIG-IP - CVE-2020-5902 | Apply patch - F5 K52145254 |
| http://179.150.226.35.bc.googleusercontent.com:90/ | /images/imgpaper.png | High | Possible Trickbot Trojan Payload hosting imgpaper.png | Make sure your system is'nt compromised |
| http://179.150.226.35.bc.googleusercontent.com:90/ | /images/cursor.png | High | Possible Trickbot Trojan Payload hosting cursor.png | Make sure your system is'nt compromised |
| http://179.150.226.35.bc.googleusercontent.com:90/ | /images/redcar.png | High | Possible Trickbot Trojan Payload hosting redcar.png | Make sure your system is'nt compromised |
| http://179.150.226.35.bc.googleusercontent.com:90/ | /ico/VidT6cErs | High | Possible Trickbot Trojan Payload hosting VidT6cErs | Make sure your system is'nt compromised |

Then I had a look at the source of the detection rule,
https://urlhaus.abuse.ch/browse.php?search=%2Fimages%2Fimgpaper.png

I downloaded imgpaper from one of these sites and ran it in a sandbox; it's a PE executable.
When I inspect the same file on the link I gave you above, it's HTML inside, like when you wget index.php.

Any idea what is happening????

Thanks for your time

PaulSec avatar PaulSec commented on June 5, 2024

Interesting, I guess that's because the webapp (and the underlying reverse proxy) messes up by sending another status code (we could expect a 404 for a resource not found), like a 200 for a non-existing resource.

nocomp avatar nocomp commented on June 5, 2024

I agree Paul, I pressed the red button due to the kind of warning; I had to take a decision, no regrets, but happy to see it was a false positive in the end.
Any way of improving the detection rules?
Let me know if I can help.
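The thread boils down to one failure mode of "does this path return 200" checks: a server (or its reverse proxy) that answers 200 with its HTML index for any path, so every Trickbot-payload rule fires at once, while the real sample from URLhaus is a PE executable. The following is an added example, not ChopChop's own code and not a feature of its rule format: it probes a random canary path to find out whether the server is a catch-all, then sniffs the leading bytes of each 200 body so an HTML page under an image path is reported as a soft 404 and a PE executable under an image or icon path as suspicious. The base URL `http://example.invalid`, the `fake_fetch` server and the PNG/PE/HTML bodies are constructed for the demo; the paths are the ones from the scan output above.

```python
# Added example (not ChopChop's own code): a post-filter for "file exists"
# style findings. It probes a random canary path to learn whether the server
# answers 200 for everything, then sniffs the bytes of each 200 response so
# that an HTML page served under an image path is reported as a soft 404
# rather than as a hosted payload. Server, URLs and bodies below are constructed.
import secrets
from dataclasses import dataclass

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PE_MAGIC = b"MZ"  # DOS header that every PE executable starts with


@dataclass
class Response:
    status: int
    body: bytes


def sniff(body: bytes) -> str:
    """Classify a body by its leading bytes: 'png', 'pe', 'html' or 'unknown'."""
    if body.startswith(PNG_MAGIC):
        return "png"
    if body.startswith(PE_MAGIC):
        return "pe"
    head = body[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")) or b"<html" in head:
        return "html"
    return "unknown"


def classify(path: str, resp: Response) -> str:
    """Label a single endpoint hit.

    not-found  : status other than 200
    soft-404   : 200, but the body is an HTML page (index served for any path)
    benign     : 200 and the body is a real PNG under a .png path
    suspicious : 200 and the body is a PE executable under an image/icon path
    unverified : 200 with content the sniffer cannot classify
    """
    if resp.status != 200:
        return "not-found"
    kind = sniff(resp.body)
    if kind == "html":
        return "soft-404"
    if kind == "pe":
        return "suspicious"
    if kind == "png" and path.lower().endswith(".png"):
        return "benign"
    return "unverified"


def verify_hits(fetch, base: str, paths):
    """Return (catch_all, {path: label}). `fetch(url)` must return a Response.

    catch_all is True when a random path that cannot exist still gets a 200,
    which means a bare status-code check proves nothing on this server.
    """
    canary = f"{base}/{secrets.token_hex(8)}.png"
    catch_all = fetch(canary).status == 200
    labels = {p: classify(p, fetch(base + p)) for p in paths}
    return catch_all, labels


# --- constructed fake server standing in for the host discussed in the thread ---
BASE = "http://example.invalid"  # placeholder, not the real host
FAKE_HTML = b"<!DOCTYPE html><html><body>index</body></html>"
FAKE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR"
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"

KNOWN_FILES = {
    "/images/cursor.png": Response(200, FAKE_PNG),  # a genuine image
    "/ico/VidT6cErs": Response(200, FAKE_PE),       # executable under an icon path
}


def fake_fetch(url: str) -> Response:
    """Answers 200 with the HTML index for every unknown path, as the thread observed."""
    return KNOWN_FILES.get(url[len(BASE):], Response(200, FAKE_HTML))


def demo():
    hits = ["/images/imgpaper.png", "/images/cursor.png",
            "/images/redcar.png", "/ico/VidT6cErs"]
    return verify_hits(fake_fetch, BASE, hits)


if __name__ == "__main__":
    catch_all, labels = demo()
    print("server answers 200 to any path:", catch_all)
    for path, label in labels.items():
        print(f"{label:<10} {path}")
```

Against the constructed server, `demo()` reports the canary as a 200 (so the server is a catch-all), labels `/images/imgpaper.png` and `/images/redcar.png` as soft 404s, `/images/cursor.png` as a benign PNG and `/ico/VidT6cErs` as suspicious. The user-agent dependence nocomp ran into (wget and httpie getting different answers) is not modelled here; a real `fetch` should send the same User-Agent the scanner uses, since the page found that the answer changes with it.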
