ImBetter C2 Panel 1f52021a

Detects the ImBetter stealer C2 panel page.

Using the SVG path data we can confidently detect the SVG element that is used for the login page logo.

References

IOK Rule

title: ImBetter C2 Panel 1f52021a
description: |
  Detects the `ImBetter` stealer C2 panel page.

  Using the SVG path data we can confidently detect
  the SVG element that is used for the login page
  logo.

references:
  - https://www.bridewell.com/insights/blogs/detail/threat-advisory-bridewell-malware-impersonating-online-tools-and-video-games
  - https://twitter.com/bridewellsec/status/1631349963840970757

detection:

  svgData:
    html|contains|all:
      - 'M6 19C6 16.7909 8.68629 15 12 15C15.3137 15 18 16.7909 18 19'
      - 'M12 12C14.2091 12 16 10.2091 16 8C16 5.79086 14.2091 4 12 4C9.79086 4 8 5.79086 8 8C8 10.2091 9.79086 12 12 12Z'

  authScript:
    requests|contains: 'auf.js'

  imageFile:
    requests|contains: '114cd0fcfa927565b082.png'

  condition: svgData and (authScript or imageFile)

tags:
  - threat_actor.arv6
  - malware.imbetter
  - malware
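The rule's three selectors and its condition, evaluated over a captured page as an added example (not phish.report's IOK engine); the HTML and request URLs are constructed, and `example.invalid` is a placeholder host. It also shows why the condition is written the way it is: the SVG paths alone do not fire the rule unless one of the two requested files is seen as well.

```python
"""Evaluate the ImBetter IOK rule above against a captured page (added example)."""

# Indicator values taken verbatim from the rule.
SVG_PATHS = [
    'M6 19C6 16.7909 8.68629 15 12 15C15.3137 15 18 16.7909 18 19',
    'M12 12C14.2091 12 16 10.2091 16 8C16 5.79086 14.2091 4 12 4C9.79086 4 8 5.79086 8 8C8 10.2091 9.79086 12 12 12Z',
]
AUTH_SCRIPT = 'auf.js'
IMAGE_FILE = '114cd0fcfa927565b082.png'


def contains_all(haystack: str, needles) -> bool:
    """`html|contains|all`: every listed string must appear in the page HTML."""
    return all(n in haystack for n in needles)


def any_request_contains(requests, needle: str) -> bool:
    """`requests|contains`: true if any URL the page requested contains the string."""
    return any(needle in url for url in requests)


def evaluate(html: str, requests) -> dict:
    """Return each selector's result and the rule's final `condition`."""
    svg_data = contains_all(html, SVG_PATHS)
    auth_script = any_request_contains(requests, AUTH_SCRIPT)
    image_file = any_request_contains(requests, IMAGE_FILE)
    matched = svg_data and (auth_script or image_file)
    return {"svgData": svg_data, "authScript": auth_script,
            "imageFile": image_file, "matched": matched}


# Constructed capture: a login page whose inline logo SVG carries both path segments
# and which loads the auth script named in the rule.
SAMPLE_HTML = ('<html><body><form><svg viewBox="0 0 24 24"><path d="' + SVG_PATHS[1] + '"/>'
               '<path d="' + SVG_PATHS[0] + '"/></svg><input name="password"></form></body></html>')
SAMPLE_REQUESTS = ["https://example.invalid/panel/", "https://example.invalid/static/auf.js"]

# Constructed capture: same SVG markup, but neither 'auf.js' nor the PNG is requested,
# so the condition `svgData and (authScript or imageFile)` must evaluate to False.
BENIGN_HTML = SAMPLE_HTML
BENIGN_REQUESTS = ["https://example.invalid/", "https://example.invalid/app.js"]

if __name__ == "__main__":
    print(evaluate(SAMPLE_HTML, SAMPLE_REQUESTS))   # matched: True (svgData + authScript)
    print(evaluate(BENIGN_HTML, BENIGN_REQUESTS))   # matched: False (svgData only)
```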