
Library/plugin for Malware obscuring HTTP GET/POST data



Hi all,
Wasn't sure if there was a better location for posting this - happy to be corrected...

As a SOC Analyst I deal with lots of malware/PUPs. Recently we have seen a lot of (probably) PUPs sending data using a particular pattern.
I want to be able to decode it to check if any of the data is exfiltrated data from the client networks.

In short:
[+] Have any of you seen this format for data being sent via HTTP POST or GET requests?
[+] Do you recognise it as using a particular library/substitution/method?
[+] Can you advise how I can decode it?

I'm pretty sure it's just a plain substitution cipher, with pairs of characters matching a-z, A-Z, 0-9 (plus some symbols)
I've seen 68 different char pairs with a fairly normal frequency distribution.

I can't post the data from our client network in case it is confidential, but through Googling I've found a variety of samples on malware sites and on VirusTotal.
Here are some to see if they jog anyone's memory:
From some example URIs like this one, it is the encoded parameter "cd=".

More examples:

It is interesting to note that some of the POST data from our logs is much longer than these samples, but always uses the same sets of character pairs.


Many thanks for your help!
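An added triage script (not the poster's code, and not a decoder for the real traffic) that does what the post describes by hand: split a parameter value into character pairs, count the distinct pairs and their frequencies, and compare the token entropy with the maximum for that pair alphabet. A plain 1:1 substitution preserves the plaintext's character statistics, so a low ratio means frequency analysis is worth trying, while a ratio near 1.0 points to compressed or encrypted content. The sample value and the pair table are constructed for the demo.

```python
"""Triage helper for a suspected two-character substitution encoding.

Added example, not the poster's code. The pair table and sample value are
CONSTRUCTED; they are not the real "cd=" encoding from the post.
"""
from collections import Counter
import math
import string

def split_pairs(value: str) -> list[str]:
    """Non-overlapping 2-char tokens; an odd trailing char becomes a 1-char token."""
    return [value[i:i + 2] for i in range(0, len(value), 2)]

def symbol_entropy(tokens: list[str]) -> float:
    """Shannon entropy (bits per token) of a token sequence."""
    counts = Counter(tokens)
    n = len(tokens)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def pair_profile(value: str) -> dict:
    """Frequency profile of the pair tokens in an encoded parameter value."""
    pairs = split_pairs(value)
    counts = Counter(pairs)
    h = symbol_entropy(pairs)
    max_h = math.log2(len(counts)) if len(counts) > 1 else 0.0
    return {
        "tokens": len(pairs),
        "distinct": len(counts),                 # compare with the ~68 pairs seen
        "entropy_bits": round(h, 3),
        "entropy_ratio": round(h / max_h, 3) if max_h else 0.0,
        "top5": counts.most_common(5),           # candidates for space/e/t if plaintext
        "odd_length": len(value) % 2 == 1,       # a pair scheme should never be odd
    }

# --- constructed demo data: a toy 1:1 pair table standing in for the unknown scheme ---
_CODES = [a + b for a in "abcd" for b in string.ascii_uppercase]  # 104 two-char codes

def toy_encode(plaintext: str) -> str:
    """Map each distinct plaintext char to a fixed pair (constructed, for the demo only)."""
    table = {ch: _CODES[i] for i, ch in enumerate(sorted(set(plaintext)))}
    return "".join(table[ch] for ch in plaintext)

SAMPLE_PLAINTEXT = "the quick brown fox jumps over the lazy dog"   # constructed
SAMPLE_VALUE = toy_encode(SAMPLE_PLAINTEXT)                       # stands in for cd=...

if __name__ == "__main__":
    print(pair_profile(SAMPLE_VALUE))
```

Run it on a real parameter value by replacing SAMPLE_VALUE; a distinct count near the alphabet size you expect together with a ratio well below 1.0 is the signature of substituted plaintext.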
