The MedussaHTTP v20190812 rule flags potential HTTP-based lateral movement or command-and-control activity by matching strings associated with suspicious HTTP traffic patterns that may indicate an adversary exfiltrating data or establishing a persistent communication channel. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts that traditional detection methods may miss.
YARA Rule
rule MedussaHTTP_2019
{
    meta:
        author = "J from THL <[email protected]>"
        date = "2019-08-12"
        reference1 = "https://app.any.run/tasks/68c8f400-eba5-4d6c-b1f1-8b07d4c014a4/"
        reference2 = "https://www.netscout.com/blog/asert/medusahttp-ddos-slithers-back-spotlight"
        reference3 = "https://twitter.com/malware_traffic/status/1161034462983008261"
        version = 1
        maltype = "Bot"
        filetype = "memory"
        description = "MedussaHTTP v20190812"

    strings:
        // Plain ASCII keywords observed in the bot's memory (command and parameter names)
        $text01 = "|check|" ascii
        $text02 = "POST!" ascii
        $text03 = "httpactive" ascii
        $text04 = "httpstrong" ascii
        $text05 = "httppost" ascii
        $text06 = "slavicdragon" ascii
        $text07 = "slavicnodragon" ascii
        $text08 = "smartflood" ascii
        $text09 = "stop-all" ascii
        $text10 = "botkill" ascii
        $text11 = "updatehash" ascii
        $text12 = "xyz=" ascii
        $text13 = "abc=" ascii

    condition:
        // Fire only when at least 9 of the 13 strings are present
        9 of them
}
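To show how the "9 of them" threshold behaves on partial matches, here is an added example (not part of the original page or the rule author's tooling) that emulates the rule's string matching and condition in pure Python over constructed sample buffers; in production the rule should be compiled and run with YARA itself, this only illustrates why a buffer containing just the short, generic strings like "abc=" and "xyz=" does not trigger it.

```python
# The 13 plain-ASCII strings from the MedussaHTTP_2019 rule, keyed by identifier.
MEDUSSA_STRINGS = {
    "$text01": b"|check|",
    "$text02": b"POST!",
    "$text03": b"httpactive",
    "$text04": b"httpstrong",
    "$text05": b"httppost",
    "$text06": b"slavicdragon",
    "$text07": b"slavicnodragon",
    "$text08": b"smartflood",
    "$text09": b"stop-all",
    "$text10": b"botkill",
    "$text11": b"updatehash",
    "$text12": b"xyz=",
    "$text13": b"abc=",
}
THRESHOLD = 9  # the rule's condition: 9 of them


def match_strings(buf: bytes) -> list:
    """Return the identifiers of rule strings found in buf.

    A YARA 'ascii' string without modifiers is a case-sensitive substring
    search, so a plain bytes containment check reproduces it."""
    return sorted(name for name, pat in MEDUSSA_STRINGS.items() if pat in buf)


def rule_fires(buf: bytes) -> bool:
    """Emulate the condition: at least THRESHOLD distinct strings present."""
    return len(match_strings(buf)) >= THRESHOLD


# Constructed sample buffers (not real memory captures).
# 1) Nine distinct bot keywords, NUL-separated as they might sit in memory: fires.
HIT = (b"\x00|check|\x00POST!\x00httpactive\x00httpstrong\x00httppost\x00"
       b"slavicdragon\x00smartflood\x00stop-all\x00botkill\x00")
# 2) An ordinary form POST that only contains the two generic strings: does not fire.
BENIGN = (b"POST /login HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded"
          b"\r\n\r\nabc=1&xyz=2")
# 3) Eight keywords, one short of the threshold: does not fire.
NEAR_MISS = HIT.replace(b"botkill\x00", b"")

if __name__ == "__main__":
    for label, buf in (("hit", HIT), ("benign", BENIGN), ("near_miss", NEAR_MISS)):
        print(label, rule_fires(buf), match_strings(buf))
```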
Deployment notes: the rule's meta declares filetype = "memory", so it is intended for scanning process memory (memory dumps or live processes) rather than files on disk. Its detection logic contains 13 string patterns and fires when at least 9 of them are present. The following benign scenarios can produce activity resembling the behavior this rule is associated with; each comes with a suggested filter or exclusion for tuning in the SIEM.
Scenario: Legitimate scheduled backup job using rsync or Veeam
Filter/Exclusion: Check for process.name containing rsync, veeam, or backup and filter by process.parent.name being a known backup service or system process.
Scenario: System update via yum or apt with HTTP traffic
Filter/Exclusion: Filter by process.name containing yum or apt and exclude traffic to known package repositories (e.g., repo.packagemanager.org, archive.ubuntu.com).
Scenario: Admin performing remote management via SSH with HTTP-based management tools (e.g., Ansible, SaltStack)
Filter/Exclusion: Check for process.name containing ansible, salt, or ssh and ensure the traffic is not from a known internal management IP range.
Scenario: Internal monitoring tool (e.g., Prometheus, Grafana) pulling metrics over HTTP
Filter/Exclusion: Filter by process.name containing prometheus, grafana, or telegraf and verify the destination IP is within the internal monitoring network.
Scenario: Legitimate software update via Windows Update or WSUS using HTTP
Filter/Exclusion: Check for process.name containing wuauserv or wsus and filter by destination IP being a known internal WSUS server.