Trojan.Gatak Post-Compromise

HTTP Method = POST
Content-type = image/png
HTTP URI regex = “\/[a-z]{4,8}\/[a-z]{3,10}\?[a-z_]{3,9}=[0-9]{2,8}&[a-z]{6,9}=[a-zA-Z0-9_*]{30,}$”

Content-type is *usually* “image/png”, but not always in my testing.

Examples:

famous.famoustattoos.net/booking/read?page=120&ylozseub=ZJRWYZFTYdqbPn*V22pQtQnJ25FsE6ucGAyeRJBo
popa.morgatory.com/sound/cat?n=18&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx
bog.judaicabyjosh.com/insight/flourence?banner_id=386514&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx
famous.famoustattoos.net/booking/read?page=120&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx
igg.niksonic.com/booking/read?page=120&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx
surio.cubicksplace.com/sound/cat?n=18&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx
inc.kevinmilligangallery.com/insight/flourence?banner_id=386514&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx
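The detection above as a runnable check (added here; not code from the original post or from Symantec): it applies the post's URI regex to a few constructed proxy log lines and reports the POST requests that match, treating the Content-Type as a confidence signal rather than a hard filter, since the post notes it is not always image/png. Note that, as written, the `[a-z_]{3,9}` quantifier on the first query parameter name does not match the `n=18` examples above, so the script also carries a relaxed variant using `{1,9}` (an assumption of this example, not the post's rule) and shows the difference. The log line format, the www.example.com hosts and the "high"/"medium" confidence labels are constructed for this example.

```python
import re
from typing import Dict, List

# URI regex exactly as given in the post (anchored at the end only, as in the post).
URI_PATTERN = (
    r"/[a-z]{4,8}/[a-z]{3,10}\?[a-z_]{3,9}=[0-9]{2,8}"
    r"&[a-z]{6,9}=[a-zA-Z0-9_*]{30,}$"
)
# Relaxed variant (assumption of this example): the first parameter name may be
# 1-9 characters so that URIs such as /sound/cat?n=18&... also match.
URI_PATTERN_RELAXED = (
    r"/[a-z]{4,8}/[a-z]{3,10}\?[a-z_]{1,9}=[0-9]{2,8}"
    r"&[a-z]{6,9}=[a-zA-Z0-9_*]{30,}$"
)

# Constructed proxy log: "<method> <host> <uri> <content-type>" per line.
# The first four URIs are the ones listed in the post; the last two are benign
# requests added here to show non-matches.
SAMPLE_LOG = """\
POST famous.famoustattoos.net /booking/read?page=120&ylozseub=ZJRWYZFTYdqbPn*V22pQtQnJ25FsE6ucGAyeRJBo image/png
POST popa.morgatory.com /sound/cat?n=18&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx image/png
POST bog.judaicabyjosh.com /insight/flourence?banner_id=386514&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx application/octet-stream
GET famous.famoustattoos.net /booking/read?page=120&ysqaux=ZJRWYZFTYdspwzffvaxjR25YJX0rngGx image/png
POST www.example.com /booking/read?page=120&session=abc image/png
POST www.example.com /images/logo.png image/png
"""


def uri_matches(uri: str, relaxed: bool = False) -> bool:
    """Return True if the URI (path + query) matches the Gatak beacon pattern."""
    pattern = URI_PATTERN_RELAXED if relaxed else URI_PATTERN
    return re.search(pattern, uri) is not None


def scan_log(log_text: str, relaxed: bool = False) -> List[Dict[str, str]]:
    """Return one hit per POST request whose URI matches the pattern.

    Content-Type is not used to filter: image/png raises confidence, anything
    else is still reported at lower confidence, per the post's observation.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, host, uri, content_type = line.split()
        if method != "POST":
            continue
        if not uri_matches(uri, relaxed=relaxed):
            continue
        hits.append(
            {
                "host": host,
                "uri": uri,
                "content_type": content_type,
                "confidence": "high" if content_type == "image/png" else "medium",
            }
        )
    return hits


if __name__ == "__main__":
    for label, relaxed in (("strict (post's regex)", False), ("relaxed", True)):
        print(f"== {label} ==")
        for hit in scan_log(SAMPLE_LOG, relaxed=relaxed):
            print(f"{hit['confidence']:6} {hit['host']} {hit['uri']} [{hit['content_type']}]")
```

Run stand-alone, the strict pass reports two of the constructed POST lines (the `n=18` request is missed); the relaxed pass reports three. The GET request and the two benign POSTs never match, because the method filter, the 30-plus character second parameter value and the path shape all have to agree.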

Reference: Symantec – Trojan.Gatak
