NF – IOC – Classic-STUN Binding Request – Used by Dyre Malware

The rule detects UDP traffic containing a "Classic-STUN Binding Request" message associated with the Dyre malware. Dyre is a trojan that targets financial institutions and is known for its credential-stealing capabilities (www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan).

Categories:

ID Number

5003006

Signature

alert udp $HOME_NET any -> $EXTERNAL_NET 3478 (msg:"NF - IOC - Classic-STUN Binding Request - Used by Dyre Malware)"; dsize:28; content:"|00 01|"; depth:2; content:!"|21 12 a4 42|"; depth:4; detection_filter:track by_dst, count 1, seconds 15; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan; reference:url,networkforensic.dk; metadata:30062015; classtype:trojan-activity; sid:5003006; rev:2;)

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

Authorize the Link. If the link was approved in terms of the IP addresses and ports - archive and baseline the rule. If not - check the connection and investigate the relevant IP address, check if the IP address is new on the network and if there are additional alerts related to this IP address.