Closed corumir closed 3 months ago
This one is interesting. I am seeing a sort of hash collision with the html_hash field. The supplied HTML hash matches the intended "RESPONSE" page
But it also appears to match a version of the pfSense login page.
Now obviously the response headers are different.
SpiceRAT: (screenshot not captured)
pfSense: (screenshot not captured)
Given this I will add the response hash as an additional condition that must be met. So the search will be "http.headers_hash:1955818171 http.html_hash:114440660". I will add this and you should see the IPs in the next update cycle.
Commit: https://github.com/montysecurity/C2-Tracker/commit/3c755c8bb29b173c6280dda7638bf51a72e4f349
https://hunt.io/blog/the-secret-ingredient-unearthing-suspected-spicerat-infrastructure-via-html-response
http.html_hash:114440660 https://www.shodan.io/search?query=http.html_hash%3A114440660
This is the most stable response I can find for the SpiceRAT C2 in Shodan. It catches the HTTP/Port 80 C2 but doesn't cover the TLS versions. Those are harder to boil into one query, though I suspect it's possible.
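The two comments above (the html_hash-only query, and the fix of requiring http.headers_hash as well) can be reproduced offline. The following is an added example written for this page, not code from the C2-Tracker project or from Shodan. It assumes that Shodan's http.html_hash and http.headers_hash are 32-bit MurmurHash3 values (signed, mmh3-style) over the response body and the header block; the thread does not say so, and Shodan's input normalisation may differ, so the numbers it produces will not equal 114440660 or 1955818171. The three HTTP responses and the IPs are constructed: the C2 and the pfSense look-alike return byte-identical bodies, which is what an html_hash collision looks like in practice, and only their header blocks differ.

```python
"""Added example: why a body-only Shodan fingerprint collides and how a second
hash condition disambiguates it.  Hash algorithm is an assumption, see lead-in."""
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (reference algorithm), returned as a signed 32-bit
    int the way mmh3.hash() and Shodan's hash fields present it."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte little-endian blocks
        k1 = struct.unpack_from("<I", data, i * 4)[0]
        k1 = _rotl32((k1 * c1) & MASK32, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]                     # 0..3 trailing bytes
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if tail:
        k1 ^= tail[0]
        k1 = _rotl32((k1 * c1) & MASK32, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
    h1 ^= len(data)                               # finalisation (fmix32)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def fingerprint(raw_response: bytes) -> dict:
    """Split a raw HTTP response into header block and body and hash each
    (assumed to mirror http.headers_hash / http.html_hash)."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    return {"headers_hash": murmur3_32(head), "html_hash": murmur3_32(body)}


def shodan_query(fp: dict) -> str:
    """Combined query in the form used in the thread: both filters must hold."""
    return f"http.headers_hash:{fp['headers_hash']} http.html_hash:{fp['html_hash']}"


def select_hosts(hosts, reference: bytes, require_headers: bool) -> list:
    """IPs whose response matches the reference: body hash only (the original,
    colliding query) or body hash AND header-block hash (the fixed query)."""
    ref = fingerprint(reference)
    hits = []
    for ip, raw in hosts:
        fp = fingerprint(raw)
        if fp["html_hash"] != ref["html_hash"]:
            continue
        if require_headers and fp["headers_hash"] != ref["headers_hash"]:
            continue
        hits.append(ip)
    return hits


# Constructed sample responses, not real captures.  The C2 and the pfSense
# look-alike share a byte-identical body; only their header blocks differ.
LOGIN_BODY = (b"<html><head><title>Login</title></head><body>"
              b"<form method=\"post\"><input name=\"user\">"
              b"<input name=\"pass\" type=\"password\"></form></body></html>")
SPICERAT_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
                     b"Connection: close\r\n\r\n" + LOGIN_BODY)
PFSENSE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                    b"Content-Type: text/html; charset=UTF-8\r\n"
                    b"X-Frame-Options: SAMEORIGIN\r\n"
                    b"Set-Cookie: PHPSESSID=constructed; HttpOnly\r\n\r\n" + LOGIN_BODY)
APACHE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4\r\nContent-Type: text/html\r\n\r\n"
                   b"<html><body><h1>It works!</h1></body></html>")
HOSTS = [("203.0.113.10", SPICERAT_RESPONSE),   # the C2 we want (constructed IP)
         ("203.0.113.20", PFSENSE_RESPONSE),    # pfSense look-alike, same body
         ("203.0.113.30", APACHE_RESPONSE)]     # unrelated host

if __name__ == "__main__":
    print("html_hash only:", select_hosts(HOSTS, SPICERAT_RESPONSE, require_headers=False))
    print("both hashes   :", select_hosts(HOSTS, SPICERAT_RESPONSE, require_headers=True))
    print("query         :", shodan_query(fingerprint(SPICERAT_RESPONSE)))
```

Run stand-alone it lists both the C2 and the pfSense host under the body-only condition and only the C2 once the header-block hash is also required, then prints a query in the same shape as the one in the thread. Because a 32-bit body hash says nothing about who is serving the body, any single-hash pivot should be paired with a second, independently derived property before it feeds an IOC list.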