Onimai RAT C2 SSL Certificate - Detect

ID: onimai-rat-c2

Severity: info

Author: worldwidefuckfest

Tags: c2,ir,osint,malware,onimai,rat

Description

Onimai is a relatively new closed-source Remote Administration Trojan (RAT) based on Quasar.

YAML Source

id: onimai-rat-c2

info:
  name: Onimai RAT C2 SSL Certificate - Detect
  author: worldwidefuckfest
  severity: info
  description: |
    Onimai is a relatively new closed-source Remote Administration Trojan (RAT) based on Quasar.
  metadata:
    verified: true
    max-request: 1
    shodan-query: ssl.cert.subject.cn:"Onimai Academies CA"
    censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Onimai Academies CA"}'
  tags: c2,ir,osint,malware,onimai,rat

ssl:
  - address: "{{Host}}:{{Port}}"

    matchers:
      - type: word
        part: issuer_cn
        words:
          - "Onimai Academies CA"

    extractors:
      - type: json
        json:
          - " .issuer_cn"
# digest: 4b0a00483046022100f94c4cadf3710302fe73f0962b049c7584bee5a9c66b9e609839400242d28f23022100cdb7f0706cad407227856bfb0fea49f2762b856526ac1afa475bf1c55ef80c31:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "ssl/c2/onimai-rat-c2.yaml"

View on Github