ET MALWARE APT29 Implant8 - MAL_REFERER
Sourceet/open
Fileemerging-malware.rules
CreatedFebruary 17, 2017
UpdatedApril 20, 2024
Classificationtargeted-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29 Implant8 - MAL_REFERER"; flow:established,to_server ; http.method; content:"GET"; http.referer; content:"https|3a 2f 2f|www|2e|google|2e|com|2f|url|3f|sa|3d|t|26|rct|3d|j|26|q|3d 26|esrc|3d|s|26|source|3d|web|26|cd|3d|"; startswith; pcre:"/^(?:[02-9]|1[01]?)&ved=0C[A-L]{2}QFjA[A-L]&url=/R" ; content:"&ei="; distance:0; pcre:"/^[A-Za-z0-9]{20,22}&usg=[A-Za-z0-9_]{34}&bvm=bv\.81[1-7]{6}\,d\.[A-Za-z0-9_]{3}$/R" ; content:"&bvm=bv.81"; fast_pattern; content:"|2c|d."; distance:6; within:3; isdataat:!4,relative ; http.header_names; to_lowercase; content:!"cookie|0d 0a|"; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity ; classtype:targeted-activity; sid:2024004; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, malware_family APT29_Implant8, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_04_20;)
Metadata
affected productWindows_XP_Vista_7_8_10_Server_32_64_Bit
attack targetClient_Endpoint
created at2017_02_17
deploymentPerimeter
malware familyAPT29_Implant8
performance impactLow
confidenceHigh
signature severityMajor
updated at2024_04_20
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!