ET MALWARE Possible Raspberry Robin Activity M2 (GET)
Sourceet/open
Fileemerging-malware.rules
CreatedApril 27, 2023
UpdatedApril 3, 2024
Classificationtrojan-activity
alert http1 $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Possible Raspberry Robin Activity M2 (GET)"; flow:established,to_server ; urilen:39<>59; http.method; content:"GET"; http.uri; content:!"|2e|"; http.header; content:"Connection|3a 20|Keep|2d|Alive|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|User|2d|Agent|3a 20|Windows|20|Installer|0d 0a|Host|3a 20|"; startswith; fast_pattern; http.header_names; bsize:42; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,f5e6ffec3c33e9c84e11d6101d181c4e ; reference:md5,131243c786a2efed6e7f35dabfef4be8 ; reference:md5,b7d6f079a6b084c1c8293ab4cd54b585 ; reference:md5,d1993684f055e9cfd964d35952f570f8 ; reference:md5,3329ad32799c142d6cd5e7f6a1dff755 ; reference:url,twitter.com/BushidoToken/status/1646855931945205763 ; reference:url,redcanary.com/blog/raspberry-robin ; classtype:trojan-activity; sid:2045212; rev:3; metadata:attack_target Client_Endpoint, created_at 2023_04_27, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_03; target:src_ip;)
References
| md5 | f5e6ffec3c33e9c84e11d6101d181c4e |
| md5 | 131243c786a2efed6e7f35dabfef4be8 |
| md5 | b7d6f079a6b084c1c8293ab4cd54b585 |
| md5 | d1993684f055e9cfd964d35952f570f8 |
| md5 | 3329ad32799c142d6cd5e7f6a1dff755 |
| url | twitter.com/BushidoToken/status/1646855931945205763 |
| url | redcanary.com/blog/raspberry-robin |
Metadata
attack targetClient_Endpoint
created at2023_04_27
deploymentPerimeter
performance impactLow
confidenceLow
signature severityMajor
tagDescription_Generated_By_Proofpoint_Nexus
updated at2024_04_03
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!