ET RETIRED TA453 IIS Credential Stealer Module/Backdoor Headers in HTTP Request
Sourceet/open
Fileemerging-retired.rules
CreatedApril 27, 2023
UpdatedApril 17, 2025
Classificationtrojan-activity
alert http any any -> $HOME_NET any (msg:"ET RETIRED TA453 IIS Credential Stealer Module/Backdoor Headers in HTTP Request"; flow:established,to_server ; http.header_names; to_lowercase; content:"|0d 0a|x-beserver-pd|0d 0a|"; fast_pattern; content:"|0d 0a|x-verify-request|0d 0a|"; reference:url,www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/ ; reference:md5,95c6fdc4f537bccca3079d94e65bc0b0 ; classtype:trojan-activity; sid:2045223; rev:3; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2023_04_27, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, malware_family TA453, performance_impact Low, confidence High, signature_severity Major, updated_at 2025_04_17, reviewed_at 2025_04_17; target:dest_ip;)
References
| url | www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/ |
| md5 | 95c6fdc4f537bccca3079d94e65bc0b0 |
Metadata
affected productMicrosoft_IIS
attack targetWeb_Server
created at2023_04_27
deploymentSSLDecrypt
former categoryMALWARE
malware familyTA453
performance impactLow
confidenceHigh
signature severityMajor
updated at2025_04_17
reviewed at2025_04_17
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!