ET MALWARE Suspected Blackmoon Related Activity (GET)

7.0.35.0SID: 2046635Rev: 2Enabled10 views
Sourceet/open
Fileemerging-malware.rules
CreatedJune 23, 2023
UpdatedMarch 27, 2024
Classificationtrojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Blackmoon Related Activity (GET)"; flow:established,to_server; flowbits:set,ET.blackmoon; urilen:<25; http.method; content:"GET"; http.uri; content:"/post/"; startswith; content:"_"; distance:8; within:1; http.user_agent; bsize:50; content:"Mozilla/4.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1)"; http.host; content:".lofter.com"; endswith; fast_pattern; reference:md5,26e28b0d5e50624d2597ae65cdd41dd5; reference:md5,f2827328571b9c292a1a3759e94c7b4a; reference:md5,53d082f3320b5c6cfd264d1b30298094; reference:url,threatpost.com/blackmoon-banking-trojan-using-new-infection-technique/125425/; classtype:trojan-activity; sid:2046635; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_06_23, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_27; target:src_ip;)

References

md5
26e28b0d5e50624d2597ae65cdd41dd5
md5
f2827328571b9c292a1a3759e94c7b4a
md5
53d082f3320b5c6cfd264d1b30298094
urlthreatpost.com/blackmoon-banking-trojan-using-new-infection-technique/125425/

Metadata

attack targetClient_Endpoint
created at2023_06_23
deploymentSSLDecrypt
performance impactLow
confidenceMedium
signature severityMajor
tagDescription_Generated_By_Proofpoint_Nexus
updated at2024_03_27

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!