ET MALWARE CHAOS RAT/AlfaC2 Client Checkin

7.0.35.0SID: 2046872Rev: 2Enabled8 views
Sourceet/open
Fileemerging-malware.rules
CreatedJuly 20, 2023
UpdatedApril 27, 2024
Classificationcommand-and-control
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CHAOS RAT/AlfaC2 Client Checkin"; flow:established,to_server; http.uri; bsize:7; content:"/client"; http.user_agent; content:"Go-http-client/"; startswith; http.header_names; to_lowercase; content:"|0d 0a|x-client|0d 0a|"; fast_pattern; http.request_header; header_lowercase; bsize:18; content:"upgrade|3a 20|websocket"; http.request_header; header_lowercase; content:"x-client|3a 20|"; startswith; pcre:"/^(?:[a-f0-9]{2}\x3a){5}[a-f0-9]{2}$/R"; http.cookie; content:"jwt="; startswith; content:".eyJhdXRob3JpemVkIj"; distance:0; content:!"|3b|"; distance:0; reference:md5,d0ea84204096109f18a2201fae1c4f30; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2046872; rev:2; metadata:attack_target Client_and_Server, created_at 2023_07_20, deployment Perimeter, malware_family CHAOS, performance_impact Low, confidence High, signature_severity Critical, tag RemoteAccessTool, updated_at 2024_04_27; target:src_ip;)

References

md5
d0ea84204096109f18a2201fae1c4f30
urlgithub.com/tiagorlampert/CHAOS

Metadata

attack targetClient_and_Server
created at2023_07_20
deploymentPerimeter
malware familyCHAOS
performance impactLow
confidenceHigh
signature severityCritical
tagRemoteAccessTool
updated at2024_04_27

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!