# sid 2017714 rev 6 (metadata updated_at 2020_12_10): outbound HTTP check-in signature.
# The "?" in msg presumably marks the PlugX attribution as uncertain - confirm against the references.
# Match logic, in option order:
#   - HTTP method is POST and the normalized URI is exactly "/" plus 24 characters from [A-F0-9] (pcre /U).
#   - the header buffer starts with "Accept: */*\r\n" (13 bytes, depth:13), so Accept is the first header.
#   - directly after it come four uppercase letters (pcre /RH) and then "1: 0\r\n" (6 bytes, within:6),
#     i.e. a second header shaped like XXXX1: 0. This 6-byte string is also the fast_pattern.
#   - the string "Referer" does not appear in the header buffer.
# NOTE(review): msg is wrapped over two lines on this page; rule files take one rule per line
# (or a trailing-backslash continuation), so rejoin the two lines before loading this rule.
# NOTE(review): the rule uses HTTP keywords only, so it needs the request to be visible as cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
PlugX? Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, former_category MALWARE, updated_at 2020_12_10;)
Added 2020-12-11 18:27:46 UTC
# sid 2017714 rev 6 snapshot with metadata updated_at 2020_04_29 and former_category inside the single metadata keyword.
# Detection options: POST, URI "/" + 24 chars of [A-F0-9], "Accept: */*\r\n" as the first 13 header bytes,
# then four uppercase letters followed by "1: 0\r\n", and no "Referer" in the header buffer.
# NOTE(review): rev is still 6 although the metadata differs from other rev 6 snapshots on this page,
# so tooling that tracks changes by sid/rev alone will not tell these snapshots apart.
# NOTE(review): msg is wrapped over two lines here; rejoin them before loading the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
PlugX? Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, former_category MALWARE, updated_at 2020_04_29;)
Added 2020-08-05 19:09:25 UTC
# sid 2017714 rev 6 snapshot that carries two metadata keywords: "former_category MALWARE" on its own
# before the references, and created_at/updated_at (2020_04_29) at the end of the rule.
# Detection options are the HTTP-keyword form: POST, URI "/" + 24 chars of [A-F0-9] (pcre /U),
# "Accept: */*\r\n" within the first 13 header bytes, four uppercase letters (pcre /RH) followed by
# "1: 0\r\n" (within:6, fast_pattern), and no "Referer" in the header buffer.
# NOTE(review): msg is wrapped over two lines here; rejoin them before loading the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
PlugX? Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; metadata: former_category MALWARE; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, updated_at 2020_04_29;)
Added 2020-04-30 19:07:46 UTC
# sid 2017714 rev 6 with updated_at 2020_04_29 and a separate "metadata: former_category MALWARE;" keyword.
# What has to be true for an alert: an established client-to-server flow from $HOME_NET to $EXTERNAL_NET,
# a POST to a URI of "/" + 24 chars of [A-F0-9], headers that open with "Accept: */*\r\n" followed at once
# by a header named four uppercase letters plus "1" with value "0", and no "Referer" string in the headers.
# NOTE(review): msg is wrapped over two lines here; rejoin them before loading the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
PlugX? Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; metadata: former_category MALWARE; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, updated_at 2020_04_29;)
Added 2020-04-29 19:34:24 UTC
# sid 2017714 rev 6 snapshot where updated_at is still 2013_11_13 and a standalone
# "metadata: former_category MALWARE;" keyword is present.
# Detection options are the HTTP-keyword form: POST method, URI "/" + 24 chars of [A-F0-9],
# "Accept: */*\r\n" as the first 13 bytes of the header buffer, then [A-Z]{4} followed by "1: 0\r\n",
# and a negated match on "Referer" in the header buffer.
# NOTE(review): msg is wrapped over two lines here; rejoin them before loading the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
PlugX? Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; metadata: former_category MALWARE; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, updated_at 2013_11_13;)
Added 2019-09-26 19:57:30 UTC
# sid 2017714 rev 6 snapshot with only created_at/updated_at (both 2013_11_13) in metadata; no former_category.
# Detection options: POST (http_method), URI exactly "/" + 24 chars of [A-F0-9] (pcre /U),
# "Accept: */*\r\n" at the start of the header buffer (depth:13), four uppercase letters (pcre /RH)
# followed by "1: 0\r\n" (within:6, fast_pattern), and no "Referer" in the header buffer.
# NOTE(review): msg is wrapped over two lines here; rejoin them before loading the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
PlugX? Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, updated_at 2013_11_13;)
Added 2018-09-13 19:48:00 UTC
Added 2018-09-13 17:58:11 UTC
# sid 2017714 rev 6, the oldest snapshot on this page that uses "alert http" and the HTTP buffers
# (http_method, http_header, pcre /U and /RH) instead of raw-payload matching.
# It alerts on a POST to "/" + 24 chars of [A-F0-9] whose headers begin with "Accept: */*\r\n",
# continue with four uppercase letters and "1: 0\r\n", and contain no "Referer" string.
# metadata here holds created_at and updated_at only, both 2013_11_13.
# NOTE(review): msg is wrapped over two lines here; rejoin them before loading the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
PlugX? Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, updated_at 2013_11_13;)
Added 2017-08-07 21:11:39 UTC
# sid 2017714 rev 5: raw-TCP form of the check-in signature; every match is against the payload,
# with no HTTP buffer keywords.
#   - "POST " must sit in the first five payload bytes (depth:5).
#   - pcre /R then requires "/" + 24 chars of [A-F0-9] + " HTTP/1.1" right after it.
#   - "\r\nAccept: */*\r\n" is 15 bytes and has within:15, so Accept must directly follow the request line.
#   - four uppercase letters (pcre /R) and then "1: 0\r\n" (within:6, fast_pattern) must come next.
#   - content:!"Referer"; distance:0 is a relative negation, so it only covers data after the previous match.
# NOTE(review): because the request line is matched literally, only "HTTP/1.1" requests can alert.
# NOTE(review): msg is wrapped over two lines here; rejoin them before loading the rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
PlugX? Checkin"; flow:to_server,established; content:"POST "; depth:5; pcre:"/^\/[A-F0-9]{24} HTTP\/1\.1/R"; content:"|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|"; within:15; pcre:"/^[A-Z]{4}/R"; content:"1|3a 20|0|0d 0a|"; fast_pattern; within:6; content:!"Referer"; distance:0; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:5;)
Added 2014-04-16 18:55:39 UTC
# sid 2017714 rev 4: raw-TCP signature for the same check-in request.
#   - payload begins with "POST " (depth:5), then "/" + 24 chars of [A-F0-9] + " HTTP/1.1" (pcre /R).
#   - "\r\nAccept: */*\r\n" follows within 15 bytes, i.e. as the first header.
#   - four uppercase letters (pcre /R) followed by "1: 0\r\n" (within:6, fast_pattern).
#   - two relative negations after that point: no "Referer" and no further "Accept".
# NOTE(review): content:!"Accept" is a plain substring test, so any later header whose name contains
# "Accept" (for example Accept-Encoding) suppresses the alert. The rev 5 rule on this page omits this negation.
# NOTE(review): msg is wrapped over two lines here; rejoin them before loading the rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
PlugX? Checkin"; flow:to_server,established; content:"POST "; depth:5; pcre:"/^\/[A-F0-9]{24} HTTP\/1\.1/R"; content:"|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|"; within:15; pcre:"/^[A-Z]{4}/R"; content:"1|3a 20|0|0d 0a|"; fast_pattern; within:6; content:!"Referer"; distance:0; content:!"Accept"; distance:0; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:4;)
Added 2013-11-14 17:11:12 UTC
# sid 2017714 rev 3: earliest version on this page, matching on the raw TCP payload.
#   - "POST " in the first five payload bytes (depth:5).
#   - pcre /R expects one or more [A-F0-9] characters and then " HTTP/1.1" immediately after "POST ".
#   - one 22-byte content, "\r\nAccept: */*\r\nFZLK1: ", must follow (within:22); the header name FZLK1
#     is hard-coded here. fast_pattern:10,12 selects the 12 bytes from offset 10, "*/*\r\nFZLK1: ".
#   - relative negations: no "Referer" and no further "Accept" after that match.
# NOTE(review): the pcre has no "/" before the hex class, so a request line written as
# "POST /<hex> HTTP/1.1" would not satisfy it; rev 4 on this page uses "\/[A-F0-9]{24}" instead.
# NOTE(review): msg is wrapped over two lines here; rejoin them before loading the rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
PlugX? Checkin"; flow:to_server,established; content:"POST "; depth:5; pcre:"/^[A-F0-9]+? HTTP\/1\.1/R"; content:"|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|FZLK1|3a| "; within:22; fast_pattern:10,12; content:!"Referer"; distance:0; content:!"Accept"; distance:0; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:3;)
Added 2013-11-13 18:51:07 UTC