# sid 2018228 rev 7 (metadata: created_at 2014_03_06, updated_at 2019_03_21) - "ET TROJAN Possible PlugX? Common Header Struct".
# Scope: outbound HTTP (HOME_NET -> EXTERNAL_NET), established flow, client-to-server, method POST.
# Detection: some request header line ends in ": 61456\r\n" (|3a 20|61456|0d 0a| in http_header, used as the
# fast_pattern), while (read as Suricata sticky-buffer syntax) the Content-Length value is not 61456
# (http_content_len; content:!"61456") and no header named Referer is present (http_header_names; content:!"Referer").
# The User-Agent must not begin with "Dickson/" (negated content with depth:8 - "Dickson/" is exactly 8 bytes).
# rev 7 change vs rev 6: host exclusion `content:!".googleapis.com"; http_host; isdataat:!1,relative;`, presumably a
# false-positive suppression. NOTE(review): a relative isdataat following a *negated* content is an unusual
# combination - confirm on the deployed engine version that it behaves as "Host does not end in .googleapis.com"
# rather than silently disabling the exclusion or the whole rule.
# The "?" in msg is the author's own hedge: a header value of 61456 is a weak structural indicator, so a hit is a
# triage pivot (pull the full request for the flow) rather than a confirmed PlugX verdict.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible PlugX? Common Header Struct"; flow:established,to_server; content:"POST"; http_method; content:!".googleapis.com"; http_host; isdataat:!1,relative; content:"|3a 20|61456|0d 0a|"; http_header; fast_pattern; content:!"Dickson/"; http_user_agent; depth:8; http_content_len; content:!"61456"; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; reference:url,alienvault.com/open-threat-exchange/blog/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo; reference:url,securelist.com/blog/incidents/57197/the-rush-for-cve-2013-3906-a-hot-commodity/; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; classtype:trojan-activity; sid:2018228; rev:7; metadata:created_at 2014_03_06, updated_at 2019_03_21;)

Added 2019-03-21 18:36:57 UTC


# sid 2018228 rev 6 (metadata: created_at 2014_03_06, updated_at 2018_04_23) - "ET TROJAN Possible PlugX? Common Header Struct".
# Outbound HTTP POST on an established client-to-server flow whose headers contain a line ending in ": 61456\r\n"
# (|3a 20|61456|0d 0a| in http_header, fast_pattern). Exclusions, read as Suricata sticky-buffer syntax:
# Content-Length is not 61456 (http_content_len; content:!"61456") - presumably so that an ordinary
# "Content-Length: 61456" body does not trip the generic header pattern - and no Referer header name is present
# (http_header_names; content:!"Referer").
# rev 6 change vs rev 5: User-Agent must not start with "Dickson/" (negated content, depth:8 == len("Dickson/")),
# and "metadata: former_category TROJAN" is added. No Host exclusion yet (that arrives in rev 7).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible PlugX? Common Header Struct"; flow:established,to_server; content:"POST"; http_method; content:"|3a 20|61456|0d 0a|"; http_header; fast_pattern; content:!"Dickson/"; http_user_agent; depth:8; http_content_len; content:!"61456"; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; reference:url,alienvault.com/open-threat-exchange/blog/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo; reference:url,securelist.com/blog/incidents/57197/the-rush-for-cve-2013-3906-a-hot-commodity/; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; classtype:trojan-activity; sid:2018228; rev:6; metadata:created_at 2014_03_06, updated_at 2018_04_23;)

Added 2018-09-13 19:48:32 UTC


Added 2018-09-13 17:58:30 UTC


# sid 2018228 rev 6 (updated_at 2018_04_23) - byte-identical to the rev 6 text listed under the 2018-09-13 entry
# above; the revision history carries the same rev 6 rule twice (two "Added" stamps, one rule body).
# Outbound HTTP POST with a header line ending in ": 61456\r\n" (http_header, fast_pattern), Content-Length not
# 61456, no Referer header name, and a User-Agent not starting with "Dickson/" (depth:8).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible PlugX? Common Header Struct"; flow:established,to_server; content:"POST"; http_method; content:"|3a 20|61456|0d 0a|"; http_header; fast_pattern; content:!"Dickson/"; http_user_agent; depth:8; http_content_len; content:!"61456"; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; reference:url,alienvault.com/open-threat-exchange/blog/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo; reference:url,securelist.com/blog/incidents/57197/the-rush-for-cve-2013-3906-a-hot-commodity/; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; classtype:trojan-activity; sid:2018228; rev:6; metadata:created_at 2014_03_06, updated_at 2018_04_23;)

Added 2018-04-24 17:14:17 UTC


# sid 2018228 rev 5 - "ET TROJAN Possible PlugX? Common Header Struct".
# rev 5 change vs rev 4: the pcre and the two negated http_header contents are replaced by buffer-specific checks
# (read as Suricata sticky-buffer syntax): http_content_len must not contain "61456" and http_header_names must not
# contain "Referer". The positive match is unchanged: a header line ending in ": 61456\r\n" in http_header, now
# marked fast_pattern. No User-Agent exclusion yet (added in rev 6).
# NOTE(review): metadata says updated_at 2014_03_06 although this revision's history entry is dated 2017-11-30,
# so updated_at appears not to have been bumped for rev 5.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible PlugX? Common Header Struct"; flow:established,to_server; content:"POST"; http_method; content:"|3a 20|61456|0d 0a|"; http_header; fast_pattern; http_content_len; content:!"61456"; http_header_names; content:!"Referer"; reference:url,fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; reference:url,alienvault.com/open-threat-exchange/blog/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo; reference:url,securelist.com/blog/incidents/57197/the-rush-for-cve-2013-3906-a-hot-commodity/; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; classtype:trojan-activity; sid:2018228; rev:5; metadata:created_at 2014_03_06, updated_at 2014_03_06;)

Added 2017-11-30 16:40:54 UTC


# sid 2018228 rev 4 (with created_at/updated_at metadata) - "ET TROJAN Possible PlugX? Common Header Struct".
# Outbound HTTP POST on an established client-to-server flow. Positive match: ": 61456\r\n" somewhere in
# http_header. Exclusions: the header block must not contain "Content-Length: 61456\r\n" (so a body of that size
# alone does not match) and must not contain "Referer: ".
# The pcre /^[^\r\n\x3a]+\x3a\x2061456\r$/Hm (H = http_header buffer, m = multiline) then requires a complete
# header line of the form "<name-without-colon>: 61456\r", i.e. the 61456 must be the entire header value, not a
# substring of a longer one.
# rev 4 change vs rev 3: protocol is "http" with port "any" instead of "tcp" on [$HTTP_PORTS,443].
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible PlugX? Common Header Struct"; flow:established,to_server; content:"POST"; http_method; content:"|3a 20|61456|0d 0a|"; http_header; content:!"Content-Length|3a 20|61456|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^[^\r\n\x3a]+\x3a\x2061456\r$/Hm"; reference:url,fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; reference:url,alienvault.com/open-threat-exchange/blog/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo; reference:url,securelist.com/blog/incidents/57197/the-rush-for-cve-2013-3906-a-hot-commodity/; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; classtype:trojan-activity; sid:2018228; rev:4; metadata:created_at 2014_03_06, updated_at 2014_03_06;)

Added 2017-08-07 21:12:17 UTC


# sid 2018228 rev 4, earlier listing without the metadata created_at/updated_at keywords; the detection logic is
# otherwise identical to the rev 4 text under the 2017-08-07 entry above (same rev number, no rev bump for the
# metadata addition).
# Outbound HTTP POST; ": 61456\r\n" present in http_header, "Content-Length: 61456\r\n" and "Referer: " absent,
# and pcre /^[^\r\n\x3a]+\x3a\x2061456\r$/Hm requiring a whole header line whose value is exactly 61456.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible PlugX? Common Header Struct"; flow:established,to_server; content:"POST"; http_method; content:"|3a 20|61456|0d 0a|"; http_header; content:!"Content-Length|3a 20|61456|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^[^\r\n\x3a]+\x3a\x2061456\r$/Hm"; reference:url,fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; reference:url,alienvault.com/open-threat-exchange/blog/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo; reference:url,securelist.com/blog/incidents/57197/the-rush-for-cve-2013-3906-a-hot-commodity/; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; classtype:trojan-activity; sid:2018228; rev:4;)

Added 2016-01-05 18:51:32 UTC


# sid 2018228 rev 3 (listing with reference URLs) - "ET TROJAN Possible PlugX? Common Header Struct".
# Protocol "tcp" to [$HTTP_PORTS,443] rather than "http any": the http_* buffers and the /H pcre only populate
# when the engine actually parses the flow as HTTP, so on 443 this can only fire on cleartext HTTP sent to the
# TLS port - NOTE(review): confirm that is the intended coverage; rev 4 later switches to "alert http ... any".
# Match logic: POST; header line ending in ": 61456\r\n"; no "Content-Length: 61456\r\n"; no "Referer: ";
# pcre /^[^\r\n\x3a]+\x3a\x2061456\r$/Hm (multiline over http_header) pins 61456 as a complete header value.
# rev 3 change vs rev 2: fast_pattern:only dropped, the "\d" before the colon and the trailing "\r\n\r\n$" removed
# from the pcre, "Content-Length" exclusion added, 443 added to the port list.
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"ET TROJAN Possible PlugX? Common Header Struct"; flow:established,to_server; content:"POST"; http_method; content:"|3a 20|61456|0d 0a|"; http_header; content:!"Content-Length|3a 20|61456|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^[^\r\n\x3a]+\x3a\x2061456\r$/Hm"; reference:url,fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; reference:url,alienvault.com/open-threat-exchange/blog/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo; reference:url,securelist.com/blog/incidents/57197/the-rush-for-cve-2013-3906-a-hot-commodity/; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; classtype:trojan-activity; sid:2018228; rev:3;)

Added 2014-11-14 18:33:16 UTC


# sid 2018228 rev 3, first listing: no reference URLs yet (they are added the next day without a rev bump).
# Detection text is identical to the referenced rev 3 entry above: tcp to [$HTTP_PORTS,443], POST, a header line
# ending in ": 61456\r\n", no "Content-Length: 61456\r\n", no "Referer: ", and the multiline http_header pcre
# /^[^\r\n\x3a]+\x3a\x2061456\r$/Hm requiring 61456 to be the entire value of some header.
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"ET TROJAN Possible PlugX? Common Header Struct"; flow:established,to_server; content:"POST"; http_method; content:"|3a 20|61456|0d 0a|"; http_header; content:!"Content-Length|3a 20|61456|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^[^\r\n\x3a]+\x3a\x2061456\r$/Hm"; classtype:trojan-activity; sid:2018228; rev:3;)

Added 2014-11-13 22:18:28 UTC


# sid 2018228 rev 2 (original 2014-03-06 listing) - "ET TROJAN Possible PlugX? Common Header Struct".
# tcp to $HTTP_PORTS only; POST; ": 61456\r\n" in http_header as fast_pattern:only; no "Referer: " header.
# The pcre /^[^\r\n\x3a]+\d\x3a\x2061456\r\n\r\n$/Hm is stricter than later revisions: the header name must end in
# a digit ("\d" before the colon) and the ": 61456\r\n" line must be the final header ("\r\n\r\n$" - end of the
# header block). No Content-Length exclusion, so a last header of "Content-Length: 61456" would not be excluded
# here except by the "\d" name constraint; rev 3 adds an explicit negated Content-Length content instead.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible PlugX? Common Header Struct"; flow:established,to_server; content:"POST"; http_method; content:"|3a 20|61456|0d 0a|"; http_header; fast_pattern:only; content:!"Referer|3a 20|"; http_header; pcre:"/^[^\r\n\x3a]+\d\x3a\x2061456\r\n\r\n$/Hm"; classtype:trojan-activity; sid:2018228; rev:2;)

Added 2014-03-06 16:26:30 UTC

