alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Emissary External IP Lookup"; flow:established,to_server; urilen:12; content:"GET"; http_method; content:"/index.shtml"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Win32)"; http_user_agent; depth:41; isdataat:!1,relative; content:"Host|3a 20|"; http_header; content:"b4secure.com|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Host\x3a[^\r\n]+(?:www\.)?b4secure\.com\r$/Hmi"; metadata: former_category MALWARE; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/; classtype:policy-violation; sid:2023470; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2016_10_31, malware_family Emissary, malware_family Lotus_Blossom, updated_at 2019_10_24;)

Added 2019-10-25 19:12:51 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Emissary External IP Lookup"; flow:established,to_server; urilen:12; content:"GET"; http_method; content:"/index.shtml"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32)|0d 0a|"; http_header; content:"Host|3a 20|"; http_header; content:"b4secure.com|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Host\x3a[^\r\n]+(?:www\.)?b4secure\.com\r$/Hmi"; metadata: former_category MALWARE; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/; classtype:policy-violation; sid:2023470; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2016_10_31, malware_family Emissary, malware_family Lotus_Blossom, updated_at 2016_10_31;)

Added 2019-09-26 19:58:16 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Emissary External IP Lookup"; flow:established,to_server; urilen:12; content:"GET"; http_method; content:"/index.shtml"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32)|0d 0a|"; http_header; content:"Host|3a 20|"; http_header; content:"b4secure.com|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Host\x3a[^\r\n]+(?:www\.)?b4secure\.com\r$/Hmi"; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/; classtype:policy-violation; sid:2023470; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2016_10_31, malware_family Emissary, malware_family Lotus_Blossom, updated_at 2016_10_31;)

Added 2018-09-13 19:53:09 UTC


Added 2018-09-13 18:01:15 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Emissary External IP Lookup"; flow:established,to_server; urilen:12; content:"GET"; http_method; content:"/index.shtml"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32)|0d 0a|"; http_header; content:"Host|3a 20|"; http_header; content:"b4secure.com|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Host\x3a[^\r\n]+(?:www\.)?b4secure\.com\r$/Hmi"; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/; classtype:policy-violation; sid:2023470; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2016_10_31, malware_family Emissary, malware_family Lotus_Blossom, updated_at 2016_10_31;)

Added 2017-08-07 21:18:37 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Emissary External IP Lookup"; flow:established,to_server; urilen:12; content:"GET"; http_method; content:"/index.shtml"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32)|0d 0a|"; http_header; content:"Host|3a 20|"; http_header; content:"b4secure.com|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Host\x3a[^\r\n]+(?:www\.)?b4secure\.com\r$/Hmi"; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/; classtype:policy-violation; sid:2023470; rev:2;)

Added 2016-10-31 17:35:56 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Emissary External IP Lookup"; flow:established,to_server; urilen:12; content:"GET"; http_method; content:"/index.shtml"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32)|0d 0a|"; http_header; content:"Host|3a 20|"; http_header; content:"b4secure.com|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Host\x3a[^\r\n]+(?:www\.)?b4secure\.com\r$/Hmi"; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/; classtype:policy-violation; sid:2023470; rev:2;)

Added 2016-10-31 17:28:59 UTC


Topic revision: r1 - 2019-10-25 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats