# sid 2025465 rev:2 (current, added 2020-11-04) — OSX/OceanLotus.D command poll.
# What must be true for an alert: an established outbound flow ($HOME_NET -> $EXTERNAL_NET) carrying an
# HTTP GET whose URI ends in ".css" (isdataat:!1,relative = nothing after ".css"), a User-Agent starting
# "curl/", and a Cookie header whose normalized value is exactly "m_pixel_ratio=<32 lowercase hex>;" —
# depth:14 pins the 14-byte name at the start of the cookie buffer and the relative pcre consumes the rest
# up to end-of-buffer ($). The http_header_names checks additionally require Host, User-Agent and Accept
# to appear consecutively in that order and reject any Referer, Cache* or Accept-* header.
# Practitioner caveats:
#  - The header-name profile is tuned to the referenced sample (reference:md5); a build of the implant that
#    adds or reorders headers, or a proxy that rewrites them, will presumably evade this rule — confirm
#    against current samples before relying on it alone.
#  - It only sees HTTP the sensor can parse in the clear; beacons over TLS need decryption upstream.
#  - Only outbound-to-external traffic is covered; C2 hosted inside $HOME_NET would not match.
#  - threshold limit 1 per source per 30 s: one alert per host per window, so alert volume does not
#    reflect beacon frequency — use the flow records for that.
#  - Trailing "?" in msg: presumably the author's reduced-confidence marker — verify against ET conventions.
# Change vs. the 2020-08-05 entry: metadata updated_at only; detection logic is unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC?"; flow:established,to_server; content:"GET"; http_method; content:".css"; http_uri; isdataat:!1,relative; content:"curl/"; http_user_agent; content:"m_pixel_ratio="; fast_pattern; http_cookie; depth:14; pcre:"/^[a-f0-9]{32}\x3b$/CR"; http_header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; threshold:type limit, count 1, seconds 30, track by_src; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025465; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)

Added 2020-11-04 18:49:47 UTC


# Historical entry (added 2020-08-05), rev:2. Detection logic identical to the current rule; the only
# change vs. the 2020-03-04 entry is that the separate "metadata: former_category MALWARE" keyword was
# folded into the single metadata list and the list was reordered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC?"; flow:established,to_server; content:"GET"; http_method; content:".css"; http_uri; isdataat:!1,relative; content:"curl/"; http_user_agent; content:"m_pixel_ratio="; fast_pattern; http_cookie; depth:14; pcre:"/^[a-f0-9]{32}\x3b$/CR"; http_header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; threshold:type limit, count 1, seconds 30, track by_src; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025465; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_04;)

Added 2020-08-05 19:14:35 UTC


# Historical entry (added 2020-03-04): the rev:1 -> rev:2 bump. The cookie check was moved out of a
# case-sensitive raw-payload content ("|0d 0a|Cookie|3a 20|m_pixel_ratio=") plus a full-value pcre and
# into the normalized http_cookie buffer: the name is anchored with depth:14 and the 32-hex value and
# trailing ";" are checked by a relative pcre. Alert conditions are otherwise the same as rev:1.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC?"; flow:established,to_server; content:"GET"; http_method; content:".css"; http_uri; isdataat:!1,relative; content:"curl/"; http_user_agent; content:"m_pixel_ratio="; fast_pattern; http_cookie; depth:14; pcre:"/^[a-f0-9]{32}\x3b$/CR"; http_header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; threshold:type limit, count 1, seconds 30, track by_src; metadata: former_category MALWARE; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025465; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, performance_impact Low, updated_at 2020_03_04;)

Added 2020-03-04 19:16:55 UTC


# Historical entry (added 2019-10-01 08:28), rev:1. Same text as the entry added 2019-10-01 04:23.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC?"; flow:established,to_server; content:"GET"; http_method; content:".css"; http_uri; isdataat:!1,relative; content:"curl/"; http_user_agent; content:"|0d 0a|Cookie|3a 20|m_pixel_ratio="; fast_pattern; pcre:"/^m_pixel_ratio=[a-f0-9]{32}\x3b$/C"; http_header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; threshold:type limit, count 1, seconds 30, track by_src; metadata: former_category MALWARE; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025465; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, performance_impact Low, updated_at 2019_09_28;)

Added 2019-10-01 08:28:59 UTC


# Historical entry (added 2019-10-01 04:23), rev:1. Only metadata updated_at was bumped to 2019_09_28;
# detection logic is unchanged from the 2019-09-19 entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC?"; flow:established,to_server; content:"GET"; http_method; content:".css"; http_uri; isdataat:!1,relative; content:"curl/"; http_user_agent; content:"|0d 0a|Cookie|3a 20|m_pixel_ratio="; fast_pattern; pcre:"/^m_pixel_ratio=[a-f0-9]{32}\x3b$/C"; http_header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; threshold:type limit, count 1, seconds 30, track by_src; metadata: former_category MALWARE; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025465; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, performance_impact Low, updated_at 2019_09_28;)

Added 2019-10-01 04:23:24 UTC


# Historical entry (added 2019-09-19), rev:1. former_category changed from TROJAN to MALWARE;
# detection logic is unchanged from the 2018-09-13 entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC?"; flow:established,to_server; content:"GET"; http_method; content:".css"; http_uri; isdataat:!1,relative; content:"curl/"; http_user_agent; content:"|0d 0a|Cookie|3a 20|m_pixel_ratio="; fast_pattern; pcre:"/^m_pixel_ratio=[a-f0-9]{32}\x3b$/C"; http_header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; threshold:type limit, count 1, seconds 30, track by_src; metadata: former_category MALWARE; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025465; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, performance_impact Low, updated_at 2018_04_05;)

Added 2019-09-19 19:26:54 UTC


# Historical entry (added 2018-09-13 19:54), rev:1. Identical to the original 2018-04-05 rule text.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC?"; flow:established,to_server; content:"GET"; http_method; content:".css"; http_uri; isdataat:!1,relative; content:"curl/"; http_user_agent; content:"|0d 0a|Cookie|3a 20|m_pixel_ratio="; fast_pattern; pcre:"/^m_pixel_ratio=[a-f0-9]{32}\x3b$/C"; http_header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; threshold:type limit, count 1, seconds 30, track by_src; metadata: former_category TROJAN; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025465; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, performance_impact Low, updated_at 2018_04_05;)

Added 2018-09-13 19:54:38 UTC


Added 2018-09-13 18:02:06 UTC (revision entry recorded without rule text on this page)


# Original rule, rev:1 (added 2018-04-05). Same GET / ".css" URI / "curl/" User-Agent / header-name
# profile as later revisions, but the cookie is matched two ways: a raw-payload content
# "|0d 0a|Cookie|3a 20|m_pixel_ratio=" (no nocase, so a differently cased or differently spaced
# Cookie header does not match) plus a pcre anchored at the start of the http_cookie buffer requiring
# "m_pixel_ratio=<32 lowercase hex>;" as the whole value. rev:2 (2020-03-04) later consolidated this
# into the normalized http_cookie buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC?"; flow:established,to_server; content:"GET"; http_method; content:".css"; http_uri; isdataat:!1,relative; content:"curl/"; http_user_agent; content:"|0d 0a|Cookie|3a 20|m_pixel_ratio="; fast_pattern; pcre:"/^m_pixel_ratio=[a-f0-9]{32}\x3b$/C"; http_header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; threshold:type limit, count 1, seconds 30, track by_src; metadata: former_category TROJAN; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025465; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, performance_impact Low, updated_at 2018_04_05;)

Added 2018-04-05 17:13:16 UTC


