alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal CnC? Checkin"; flow:established,to_server; content:".txt"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322|0d 0a|Host|3a 20|"; depth:88; fast_pattern; http_header; pcre:"/^\/[a-z]{4}(?:\d{1,3}\.){3}\d{1,3}[a-z]{6}\.txt/U"; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; reference:url,blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html; classtype:trojan-activity; sid:2025922; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category MALWARE, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)

Added 2020-11-17 18:19:13 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal CnC? Checkin"; flow:established,to_server; content:".txt"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322|0d 0a|Host|3a 20|"; depth:88; fast_pattern; http_header; pcre:"/^\/[a-z]{4}(?:\d{1,3}\.){3}\d{1,3}[a-z]{6}\.txt/U"; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; reference:url,blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html; classtype:trojan-activity; sid:2025922; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category MALWARE, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_05_07;)

Added 2020-08-05 19:15:01 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal CnC? Checkin"; flow:established,to_server; content:".txt"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322|0d 0a|Host|3a 20|"; depth:88; fast_pattern; http_header; pcre:"/^\/[a-z]{4}(?:\d{1,3}\.){3}\d{1,3}[a-z]{6}\.txt/U"; metadata: former_category MALWARE; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; reference:url,blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html; classtype:trojan-activity; sid:2025922; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2020_05_07;)

Added 2020-05-07 18:41:39 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal CnC? Checkin"; flow:established,to_server; content:".txt"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322|0d 0a|Host|3a 20|"; depth:88; fast_pattern; http_header; pcre:"/^\/[a-z]{4}(?:\d{1,3}\.){3}\d{1,3}[a-z]{6}\.txt/U"; http_header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:49; isdataat:!1,relative; metadata: former_category MALWARE; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; reference:url,blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html; classtype:trojan-activity; sid:2025922; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2020_03_06;)

Added 2020-03-06 18:55:21 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal CnC? Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/ks8d"; http_uri; depth:5; content:"akspbu.txt"; http_uri; isdataat:!1,relative; content:"Mozilla/4.0|20 28|compatible|3b|MSIE|20|6.0|3b|"; http_user_agent; content:"|81 b2 a8 97 7e a3 1b 91|"; http_client_body; depth:8; fast_pattern; isdataat:!1,relative; pcre:"/^\/ks8d(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)akspbu\.txt$/Ui"; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category MALWARE; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2019_09_28;)

Added 2019-10-01 08:29:03 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal CnC? Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/ks8d"; http_uri; depth:5; content:"akspbu.txt"; http_uri; isdataat:!1,relative; content:"Mozilla/4.0|20 28|compatible|3b|MSIE|20|6.0|3b|"; http_user_agent; content:"|81 b2 a8 97 7e a3 1b 91|"; http_client_body; depth:8; fast_pattern; isdataat:!1,relative; pcre:"/^\/ks8d(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)akspbu\.txt$/Ui"; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category MALWARE; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2019_09_28;)

Added 2019-10-01 04:23:28 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal CnC? Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/ks8d"; http_uri; depth:5; content:"akspbu.txt"; http_uri; isdataat:!1,relative; content:"Mozilla/4.0|20 28|compatible|3b|MSIE|20|6.0|3b|"; http_user_agent; content:"|81 b2 a8 97 7e a3 1b 91|"; http_client_body; depth:8; fast_pattern; isdataat:!1,relative; pcre:"/^\/ks8d(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)akspbu\.txt$/Ui"; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category MALWARE; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)

Added 2019-09-19 19:26:56 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal CnC? Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/ks8d"; http_uri; depth:5; content:"akspbu.txt"; http_uri; isdataat:!1,relative; content:"Mozilla/4.0|20 28|compatible|3b|MSIE|20|6.0|3b|"; http_user_agent; content:"|81 b2 a8 97 7e a3 1b 91|"; http_client_body; depth:8; fast_pattern; isdataat:!1,relative; pcre:"/^\/ks8d(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)akspbu\.txt$/Ui"; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)

Added 2018-09-13 19:55:01 UTC


Added 2018-09-13 18:02:21 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal CnC? Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/ks8d"; http_uri; depth:5; content:"akspbu.txt"; http_uri; isdataat:!1,relative; content:"Mozilla/4.0|20 28|compatible|3b|MSIE|20|6.0|3b|"; http_user_agent; content:"|81 b2 a8 97 7e a3 1b 91|"; http_client_body; depth:8; fast_pattern; isdataat:!1,relative; pcre:"/^\/ks8d(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)akspbu\.txt$/Ui"; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)

Added 2018-07-31 17:02:44 UTC


Topic revision: r1 - 2020-11-17 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats