alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Lightspy Implant CnC?"; flow:established,to_server; content:"|0d 0a 0d 0a|udid="; fast_pattern;content:"POST"; http_method; content:"/update_device"; isdataat:!1,relative; http_uri; content:"|20|Android|20|"; http_user_agent; content:"udid="; depth:5; http_client_body; content:"&brand="; distance:0; http_client_body; content:"&model="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&osversion="; nocase; distance:0; http_client_body; content:"&x="; distance:0; http_client_body; content:"&y="; distance:0; http_client_body; content:"&sdcard="; distance:0; http_client_body; content:"&cid="; distance:0; http_client_body; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; reference:md5,fadff5b601f6fca588007660934129eb; reference:url,securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/; classtype:trojan-activity; sid:2029765; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_30, deployment Perimeter, former_category MOBILE_MALWARE, malware_family lightspy, performance_impact Low, signature_severity Major, updated_at 2020_03_30;)

Added 2021-07-15 18:32:37 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Lightspy Implant CnC?"; flow:established,to_server; content:"|0d 0a 0d 0a|udid="; fast_pattern;content:"POST"; http_method; content:"/update_device"; isdataat:!1,relative; http_uri; content:"|20|Android|20|"; http_user_agent; content:"udid="; depth:5; http_client_body; content:"&brand="; distance:0; http_client_body; content:"&model="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&osversion="; nocase; distance:0; http_client_body; content:"&x="; distance:0; http_client_body; content:"&y="; distance:0; http_client_body; content:"&sdcard="; distance:0; http_client_body; content:"&cid="; distance:0; http_client_body; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; reference:md5,fadff5b601f6fca588007660934129eb; reference:url,https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/; classtype:trojan-activity; sid:2029765; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_30, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_30;)

Added 2020-08-05 19:17:51 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Lightspy Implant CnC?"; flow:established,to_server; content:"|0d 0a 0d 0a|udid="; fast_pattern;content:"POST"; http_method; content:"/update_device"; isdataat:!1,relative; http_uri; content:"|20|Android|20|"; http_user_agent; content:"udid="; depth:5; http_client_body; content:"&brand="; distance:0; http_client_body; content:"&model="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&osversion="; nocase; distance:0; http_client_body; content:"&x="; distance:0; http_client_body; content:"&y="; distance:0; http_client_body; content:"&sdcard="; distance:0; http_client_body; content:"&cid="; distance:0; http_client_body; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,fadff5b601f6fca588007660934129eb; reference:url,https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/; classtype:trojan-activity; sid:2029765; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_03_30, performance_impact Low, updated_at 2020_03_30;)

Added 2020-03-30 20:48:53 UTC


Topic revision: r1 - 2021-07-15 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats