# sid 2029910 rev 4 (updated_at 2020_11_12), the current text. Detection logic is the
# same as the rev 3 records below; the only edit is the relative order of the
# fast_pattern and isdataat modifiers on the second content match, which does not
# change what is matched.
#
# What the rule pins down: a single 186-byte client->server TCP segment to port 443
# whose payload is a byte-exact TLS ClientHello, variable only in the client random:
#   - content 1 (depth:11): 16 = handshake record, 03 01, 00 b5 = record length 181
#     (5-byte record header + 181 = 186 = dsize), 01 = ClientHello, 00 00 b1 =
#     handshake length 177, 03 01 = client version.
#   - distance:32 skips the 32-byte client random, the only part not matched.
#   - content 2 (within:143) is the rest of the hello at offsets 43..185: 00 = empty
#     session id, 00 48 = a 72-byte cipher-suite list (36 suites, c0 0a ... 00 0a),
#     02 01 00 = two compression methods (deflate and null), 00 3f = 63 bytes of
#     extensions: server_name whose value 0e 6c 6f 67 69 6e 2e 6c 69 76 65 2e 63 6f 6d
#     decodes to "login.live.com" (the msg characterises this SNI as masquerading),
#     renegotiation_info (ff 01), supported_groups (00 0a), ec_point_formats (00 0b),
#     session_ticket (00 23), 33 74 (next_protocol_negotiation) and status_request
#     (00 05) ending in 01 00 00 00 00.
#   - isdataat:!1,relative rejects any trailing byte; 11 + 32 + 143 = 186 = dsize, so
#     the whole payload is covered.
# The spaceless pairs inside the hex string ("3900", "0ec0", "08c0", "0100", "696e",
# "000a", "0000") may be line-wrap artifacts of this page; the hex parser does not
# require separators, and the string still totals 143 bytes, matching within:143.
# No flow keyword is present (rev 2 had flow:established,to_server), so the rule is
# evaluated per packet in the stated direction regardless of stream state.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Suspected SPECULOOS Backdoor CnC? Init Packet Masquerading as SNI Request to live .com"; dsize:186; content:"|16 03 01 00 b5 01 00 00 b1 03 01|"; depth:11;content:"|00 00 48 c0 0a c0 14 00 88 00 87 00 3900 38 c0 0f c0 05 00 84 00 35 c0 07 c0 09 c0 11 c0 13 00 45 00 44 00 66 00 33 00 32 c0 0c c0 0ec0 02 c0 04 00 96 00 41 00 04 00 05 00 2f c0 08c0 12 00 16 00 13 c0 0d c0 03 fe ff 00 0a 02 0100 00 3f 00 00 00 13 00 11 00 00 0e 6c 6f 67 696e 2e 6c 69 76 65 2e 63 6f 6d ff 01 00 01 00 000a 00 08 00 06 00 17 00 18 00 19 00 0b 00 02 01 00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 0000 00|"; distance:32; within:143; fast_pattern; isdataat:!1,relative; reference:url,unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/; classtype:trojan-activity; sid:2029910; rev:4; metadata:attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)

Added 2020-11-12 18:23:20 UTC


# sid 2029910 rev 3, second publication (added 2020-08-05). Same detection logic as
# the first rev 3 record below: one 186-byte ClientHello to tcp/443 whose bytes are
# fixed apart from the 32-byte client random skipped by distance:32; 11 + 32 + 143 =
# 186 = dsize and isdataat:!1,relative rejects trailing data. The change relative to
# the earlier rev 3 text is housekeeping only: the two metadata keywords were merged
# into one. The revision number was not bumped for that edit, so a sensor that decides
# whether to refresh a rule by sid/rev may keep the older text; harmless here because
# matching is unchanged, but worth knowing when reconciling rule sets.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Suspected SPECULOOS Backdoor CnC? Init Packet Masquerading as SNI Request to live .com"; dsize:186; content:"|16 03 01 00 b5 01 00 00 b1 03 01|"; depth:11;content:"|00 00 48 c0 0a c0 14 00 88 00 87 00 3900 38 c0 0f c0 05 00 84 00 35 c0 07 c0 09 c0 11 c0 13 00 45 00 44 00 66 00 33 00 32 c0 0c c0 0ec0 02 c0 04 00 96 00 41 00 04 00 05 00 2f c0 08c0 12 00 16 00 13 c0 0d c0 03 fe ff 00 0a 02 0100 00 3f 00 00 00 13 00 11 00 00 0e 6c 6f 67 696e 2e 6c 69 76 65 2e 63 6f 6d ff 01 00 01 00 000a 00 08 00 06 00 17 00 18 00 19 00 0b 00 02 01 00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 0000 00|"; distance:32; within:143; isdataat:!1,relative; fast_pattern; reference:url,unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/; classtype:trojan-activity; sid:2029910; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_16;)

Added 2020-08-05 19:17:59 UTC


# sid 2029910 rev 3, first publication (added 2020-04-16). Reworked from rev 2 into a
# fixed-size single-packet signature: flow:established,to_server was dropped and
# dsize:186 added; the 16-byte record-header match was shortened to 11 bytes (stopping
# before the client random), the 32-byte random is skipped with distance:32, and the
# remaining 143 bytes of the ClientHello are matched verbatim with within:143 and
# isdataat:!1,relative, so 11 + 32 + 143 = 186 = dsize covers the whole payload. The
# second content carries the server_name value 6c 6f 67 69 6e 2e 6c 69 76 65 2e 63 6f
# 6d ("login.live.com"). This text has two separate metadata keywords; the later
# rev 3 record above merges them without changing detection.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Suspected SPECULOOS Backdoor CnC? Init Packet Masquerading as SNI Request to live .com"; dsize:186; content:"|16 03 01 00 b5 01 00 00 b1 03 01|"; depth:11;content:"|00 00 48 c0 0a c0 14 00 88 00 87 00 3900 38 c0 0f c0 05 00 84 00 35 c0 07 c0 09 c0 11 c0 13 00 45 00 44 00 66 00 33 00 32 c0 0c c0 0ec0 02 c0 04 00 96 00 41 00 04 00 05 00 2f c0 08c0 12 00 16 00 13 c0 0d c0 03 fe ff 00 0a 02 0100 00 3f 00 00 00 13 00 11 00 00 0e 6c 6f 67 696e 2e 6c 69 76 65 2e 63 6f 6d ff 01 00 01 00 000a 00 08 00 06 00 17 00 18 00 19 00 0b 00 02 01 00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 0000 00|"; distance:32; within:143; isdataat:!1,relative; fast_pattern; metadata: former_category MALWARE; reference:url,unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/; classtype:trojan-activity; sid:2029910; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_04_14, updated_at 2020_04_16;)

Added 2020-04-16 19:05:38 UTC


# sid 2029910 rev 2 (added 2020-04-14), the original stream-based form: it requires an
# established client->server flow and three anchored content matches instead of a
# fixed payload size.
#   - content 1 (depth:16): TLS handshake record 16 03 01, record length 00 B5 (181,
#     so the record spans 186 bytes), ClientHello 01 00 00 B1 03 01, then five 00
#     bytes, which per ClientHello layout are the first bytes of the 32-byte client
#     random; rev 3 skips the whole random with distance:32 instead.
#   - content 2 (fast_pattern): 6C 6F 67 69 6E 2E 6C 69 76 65 2E 63 6F 6D
#     ("login.live.com") followed by FF 01, the server_name value and the start of the
#     renegotiation_info extension. distance:110 without within is only a floor, so
#     this may match at any offset >= 126.
#   - content 3 (distance:0): the tail of the extensions block (end of
#     supported_groups, ec_point_formats 00 0B, session_ticket 00 23, 33 74,
#     status_request 00 05 01) ending in ten 00 bytes after 05 01. The rev 3/4 packet
#     has only four 00 bytes there and ends at byte 186 (dsize plus isdataat:!1), so
#     the two revisions describe different payload tails; presumably rev 2 was derived
#     from a sample with bytes following the record. Inferred from the byte strings
#     only; confirm against the reference if it matters.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Suspected SPECULOOS Backdoor CnC? Init Packet Masquerading as SNI Request to live .com"; flow:established,to_server; content:"|16 03 01 00 B5 01 00 00 B1 03 01 00 00 00 00 00|"; depth:16; content:"|6C 6F 67 69 6E 2E 6C 69 76 65 2E 63 6F 6D FF 01|"; fast_pattern; distance:110; content:"|18 00 19 00 0B 00 02 01 00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 00 00 00 00 00 00 00 00 00|"; distance:0; metadata: former_category MALWARE; reference:url,unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/; classtype:trojan-activity; sid:2029910; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_04_14, updated_at 2020_04_14;)

Added 2020-04-14 19:20:53 UTC

