Versions (4)
Version DetailsCurrent
Rev: 6 • Apr 22, 2015, 12:00 PMET MALWARE CozyDuke APT HTTP GET CnC Beacon
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyDuke APT HTTP GET CnC Beacon"; flow:established,to_server; flowbits:set,ET.CozyDuke.HTTP; http.method; content:"GET"; http.uri; content:".php?"; fast_pattern; pcre:"/[A-Z]{100}(?:&\w+=[a-zA-Z0-9/+=]+){0,2}$/"; http.header_names; content:!"|0d 0a|Accept"; content:!"|0d 0a|Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020963; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, performance_impact Significant, signature_severity Major, tag c2, updated_at 2024_04_29, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
Apr 22, 2015, 12:00 PM
Apr 29, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-malware.rules