Versions (3)
Version DetailsCurrent
Rev: 1 • Jan 12, 2016, 12:00 PMET COINMINER CoinMiner Malicious Authline Seen in JAR Backdoor
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz|22 2c 20 22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:coin-mining; sid:2022349; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_01_12, deployment Perimeter, confidence High, signature_severity Major, tag Coinminer, updated_at 2019_07_26, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
Jan 12, 2016, 12:00 PM
Jul 26, 2019, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-coinminer.rules