Versions (2)
Version DetailsCurrent
Rev: 7 • Aug 8, 2016, 12:00 PMET MALWARE ProjectSauron Remsec DNS Lookup (we .q.tcow.eu)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (we .q.tcow.eu)"; dns.query; content:"we"; depth:2; content:".q.tcow.eu"; nocase; fast_pattern; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023027; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, deprecation_reason Age, malware_family APT_ProjectSauron_Remsec, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2024_04_04, reviewed_at 2024_04_04;)
Aug 8, 2016, 12:00 PM
Apr 4, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-malware.rules