Rule History

SID: 2028622 • Source: et/open

Versions (3)

Version DetailsCurrent

Rev: 3 • Sep 25, 2019, 12:00 PM

Message:

ET MOBILE_MALWARE MOONSHINE payload C2 activity

Rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE MOONSHINE payload C2 activity"; flow:established,to_server; http.uri; content:"/ws?whisky_id|3d|"; fast_pattern; http.header; content:"Upgrade|3a 20|websocket"; http.user_agent; content:"hots|20|scot"; depth:9; reference:url,citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits; classtype:trojan-activity; sid:2028622; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_09_25, deployment Perimeter, malware_family Android_Moonshine, confidence High, signature_severity Critical, tag Android, updated_at 2020_09_02;)

Created:

Sep 25, 2019, 12:00 PM

Updated:

Sep 2, 2020, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

May 30, 2025, 12:04 AM

Filename:

rules/emerging-mobile_malware.rules