Rule History

SID: 2029848 • Source: et/open

Versions (3)

Version Details (Current)

Rev: 1 • Apr 9, 2020, 12:00 PM

ET MALWARE Lemon_Duck Powershell CnC Checkin M2

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?"; content:"&"; distance:0; content:"-"; distance:8; within:1; content:"&"; distance:0; content:"|3a|"; distance:2; within:1; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; http.user_agent; content:"Lemon-Duck-"; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,de18418e8b62e03d1feb1f9c5a53b6a0; reference:url,trapx.com/wp-content/uploads/2020/02/TrapX-Labs-Manufacturing-IOT-Report.pdf; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-malware-pcastle-zeroes-back-in-on-china-now-uses-multilayered-fileless-arrival-techniques/; classtype:command-and-control; sid:2029848; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, malware_family Lemon_Duck, confidence High, signature_severity Major, updated_at 2020_04_09;)

Apr 9, 2020, 12:00 PM

Sep 21, 2024, 3:00 AM

rules/emerging-malware.rules