Versions (4)
Version DetailsCurrent
Rev: 1 • Mar 4, 2021, 12:00 PMET MALWARE SUNSHUTTLE CnC Activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SUNSHUTTLE CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.cookie; content:"HjELmFxKJc="; fast_pattern; content:"P5hCrabkKf="; content:"iN678zYrXMJZ="; reference:url,www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html; classtype:command-and-control; sid:2031811; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_04, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_04;)
Mar 4, 2021, 12:00 PM
Mar 4, 2021, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 15, 2025, 9:36 PM
rules/emerging-malware.rules