Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android Infostealer CnC Check-In"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/socket.io/?"; fast_pattern; startswith; content:"model="; content:"EIO="; content:"id="; content:"transport="; content:"release="; content:"manf="; reference:url,lab52.io/blog/complete-dissection-of-an-apk-with-a-suspicious-c2-server/; reference:md5,4f5617ec4668e3406f9bd82dfcf6df6b; classtype:command-and-control; sid:2035770; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_04_06;)