Versions (3)
Version DetailsCurrent
Rev: 1 • Aug 16, 2022, 12:00 PMET MALWARE RShell Backdoor Keepalive
alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RShell Backdoor Keepalive"; flow:established,to_server; dsize:25; content:"|19 00 00 00 02 74 79 70 65 00 0a 00 00 00 6b 65 65 70 61 6c 69 76 65 00 00|"; fast_pattern; threshold:type limit, track by_src, seconds 500, count 1; reference:url,blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos; reference:url,www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html; classtype:command-and-control; sid:2038536; rev:1; metadata:attack_target Client_and_Server, created_at 2022_08_16, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2022_08_16;)
Aug 16, 2022, 12:00 PM
Aug 16, 2022, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 21, 2024, 3:00 AM
rules/emerging-malware.rules