Versions (5)
Version DetailsCurrent
Rev: 2 • Aug 16, 2022, 12:00 PMET RETIRED RShell Backdoor Initial CnC Checkin
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET RETIRED RShell Backdoor Initial CnC Checkin"; flow:to_server,established; content:"|00 00 00 02|guid|00 25 00 00 00|"; offset:1; fast_pattern; pcre:"/^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}/R"; content:"|00 02|hostname"; distance:0; content:"|00 02|lan"; distance:0; content:"|00 02|type"; distance:0; content:"login"; distance:0; content:"|00 02|username"; distance:0; content:"|00 02|version"; distance:0; reference:url,blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos; reference:url,www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html; classtype:command-and-control; sid:2038540; rev:2; metadata:attack_target Client_and_Server, created_at 2022_08_16, deployment Perimeter, former_category MALWARE, malware_family Rshell, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_09_17, reviewed_at 2024_09_17;)Aug 16, 2022, 12:00 PM
Sep 17, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 1, 2025, 8:35 PM
rules/emerging-retired.rules