Rule History

alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Polonium APT CREEPYSNAIL Backdoor Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ui/chk?mactok="; fast_pattern; startswith; pcre:"/^[A-F0-9]{32}$/R"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,63efa4524e50beeedb68f7eebaadcc5c; reference:url,www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/; classtype:trojan-activity; sid:2039151; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_10_11, deployment Perimeter, malware_family Polonium, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_11;)