Rule History

SID: 2042189 • Source: et/open

Versions (4)

Version DetailsCurrent

Rev: 2 • Dec 7, 2022, 12:00 PM

Message:

ET MALWARE Impersoni-fake-ator backdoor CnC Checkin

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Impersoni-fake-ator backdoor CnC Checkin"; flow:established,to_server; content:"|d1 57 f4 37|"; startswith; fast_pattern; content:"|02 00 00 00|"; distance:4; byte_jump:4,0, relative, little, post_offset -1; isdataat:!2,relative; reference:url,www.bitdefender.com/files/News/CaseStudies/study/426/Bitdefender-PR-Whitepaper-BackdoorDiplomacy-creat6507-en-EN.pdf; classtype:trojan-activity; sid:2042189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_12_07, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_12_13;)

Created:

Dec 7, 2022, 12:00 PM

Updated:

Dec 13, 2022, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Aug 27, 2025, 9:35 PM

Filename:

rules/emerging-malware.rules