Rule History

SID: 2043167 • Source: et/open

Versions (5)

Version Details: Current

Rev: 1 • Jan 3, 2023, 12:00 PM

ET MALWARE ViperSoftX HTTP CnC Activity

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ViperSoftX HTTP CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:72; content:"/api/v1/"; startswith; fast_pattern; content:!"?"; pcre:"/^\/api\/v1\/[A-F0-9]{64}$/"; http.user_agent; content:"WindowsPowerShell"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; threshold:type limit, count 1, seconds 120, track by_src; reference:url,chris.partridge.tech/2022/evolution-of-vipersoftx-dga/; reference:url,decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/; classtype:trojan-activity; sid:2043167; rev:1; metadata:created_at 2023_01_03, malware_family ViperSoftX, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_01_03;)

Jan 3, 2023, 12:00 PM

Jan 3, 2023, 12:00 PM

Sep 21, 2024, 3:00 AM

Aug 26, 2025, 9:34 PM

rules/emerging-malware.rules