Versions (3)
Version DetailsCurrent
Rev: 1 • Feb 6, 2023, 12:00 PMET MALWARE NginxSpy Magic Bytes M2 (Inbound)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE NginxSpy Magic Bytes M2 (Inbound)"; flow:established,to_server; flowbits:isset,ET.nginxspy; content:"|e5 cf ff 02 b1 69 20 69 75 15 99 45 20 2e 0a 10 e3 10 b3 70 8d 6d ab 54 52 79 f0 1b 78 5e d1 46|"; fast_pattern; reference:url,jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_4_peter-jr-wei_en.pdf; classtype:trojan-activity; sid:2044123; rev:1; metadata:attack_target Web_Server, created_at 2023_02_06, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_02_06; target:dest_ip;)
Feb 6, 2023, 12:00 PM
Feb 6, 2023, 12:00 PM
Feb 6, 2023, 10:00 PM
Aug 25, 2025, 9:35 PM
rules/emerging-malware.rules