Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Stealth Soldier Backdoor Related Activity M1 (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Server/Request"; bsize:15; fast_pattern; http.header_names; content:!"Referer"; content:"|0d 0a|IndexError|0d 0a|User-Agent|0d 0a|"; http.user_agent; content:"Stealth Soldier"; reference:md5,0db6239ad0755392c31a09e58773cd3b; reference:md5,a418886a31852be25064d3573f2bc87d; reference:md5,1ea8a827ad4c565b1c2ae43b0a020092; reference:url,research.checkpoint.com/2023/stealth-soldier-backdoor-used-in-targeted-espionage-attacks-in-north-africa/; classtype:trojan-activity; sid:2046204; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_06_12, deployment Perimeter, performance_impact Low, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_12; target:src_ip;)