Rule History

SID: 2046965 • Source: et/open

Versions (3)

Version Details (Current)

Rev: 2
Jul 31, 2023, 12:00 PM

ET MALWARE Pupy DNS Request without SPI M4

alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pupy DNS Request without SPI M4"; dns.query; bsize:>42; content:!".webcfs"; content:"9."; offset:31; depth:27; content:"9."; fast_pattern; within:57; content:"."; distance:0; pcre:"/^(?:[a-z0-8\-]{8}){3,7}[a-z0-8\-]{7}9\.(?:[a-z0-8\-]{8}){1,7}(?:[a-z0-8\-]{2}9{6}|[a-z0-8\-]{4}9{4}|[a-z0-8\-]{5}9{3}|[a-z0-8\-]{7}9)?\./"; reference:url,insights.infoblox.com/resources-whitepaper/infoblox-whitepaper-decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns; classtype:command-and-control; sid:2046965; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_07_31, deployment Perimeter, deployment Internal, malware_family PupyRat, performance_impact Significant, confidence Medium, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_08_14; target:src_ip;)
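As an added example (not part of this rule history page, and not Emerging Threats' or Suricata's code), the following Python re-implements the rule's keyword logic stage by stage so a detection engineer can see which check a given query name passes or fails. The function names, the stage labels and the sample query names are assumptions constructed for this example; the PCRE is copied from the rule unchanged.

```python
"""Stand-alone re-implementation of the keyword logic in ET rule 2046965.

Constructed example, not Suricata's engine. Each keyword of the rule is
applied to a DNS query name string in the order the rule lists them, so the
result shows which stage a name fails. Simplification (assumption): every
positive content match uses the first occurrence found in its window, whereas
Suricata can retry on a later occurrence when a following relative match fails.
"""
import re

# PCRE copied verbatim from the rule; Python's re accepts the syntax unchanged.
PUPY_PCRE = re.compile(
    r"^(?:[a-z0-8\-]{8}){3,7}[a-z0-8\-]{7}9\.(?:[a-z0-8\-]{8}){1,7}"
    r"(?:[a-z0-8\-]{2}9{6}|[a-z0-8\-]{4}9{4}|[a-z0-8\-]{5}9{3}|[a-z0-8\-]{7}9)?\."
)


def evaluate(qname: str) -> dict:
    """Return a dict of stage -> bool in rule order; "alert" is the overall verdict."""
    result = {}
    # bsize:>42  (length of the dns.query buffer)
    result["bsize>42"] = len(qname) > 42
    # content:!".webcfs"  (negated: the substring must be absent anywhere)
    result["no_webcfs"] = ".webcfs" not in qname
    # content:"9."; offset:31; depth:27  (match must lie within bytes 31..57)
    first = qname.find("9.", 31, 31 + 27)
    result["first_9dot"] = first != -1
    # content:"9."; within:57  (a second "9." ending within 57 bytes after the first)
    second = -1
    if first != -1:
        end_first = first + 2
        second = qname.find("9.", end_first, end_first + 57)
    result["second_9dot"] = second != -1
    # content:"."; distance:0  (a dot anywhere after the second "9.")
    result["trailing_dot"] = second != -1 and "." in qname[second + 2:]
    # pcre: anchored at the start of the buffer
    result["pcre"] = PUPY_PCRE.match(qname) is not None
    result["alert"] = all(result.values())
    return result


def would_alert(qname: str) -> bool:
    """True when every keyword in the rule is satisfied by the query name."""
    return evaluate(qname)["alert"]


# Constructed sample query names (not real indicators).
SAMPLES = {
    # shaped to satisfy every keyword: 3x8 chars, 7 chars, "9.", 8 chars, 7 chars + "9", "."
    "abcdefghabcdefghabcdefghbcdefgh9.ijklmnopqrstuvw9.example.test": True,
    # same shape, but contains the excluded ".webcfs" substring
    "abcdefghabcdefghabcdefghbcdefgh9.ijklmnopqrstuvw9.webcfs.test": False,
    # too short for bsize:>42
    "short9.example.test": False,
    # long, ordinary-looking name with no "9." inside the offset/depth window
    "cdn-assets-static-content-delivery-01.cloudfront-example.test": False,
}

if __name__ == "__main__":
    for name, expected in SAMPLES.items():
        stages = evaluate(name)
        print(f"{name}\n  alert={stages['alert']} (expected {expected})")
        for stage, ok in stages.items():
            if stage != "alert":
                print(f"    {stage}: {ok}")
```

The stage breakdown is the useful part when tuning: a benign name that trips the rule will usually show where it slipped through (for example, a long name that happens to carry "9." inside the byte window), which tells you whether a narrower `pcre` or an added negated `content` is the right fix.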

Jul 31, 2023, 12:00 PM

Aug 14, 2023, 12:00 PM

Jul 31, 2023, 10:00 PM

Aug 20, 2025, 9:35 PM

rules/emerging-malware.rules