Versions (3)
Version DetailsCurrent
Rev: 2 • Jan 10, 2024, 12:00 PMET MALWARE Suspected TA451 Related FalseFont Backdoor Activity M3
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TA451 Related FalseFont Backdoor Activity M3"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/api/Token"; http.request_body; content:"|7b 22|username|22 3a 22|"; startswith; content:"|22 2c 22|password|22 3a 22|"; content:"|22 2c 22|computerHostName|22 3a 22|"; fast_pattern; content:"|22 2c 22|osName|22 3a 22|"; threshold:type limit, count 1, seconds 300, track by_src; reference:md5,5b759c6db78de7587a9d201e8ea28c03; reference:md5,6fd5d31d607a212c6f7651c79e7655a3; reference:url,twitter.com/malwrhunterteam/status/1744660043574698176; classtype:trojan-activity; sid:2049963; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2024_01_10, deployment Perimeter, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_05, reviewed_at 2024_01_10;)
Jan 10, 2024, 12:00 PM
Feb 5, 2024, 12:00 PM
Jan 10, 2024, 10:00 PM
Aug 18, 2025, 8:35 PM
rules/emerging-malware.rules