Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TA451 Related FalseFont Backdoor Activity M5"; flow:established,to_server; urilen:22; http.uri; content:"/api/Core/Command/Init"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:"Authorization|0d 0a|"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,nextron-systems.com/2024/01/29/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor/; reference:md5,6fd5d31d607a212c6f7651c79e7655a3; classtype:trojan-activity; sid:2050677; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2024_02_01, deployment Perimeter, malware_family FalseFont, confidence High, signature_severity Critical, tag TA451, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_05;)