Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtherHiding Exfil M1"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/json"; http.request_body; content:"|22|method|22 3a 22|eth|5f|blockNumber|22|"; distance:0; fast_pattern; content:"|22|params|22 3a 5b 5d 7d|"; endswith; reference:url,jscrambler.com/blog/inside-takedown-resistant-skimmer-tricks; classtype:trojan-activity; sid:2065529; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_10_27, deployment Perimeter, malware_family Etherhiding, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_27;)