Rule History

SID: 3309686 • Source: pawpatrules

Versions (2)

Version DetailsCurrent

Rev: 11 • Oct 26, 2021, 12:00 PM

Message:

🐾 - 👁 Suspicious DNS Request 🌐 -fr.org > Possible 🏴‍☠️ FIN7 🇷🇺 Group

Rule:

alert dns any any -> any any (msg:"🐾 - 👁 Suspicious DNS Request 🌐 -fr.org > Possible 🏴‍☠️ FIN7 🇷🇺 Group"; flow:to_server, stateless; dns_query; content:"-fr.org"; fast_pattern; nocase; content:!"mmt-fr.org"; nocase; content:!"ubuntu-fr.org"; nocase; content:!"fedora-fr.org"; nocase; content:!"pharmacol-fr.org"; nocase; content:!"sfpt-fr.org"; nocase; content:!"debian-fr.org"; nocase; reference:url,https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/; reference:url,https://malpedia.caad.fkie.fraunhofer.de/actor/fin7; metadata:created_at 2021_10_26, updated_at 2025_07_19; sid:3309686; rev:11; classtype:trojan-activity;)

Created:

Oct 26, 2021, 12:00 PM

Updated:

Jul 19, 2025, 12:00 PM

DB Created:

Apr 30, 2024, 10:00 PM

DB Updated:

Jul 19, 2025, 9:34 PM

Filename:

rules/PAW-PATRULES_FIN7_FQDN.rules