Rule History

SID: 10014433 • Source: ptrules/open

Versions (2)

Version Details (Current)

Rev: 1 • Oct 9, 2025, 2:49 PM

BANKER [PTsecurity] RedHook Keyboard Input Exfiltration

alert http any any -> any any (msg: "BANKER [PTsecurity] RedHook Keyboard Input Exfiltration"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/addKeyboardInput"; endswith; fast_pattern; http.header; content: "clientId|3a 20|"; pcre: "/^[0-9a-f]{32}\x0d\x0a/RH"; content: "Accept|3a| */*"; content: "Content-Type|3a| application/json"; content: "User-Agent|3a| okhttp/"; content: !"Referer|3a|"; http.request_body; content: "{|22|deviceId|22 3a 22|"; startswith; content: "|22|content|22 3a 22|"; distance: 0; content: "|22|appPackageName|22 3a 22|"; distance: 0; content: "|22|}"; endswith; threshold: type limit, track by_src, seconds 120, count 1; reference: url, tria.ge/250811-yb6lwatsds/behavioral1; reference: url, cyble.com/blog/redhook-new-android-banking-targeting-in-vietnam/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10014433; rev: 1;)
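
The signature above fires only when every one of its content, pcre and negated-content conditions holds on the same request. The following is an added worked example, not PT Security's code and not a Suricata engine: it transcribes the rule's conditions into plain Python and runs them over a constructed RedHook-shaped POST plus three negative controls, so the reader can see which request features the rule actually depends on (URI suffix, a 32-character lowercase hex clientId header, okhttp User-Agent, absence of Referer, and the JSON key order deviceId, content, appPackageName). Every concrete value in the sample request (host, deviceId, clientId, okhttp version, package name, typed text) is invented test data; only the shape follows the rule. The approximation ignores HTTP normalization and the threshold keyword.

```python
import re
from typing import NamedTuple


class HttpRequest(NamedTuple):
    method: bytes
    uri: bytes
    headers: bytes  # raw header block, each line CRLF-terminated (stands in for Suricata's http.header buffer)
    body: bytes     # stands in for http.request_body


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into the buffers the rule inspects."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    # Re-append the CRLF dropped by partition so the last header is CRLF-terminated,
    # matching what the rule's pcre expects after the clientId value.
    return HttpRequest(method, uri, headers + b"\r\n", body)


def _body_matches(body: bytes) -> bool:
    """startswith / distance:0 / endswith chain from the rule's http.request_body section."""
    first = b'{"deviceId":"'
    if not body.startswith(first):
        return False
    pos = len(first)
    # distance:0 means each key may appear anywhere after the end of the previous match.
    for needle in (b'"content":"', b'"appPackageName":"'):
        pos = body.find(needle, pos)
        if pos < 0:
            return False
        pos += len(needle)
    # The final content "}" carries only endswith, so it is an absolute check on the buffer end.
    return body.endswith(b'"}')


# Conditions transcribed from the rule, in the order the rule lists them.
CHECKS = [
    ("http.method POST", lambda r: r.method == b"POST"),
    ("http.uri endswith /addKeyboardInput", lambda r: r.uri.endswith(b"/addKeyboardInput")),
    # content "clientId: " followed by pcre /^[0-9a-f]{32}\x0d\x0a/R
    ("clientId header is 32 lowercase hex chars",
     lambda r: re.search(rb"clientId: [0-9a-f]{32}\r\n", r.headers) is not None),
    ("Accept: */*", lambda r: b"Accept: */*" in r.headers),
    ("Content-Type: application/json", lambda r: b"Content-Type: application/json" in r.headers),
    ("User-Agent: okhttp/", lambda r: b"User-Agent: okhttp/" in r.headers),
    ("no Referer header", lambda r: b"Referer:" not in r.headers),  # negated content
    ("body field order deviceId, content, appPackageName", lambda r: _body_matches(r.body)),
]


def evaluate(raw: bytes) -> list[str]:
    """Return the names of rule conditions the request fails; an empty list means the rule would alert."""
    req = parse_request(raw)
    return [name for name, check in CHECKS if not check(req)]


def make_request(uri: bytes = b"/api/addKeyboardInput",
                 client_id: bytes = b"0123456789abcdef0123456789abcdef",
                 extra_headers: tuple = (),
                 body: bytes = b'{"deviceId":"dev-0001","content":"1234","appPackageName":"com.example.bank"}') -> bytes:
    """Build a constructed request shaped like the traffic the rule targets.
    Host, deviceId, clientId, okhttp version, package name and typed text are all invented."""
    headers = [
        b"Host: example.invalid",
        b"clientId: " + client_id,
        b"Accept: */*",
        b"Content-Type: application/json",
        b"User-Agent: okhttp/4.9.0",
        b"Content-Length: " + str(len(body)).encode(),
        *extra_headers,
    ]
    return b"POST " + uri + b" HTTP/1.1\r\n" + b"\r\n".join(headers) + b"\r\n\r\n" + body


if __name__ == "__main__":
    print("baseline:", evaluate(make_request()) or "ALERT")
    # Negative controls: each changes exactly one feature the rule depends on.
    print("with Referer:", evaluate(make_request(extra_headers=(b"Referer: https://example.invalid/",))))
    print("uppercase clientId:", evaluate(make_request(client_id=b"0123456789ABCDEF0123456789ABCDEF")))
    print("key order swapped:", evaluate(make_request(
        body=b'{"content":"1234","deviceId":"dev-0001","appPackageName":"com.example.bank"}')))
```

The negative controls are the practical point: a Referer header, an uppercase or differently sized clientId, or a client that serializes the JSON keys in another order each defeats the signature on its own, which is why the rule is tight (low false-positive risk) but brittle against minor changes in the malware's HTTP client.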

Oct 16, 2025, 10:34 AM

rules/ptopen-malware.rules