ET MALWARE CozyDuke APT HTTP GET CnC Beacon

SID: 2020963Rev: 60 viewsHistory

Sourceet/open

CreatedApril 22, 2015

UpdatedApril 29, 2024

Classificationtargeted-activity

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyDuke APT HTTP GET CnC Beacon"; flow:established,to_server; flowbits:set,ET.CozyDuke.HTTP; http.method; content:"GET"; http.uri; content:".php?"; fast_pattern; pcre:"/[A-Z]{100}(?:&\w+=[a-zA-Z0-9/+=]+){0,2}$/"; http.header_names; content:!"|0d 0a|Accept"; content:!"|0d 0a|Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020963; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, performance_impact Significant, signature_severity Major, tag c2, updated_at 2024_04_29, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)

References

url	securelist.com/blog/69731/the-cozyduke-apt/
md5	98a6484533fa12a9ba6b1bd9df1899dc Google Search Brave Search

Metadata

attack targetClient_Endpoint

created at2015_04_22

deploymentPerimeter

performance impactSignificant

signature severityMajor

tagc2

updated at2024_04_29

mitre tactic idTA0010

mitre tactic nameExfiltration

mitre technique idT1041

mitre technique nameExfiltration_Over_C2_Channel

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!