ET MALWARE BernhardPOS Possible Data Exfiltration via DNS Lookup (29a.de)

SID: 2021416Rev: 50 views
History
Sourceet/open
CreatedJuly 15, 2015
UpdatedSeptember 17, 2020
Classificationtrojan-activity
alert dns $HOME_NET any -> any any (msg:"ET MALWARE BernhardPOS Possible Data Exfiltration via DNS Lookup (29a.de)"; dns.query; content:".29a.de"; nocase; fast_pattern; endswith; pcre:"/^.(?=[a-z0-9+/]*?[A-Z])(?=[A-Z0-9+/]*?[a-z])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\.29a\.de$/"; reference:url,morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick; classtype:trojan-activity; sid:2021416; rev:5; metadata:created_at 2015_07_15, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_17;)

References

urlmorphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick

Metadata

created at2015_07_15
confidenceMedium
signature severityMajor
tagDescription_Generated_By_Proofpoint_Nexus
updated at2020_09_17

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!