alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; endswith; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Language|3a 20|en-US|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; depth:98; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"&method="; fast_pattern; pcre:"/^d(?:id|ei)=[A-F0-9]{10,100}&method=IS[A-Z]{1,10}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d6ef9b0cdb49b56c53da3433e30f3fd6; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:command-and-control; sid:2023933; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, confidence High, signature_severity Major, tag Android, tag c2, updated_at 2020_10_08, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)