alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29 Implant8 - MAL_REFERER"; flow:established,to_server; http.method; content:"GET"; http.header; content:"&bvm=bv.81"; fast_pattern; content:"|2c|d."; distance:6; within:3; content:"|0d 0a|"; distance:3; within:2; content:"Referer|3a 20|https|3a|//www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd="; pcre:"/^(?:[02-9]|1[01]?)&ved=0C[A-L]{2}QFjA[A-L]&url=/R"; content:"&ei="; distance:0; pcre:"/^[A-Za-z0-9]{20,22}&usg=[A-Za-z0-9_]{34}&bvm=bv\.81[1-7]{6}\,d\.[A-Za-z0-9_]{3}\r\n/R"; http.header_names; content:!"Cookie|0d 0a|"; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2024004; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, malware_family APT29_Implant8, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_11_12;)