ET MALWARE Suspected SPECULOOS Backdoor CnC Init Packet Masquerading as SNI Request to live .com

SID: 2029910
Rev: 6
Source: et/open
Created: April 14, 2020
Updated: April 11, 2023
Classification: command-and-control
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Suspected SPECULOOS Backdoor CnC Init Packet Masquerading as SNI Request to live .com"; dsize:186; content:"|16 03 01 00 b5 01 00 00 b1 03 01|"; depth:11; content:"|00 00 48 c0 0a c0 14 00 88 00 87 00 39 00 38 c0 0f c0 05 00 84 00 35 c0 07 c0 09 c0 11 c0 13 00 45 00 44 00 66 00 33 00 32 c0 0c c0 0e c0 02 c0 04 00 96 00 41 00 04 00 05 00 2f c0 08 c0 12 00 16 00 13 c0 0d c0 03 fe ff 00 0a 02 01 00 00 3f 00 00 00 13 00 11 00 00 0e 6c 6f 67 69 6e 2e 6c 69 76 65 2e 63 6f 6d ff 01 00 01 00 00 0a 00 08 00 06 00 17 00 18 00 19 00 0b 00 02 01 00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 00 00 00|"; distance:32; within:143; fast_pattern; isdataat:!1,relative; reference:url,unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/; classtype:command-and-control; sid:2029910; rev:6; metadata:attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_11;)
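The rule above is a byte-exact fingerprint of one TLS ClientHello: dsize:186 pins the segment length, the first content: match covers the record and handshake headers, distance:32 skips the client random, and the second content: match plus isdataat:!1,relative requires the rest of the hello (cipher suites, compression methods, extensions) to be identical to the captured sample right up to the end of the segment. The following script, added here as an example and not taken from the ET rule page or the Unit 42 report, assembles that 186-byte payload from the rule's own content: bytes (the 32-byte random is a constructed placeholder, since the rule never inspects it), re-implements the rule's payload checks, and decodes the hello so you can see what the signature actually keys on: an SNI of login.live.com inside a hello that offers deflate compression ahead of null and a fixed list of 36 cipher suites.

```python
"""Decode the ClientHello fingerprint in ET SID 2029910 and re-run its payload checks.

Added example; it is not part of the ET rule page or the Unit 42 report. The
byte strings below are copied from the rule's two content: matches. The 32-byte
ClientHello random between them is a constructed placeholder: the rule skips
it with distance:32, so its value does not affect the match.
"""
import struct

# content 1 (depth:11): TLS record header, handshake header, client_version 3.1.
RULE_HEAD = bytes.fromhex("16 03 01 00 b5 01 00 00 b1 03 01")

# content 2 (distance:32; within:143): everything after the 32-byte random.
RULE_TAIL = bytes.fromhex(
    "00 "                                   # session_id length 0
    "00 48 "                                # cipher_suites length 72 (36 suites)
    "c0 0a c0 14 00 88 00 87 00 39 00 38 c0 0f c0 05 00 84 00 35 c0 07 c0 09 "
    "c0 11 c0 13 00 45 00 44 00 66 00 33 00 32 c0 0c c0 0e c0 02 c0 04 00 96 "
    "00 41 00 04 00 05 00 2f c0 08 c0 12 00 16 00 13 c0 0d c0 03 fe ff 00 0a "
    "02 01 00 "                             # compression_methods: deflate, null
    "00 3f "                                # extensions length 63
    "00 00 00 13 00 11 00 00 0e 6c 6f 67 69 6e 2e 6c 69 76 65 2e 63 6f 6d "  # server_name: login.live.com
    "ff 01 00 01 00 "                       # renegotiation_info
    "00 0a 00 08 00 06 00 17 00 18 00 19 "  # supported_groups: secp256r1/384r1/521r1
    "00 0b 00 02 01 00 "                    # ec_point_formats: uncompressed
    "00 23 00 00 "                          # session_ticket
    "33 74 00 00 "                          # next_protocol_negotiation
    "00 05 00 05 01 00 00 00 00 "           # status_request (OCSP)
)


def build_sample_hello(random_bytes: bytes = b"\xaa" * 32) -> bytes:
    """Assemble a 186-byte ClientHello the rule fires on (constructed sample)."""
    return RULE_HEAD + random_bytes + RULE_TAIL


def rule_2029910_matches(payload: bytes) -> bool:
    """Re-implement the rule's payload tests on one TCP segment's data."""
    if len(payload) != 186:                                   # dsize:186
        return False
    if payload.find(RULE_HEAD, 0, 11) != 0:                   # content; depth:11
        return False
    start = len(RULE_HEAD) + 32                               # distance:32
    idx = payload.find(RULE_TAIL, start, start + 143)         # within:143
    if idx < 0:
        return False
    return idx + len(RULE_TAIL) == len(payload)               # isdataat:!1,relative


def parse_client_hello(payload: bytes) -> dict:
    """Minimal ClientHello decoder: version, cipher suites, compression, extension ids, SNI."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    rec_len = struct.unpack_from("!H", payload, 3)[0]
    hs_len = int.from_bytes(payload[6:9], "big")
    if len(payload) != rec_len + 5 or rec_len != hs_len + 4:
        raise ValueError("record/handshake lengths are inconsistent")
    pos = 9
    version = tuple(payload[pos:pos + 2])
    pos += 2
    pos += 32                                                 # client random
    sid_len = payload[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack_from("!H", payload, pos)[0]
    pos += 2
    suites = [struct.unpack_from("!H", payload, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = payload[pos]
    pos += 1
    compression = list(payload[pos:pos + comp_len])
    pos += comp_len
    ext_len = struct.unpack_from("!H", payload, pos)[0]
    pos += 2
    end, ext_ids, sni = pos + ext_len, [], None
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", payload, pos)
        pos += 4
        data = payload[pos:pos + elen]
        pos += elen
        ext_ids.append(etype)
        if etype == 0x0000 and len(data) >= 5 and data[2] == 0:   # host_name entry
            name_len = struct.unpack_from("!H", data, 3)[0]
            sni = data[5:5 + name_len].decode("ascii")
    return {"version": version, "cipher_suites": suites,
            "compression": compression, "extensions": sorted(ext_ids), "sni": sni}


if __name__ == "__main__":
    pkt = build_sample_hello()
    print("rule match:", rule_2029910_matches(pkt))
    print(parse_client_hello(pkt))
```

Two caveats fall straight out of the decode. Because the match is dsize-exact and ends with isdataat:!1,relative, the rule only fires when the whole ClientHello arrives in a single 186-byte segment with nothing appended; a different random value is fine, but any change to the suite list, the extension order or the SNI length defeats it. Conversely, any client that happens to emit this exact hello (same 36 suites in this order, deflate offered first, these seven extensions) toward login.live.com will also match, which is why the signature carries confidence Medium and is labelled "Suspected".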

Metadata

attack_target: Client_Endpoint
created_at: 2020_04_14
deployment: Perimeter
confidence: Medium
signature_severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated_at: 2023_04_11
