alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mustang Panda/RedDelta Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?token="; fast_pattern; content:"&computername="; distance:0; content:"&username="; distance:0; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64)|20|AppleWebKit/537.36|20|(KHTML|2e 20|like|20|Gecko)|20|Chrome/72.0.3626.121|20|Safari/537.36"; reference:url,twitter.com/IntezerLabs/status/1316384526323638274; reference:md5,1ec914ef8443a1fb259c79b038e64ebf; classtype:trojan-activity; sid:2031072; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag TA416, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_21;)