ET RETIRED RShell Backdoor Initial CnC Checkin

SID: 2038540Rev: 20 viewsHistory

Sourceet/open

CreatedAugust 16, 2022

UpdatedSeptember 17, 2024

Classificationcommand-and-control

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET RETIRED RShell Backdoor Initial CnC Checkin"; flow:to_server,established; content:"|00 00 00 02|guid|00 25 00 00 00|"; offset:1; fast_pattern; pcre:"/^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}/R"; content:"|00 02|hostname"; distance:0; content:"|00 02|lan"; distance:0; content:"|00 02|type"; distance:0; content:"login"; distance:0; content:"|00 02|username"; distance:0; content:"|00 02|version"; distance:0; reference:url,blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos; reference:url,www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html; classtype:command-and-control; sid:2038540; rev:2; metadata:attack_target Client_and_Server, created_at 2022_08_16, deployment Perimeter, former_category MALWARE, malware_family Rshell, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_09_17, reviewed_at 2024_09_17;)

References

url	blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos
url	www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html

Metadata

attack targetClient_and_Server

created at2022_08_16

deploymentPerimeter

former categoryMALWARE

malware familyRshell

performance impactLow

confidenceMedium

signature severityMajor

tagDescription_Generated_By_Proofpoint_Nexus

updated at2024_09_17

reviewed at2024_09_17

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!