alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA430/Andariel ACRES Backdoor Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?mailid="; content:"&action=inbox&param="; fast_pattern; distance:12; within:20; content:"&session="; distance:0; http.header_names; content:!"Referer"; reference:url,labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf; reference:md5,c027d641c4c1e9d9ad048cda2af85db6; classtype:trojan-activity; sid:2044086; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_02_03, deployment Perimeter, malware_family Andariel, malware_family TA430, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_02_03; target:src_ip;)