alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET RETIRED BellaCiao ASPX Backdoor Response"; flow:established,to_client; flowbits:isset,ET.BellaCiao.UA; http.stat_code; content:"200"; http.header; content:"Server|3a 20|Microsoft-IIS/"; file_data; content:"|3c|HTML|3e 3c|HEAD|3e 3c|title|3e|invoice|3c 2f|title|3e 3c 2f|HEAD|3e 20 3c|body bgcolor|3d 22 23|808080|22 3e|Not Found |21 21 21 21 3c|div|3e 3c 2f|div|3e 3c 2f|body|3e 3c 2f|HTML|3e|"; fast_pattern; reference:md5,f56a6da833289f821dd63f902a360c31; reference:url,www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/; classtype:trojan-activity; sid:2045977; rev:2; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2023_05_31, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BellaCiao, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_10_01, reviewed_at 2024_10_01; target:src_ip;)