alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Blackmoon Related Activity (GET)"; flow:established,to_server; flowbits:set,ET.blackmoon; urilen:<25; http.method; content:"GET"; http.uri; content:"/post/"; startswith; content:"_"; distance:8; within:1; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1)"; bsize:50; http.host; content:".lofter.com"; endswith; fast_pattern; reference:md5,26e28b0d5e50624d2597ae65cdd41dd5; reference:md5,f2827328571b9c292a1a3759e94c7b4a; reference:md5,53d082f3320b5c6cfd264d1b30298094; reference:url,threatpost.com/blackmoon-banking-trojan-using-new-infection-technique/125425/; classtype:trojan-activity; sid:2046635; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_06_23, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_23; target:src_ip;)