ET MALWARE TA402/Molerats Pierogi Variant Backdoor Activity (POST)
Source: et/open
Created: May 1, 2024
Updated: June 13, 2024
Classification: trojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats Pierogi Variant Backdoor Activity (POST)"; flow:established,to_server; urilen:>30; http.method; content:"POST"; http.uri; content:!"|2e|"; http.header_names; bsize:48; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a 0d 0a|"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary|3d|"; http.request_body; content:"|22 0d 0a 0d 0a|"; pcre:"/^[A-F0-9]{20,50}/R"; reference:md5,421b2d8a58431ad72b72424fc571f2c3; reference:url,www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/; classtype:trojan-activity; sid:2052320; rev:2; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_05_01, deployment Perimeter, deployment SSLDecrypt, malware_family Molerats, malware_family TA402, performance_impact Moderate, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_06_13; target:src_ip;)
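The rule above is a conjunction of independent constraints on one HTTP request: a POST, a URI longer than 30 bytes with no "." in it, exactly the four headers Host, Accept, Content-Length and Content-Type in that order and nothing else (the http.header_names buffer must be exactly 48 bytes, which is the length of those four names with their CRLF separators), a multipart/form-data Content-Type, and a form field whose value begins with 20 to 50 uppercase hex characters. The Python below is an added example, not Suricata's engine and not Proofpoint/ET code: it re-implements those checks over a raw request so a defender can see which keyword a candidate request satisfies or fails. It assumes Suricata's documented http.header_names layout (leading CRLF, each name followed by CRLF, trailing CRLF), does not model flow:established,to_server, and the two requests it evaluates are constructed for the example rather than captured traffic. Because the rule needs cleartext HTTP, it only fires on decrypted traffic, as the tls_state TLSDecrypt metadata notes.

```python
"""Offline approximation of the checks in ET sid:2052320.
Added example; assumptions are marked in comments."""
import re
from typing import List, Optional, Tuple

# Assumed http.header_names layout: leading CRLF, name + CRLF per header,
# trailing CRLF. For the four names in the rule this is exactly 48 bytes.
EXPECTED_HEADER_NAMES = b"\r\nHost\r\nAccept\r\nContent-Length\r\nContent-Type\r\n\r\n"
CONTENT_TYPE_NEEDLE = b"multipart/form-data; boundary="
BODY_ANCHOR = b'"\r\n\r\n'
# pcre "/^[A-F0-9]{20,50}/R": Pattern.match(buf, pos) pins the match to pos,
# which stands in for the "^" anchor combined with the relative (R) flag.
HEX_RUN = re.compile(rb"[A-F0-9]{20,50}")

Parsed = Tuple[bytes, bytes, List[Tuple[bytes, bytes]], bytes]


def parse_request(raw: bytes) -> Optional[Parsed]:
    """Minimal HTTP/1.x request splitter -> (method, uri, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers.append((name.strip(), value.strip()))
    return parts[0], parts[1], headers, body


def failed_checks(raw: bytes) -> List[str]:
    """Rule keywords that do NOT hold for this request; [] means it fires.
    flow:established,to_server is TCP state and is not modelled here."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["unparseable request"]
    method, uri, headers, body = parsed
    failed = []
    if method != b"POST":
        failed.append('http.method content:"POST"')
    if len(uri) <= 30:
        failed.append("urilen:>30")
    if b"." in uri:
        failed.append('http.uri content:!"|2e|"')
    names = b"\r\n" + b"".join(n + b"\r\n" for n, _ in headers) + b"\r\n"
    if len(names) != 48:
        failed.append("http.header_names bsize:48")
    elif names != EXPECTED_HEADER_NAMES:
        failed.append("http.header_names content")
    ctype = next((v for n, v in headers if n.lower() == b"content-type"), b"")
    if CONTENT_TYPE_NEEDLE not in ctype:
        failed.append("http.content_type content")
    # Suricata retries the relative pcre at each occurrence of the content.
    hit = False
    idx = body.find(BODY_ANCHOR)
    while idx != -1 and not hit:
        hit = HEX_RUN.match(body, idx + len(BODY_ANCHOR)) is not None
        idx = body.find(BODY_ANCHOR, idx + 1)
    if not hit:
        failed.append("http.request_body content + pcre")
    return failed


def rule_matches(raw: bytes) -> bool:
    return not failed_checks(raw)


def build_request(uri: bytes, headers: List[Tuple[bytes, bytes]], body: bytes) -> bytes:
    head = b"POST " + uri + b" HTTP/1.1\r\n"
    head += b"".join(n + b": " + v + b"\r\n" for n, v in headers)
    return head + b"\r\n" + body


# Constructed request that satisfies every modelled check (not a capture).
_BODY_HIT = (b"--b0undary\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\n"
             b"0123456789ABCDEF0123456789ABCDEF\r\n--b0undary--\r\n")
SAMPLE_HIT = build_request(
    b"/api/v1/upload/session/ABCDEF0123456789",
    [(b"Host", b"example.invalid"), (b"Accept", b"*/*"),
     (b"Content-Length", str(len(_BODY_HIT)).encode()),
     (b"Content-Type", b"multipart/form-data; boundary=b0undary")],
    _BODY_HIT)

# Constructed browser-style upload: a User-Agent header, a dot in the URI
# and a non-hex field value, so several checks fail and the rule stays quiet.
_BODY_MISS = (b"--xyz\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\n"
              b"hello world\r\n--xyz--\r\n")
SAMPLE_MISS = build_request(
    b"/upload.php",
    [(b"Host", b"example.invalid"), (b"User-Agent", b"Mozilla/5.0"),
     (b"Accept", b"*/*"), (b"Content-Length", str(len(_BODY_MISS)).encode()),
     (b"Content-Type", b"multipart/form-data; boundary=xyz")],
    _BODY_MISS)

if __name__ == "__main__":
    print("hit :", failed_checks(SAMPLE_HIT))
    print("miss:", failed_checks(SAMPLE_MISS))
```

The per-keyword failure list is the useful part when tuning: if a true positive from a decrypted session is missed, the list shows which constraint (most often the exact header set, since proxies add or reorder headers) broke the match.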
References
| md5 | 421b2d8a58431ad72b72424fc571f2c3 |
| url | www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/ |
Metadata
attack_target: Client_Endpoint
tls_state: TLSDecrypt
created_at: 2024_05_01
deployment: Perimeter, SSLDecrypt
malware_family: Molerats, TA402
performance_impact: Moderate
confidence: Low
signature_severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated_at: 2024_06_13