alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winos4.0 Framework Fake BMP Download Containing XOR encoded .dll"; flow:established,to_server; urilen:<15; http.uri; content:".bmp"; endswith; pcre:"/^\x2f\d\x2f[a-z0-9]{1,4}\x2ebmp$/"; http.header_names; bsize:45; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Host|0d 0a 0d 0a|"; http.header; content:"Cache|2d|Control|3a 20|no|2d|cache|0d 0a|Connection|3a 20|Keep|2d|Alive|0d 0a|Pragma|3a 20|no|2d|cache|0d 0a|Host|3a 20|"; startswith; fast_pattern; http.connection; bsize:10; content:"Keep-Alive"; reference:url,fortinet.com/blog/threat-research/threat-campaign-spreads-winos4-through-game-application; reference:md5,8f6f306ba501a7e435db720bb97cb1e4; classtype:command-and-control; sid:2059974; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2025_02_07, deployment Perimeter, malware_family Winos4_0, confidence High, signature_severity Major, tag c2, updated_at 2025_02_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)