🐾 - 🚨 👀 geoplugin.net JSON lookup public IP address from local network - Used by Remcos RAT - Possible Leak 🚱

SID: 3301153
Rev: 3
Views: 27
Source: pawpatrules
Created: March 3, 2024
Updated: August 8, 2024
Classification: external-ip-check
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 👀 geoplugin.net JSON lookup public IP address from local network - Used by Remcos RAT - Possible Leak 🚱"; flow:to_server, stateless; threshold:type limit, track by_src,count 1, seconds 3600; http.host.raw; content:"geoplugin.net"; fast_pattern; nocase; http.method; content:"GET"; http.uri; content:"/json.gp"; reference:url,https://blog.talosintelligence.com/threat-roundup-1021-1028-2/; metadata:created_at 2024_03_03, updated_at 2024_08_08; sid:3301153; rev:3; classtype:external-ip-check;)

Metadata

created at: 2024_03_03
updated at: 2024_08_08
