[Snort-sigs] Andr.Trojan.Femas (ViperRAT)

Y M snort at ...3751...
Sun Feb 19 00:39:28 EST 2017


Hello,


The signature below was derived from the articles in the references. No pcaps available.


# flow corrected to to_server: the rule inspects the client's POST (HOME_NET -> EXTERNAL_NET), so to_client could never match.
# http_client_body added to "&method=" so it is matched in the same buffer as "did=" rather than against the raw payload.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Femas outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"did="; http_client_body; content:"&method="; http_client_body; fast_pattern:only; content:".php"; http_uri; content:"|3B| Android "; http_header; content:"Accept-Encoding|3A 20|gzip|0D 0A|"; http_header; content:!"Accept|3A 20|"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; reference:url,blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/; classtype:trojan-activity; sid:1000847; rev:1;)


Thank you.

YM
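Since the post notes that no pcaps were available, the following is an added example (not part of the original message, and not code from the Snort project) for exercising the proposed rule offline. It builds a request that satisfies every content match in the rule, emulates the rule's seven checks against that request and against near-miss requests that each break one condition, and writes a pcap containing a TCP three-way handshake followed by the client's POST so the rule can be replayed with snort -r. The host name, URI path, User-Agent string, device id and method values are constructed assumptions, not observed ViperRAT traffic, and the emulation only approximates Snort 2's http_method, http_uri, http_header and http_client_body buffers; it is a sanity check, not a substitute for running Snort.

```python
"""Added example (not from the original post or the Snort project): emulate the
proposed Andr.Trojan.Femas rule on constructed requests and build a replayable pcap."""
import socket
import struct

# Constructed request satisfying every content match in the rule. Host, path,
# User-Agent and parameter values are assumptions, not observed ViperRAT traffic.
REQ_MATCH = (
    b"POST /api/gate.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1; SM-G920F Build/MMB29K)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
    b"did=0123456789abcdef&method=reg"
)

# Near misses, each violating exactly one condition of the rule.
SAMPLES = {
    "femas_post": REQ_MATCH,
    "get_request": REQ_MATCH.replace(b"POST ", b"GET ", 1),                      # http_method
    "post_with_accept": REQ_MATCH.replace(b"Accept-Encoding: gzip\r\n",
                                          b"Accept: */*\r\nAccept-Encoding: gzip\r\n"),  # negated Accept
    "lowercase_headers": REQ_MATCH.replace(b"Accept-Encoding", b"accept-encoding"),  # rule has no nocase
    "no_method_param": REQ_MATCH.replace(b"&method=reg", b"&action=reg"),        # fast_pattern content
}

def parse_request(raw):
    """Approximate Snort's http_method, http_uri, http_header (request line excluded)
    and http_client_body buffers for a single HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    headers = b"".join(line + b"\r\n" for line in header_lines)
    return method, uri, headers, body

def femas_rule_matches(raw):
    """Apply the rule's seven content checks; all must hold, case-sensitively (no nocase)."""
    method, uri, headers, body = parse_request(raw)
    return all((
        method == b"POST",                        # content:"POST"; http_method
        b"did=" in body,                          # content:"did="; http_client_body
        b"&method=" in body,                      # content:"&method="; fast_pattern:only
        b".php" in uri,                           # content:".php"; http_uri
        b"; Android " in headers,                 # content:"|3B| Android "; http_header
        b"Accept-Encoding: gzip\r\n" in headers,  # content:"Accept-Encoding|3A 20|gzip|0D 0A|"; http_header
        b"Accept: " not in headers,               # content:!"Accept|3A 20|"; http_header
    ))

def checksum(data):
    """RFC 1071 ones-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with valid checksums (Snort verifies them by default)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp

def frame_checksums_ok(frame):
    """Recompute IP and TCP checksums of a frame from tcp_packet(); both must fold to zero."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0

def pcap_session(request, client="10.0.0.5", server="203.0.113.10", sport=51234, dport=80):
    """Three-way handshake plus the client's POST, so flow:established is satisfied."""
    SYN, ACK, PSH = 0x02, 0x10, 0x08
    cseq, sseq = 1000, 5000
    frames = [
        tcp_packet(client, server, sport, dport, cseq, 0, SYN),
        tcp_packet(server, client, dport, sport, sseq, cseq + 1, SYN | ACK),
        tcp_packet(client, server, sport, dport, cseq + 1, sseq + 1, ACK),
        tcp_packet(client, server, sport, dport, cseq + 1, sseq + 1, PSH | ACK, request),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap header, LINKTYPE_ETHERNET
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1500000000 + i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:<18} matches={femas_rule_matches(req)}")
    with open("femas_test.pcap", "wb") as fh:
        fh.write(pcap_session(REQ_MATCH))
```

Running the module prints the emulation result for each sample and writes femas_test.pcap; with the rule in a local rules file it can be replayed with snort -c snort.conf -r femas_test.pcap -A console. Two things the samples make visible: the pcap carries the POST from the client to the server, so the rule's flow keyword must be to_server for it to fire on this traffic; and the lowercase_headers case shows that the three header matches carry no nocase, so a client emitting accept-encoding: gzip (or a User-Agent with lowercase android) is not matched as the rule is written.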