""ET CURRENT_EVENTS Nuclear EK Gate Sep 16 2014""
SID: 2019185
Revision: 3
Class Type: trojan-activity
Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2014_09_22
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,from_server
Contents:
-
Value: "16.html"
-
Value: "etCookie"
-
Value: "document.write(|27|<iframe"
Within:
PCRE: "/^(?=(?:(?!<\/iframe>).)+?src\s?=\s?\x22http\x3a[^\x22]+16.html\x22)(?=(?:(?!<\/iframe>).)+?left\s?[\x3a\x3d]\s?[\x22\x27]?-)(?=(?:(?!<\/iframe>).)+?top\s?[\x3a\x3d]\s?[\x22\x27]?-)(?:(?!<\/iframe>).)+?<\/iframe>\x27\x29/Rsi"
Special Options:
- file_data