"ET CURRENT_EVENTS Targeted Attack from APT Actor Delivering HT SWF Exploit RIP"
SID: 2021405
Revision: 4
Class Type: trojan-activity
Metadata: created_at 2015_07_13, updated_at 2015_07_13
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,from_server
Contents:
-
Value: "|67 5f 6f 3d 69 65 56 65 72 73 69 6f 6e 28 29 3b|"
-
Value: "|67 65 74 42 69 74 73 28 29 3b|"
-
Value: "var "
Within:
PCRE: "/^\s?(?P<var>[^=\s\x3b]+)\s?=\s?getBits(\s?)\x3b.+?flashvars\s?=\s?\x5c\x22(?P=var)\s?=\s?\x22\s?+\s?(?P=var)\s?+\s?\x22\x5c\x22/Rsi"
Special Options:
-
file_data
-
nocase
-
nocase