Et rule 2022962 - Magic-SigExplorer

""ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 12 2016""

SID: 2022962

Revision: 3

Class Type: trojan-activity

Metadata: affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_12, deployment Perimeter, malware_family PsuedoDarkLeech, signature_severity Major, updated_at 2016_10_04

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

Value: "|3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 2d 31|"

Within:

PCRE: "/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>[^<>]?<\/iframe>[^<>]</em>?\n[^<>]*?<\/span>/Rsi"</p> <p><strong>Special Options:</strong></p> <ul> <li>file_data</li> </ul> <p><a href="https://github.com/magicsword-io/Magic-SigExplorer/tree/main/yaml/et/et_rule_2022962.yaml"><em>source</em></a></p> </div> </div><footer> <hr/> <div role="contentinfo">  </div> Built with <a href="https://www.mkdocs.org/">MkDocs</a> using a <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. </footer> </div> </div> </section> </div> <div class="rst-versions" role="note" aria-label="Versions"> <span class="rst-current-version" data-toggle="rst-current-version"> </span> </div> <script src="../../../js/jquery-3.6.0.min.js"></script> <script>var base_url = "../../..";</script> <script src="../../../js/theme_extra.js"></script> <script src="../../../js/theme.js"></script> <script src="../../../search/main.js"></script> <script> jQuery(function () { SphinxRtdTheme.Navigation.enable(true); }); </script> </body> </html>