""ET TROJAN MWI Maldoc Load Payload""

SID: 2024306

Revision: 1

Class Type: trojan-activity

Metadata: affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_05_17

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: "&act="

• Value: !".money-media.com|0d 0a|"

• Value: !"Referer|3a|"

• Value: !"Cookie|3a|"

Within:

PCRE: "/\?id=\d+&act=[12]$/U"

Special Options:

• http_uri

• nocase

• http_header

source