"ET CURRENT_EVENTS Underminer EK IE Exploit"
SID: 2025911
Revision: 2
Class Type: trojan-activity
Metadata: affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, signature_severity Major, tag Underminer_EK, updated_at 2018_07_26
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "IE=EmulateIE9"
-
Value: "</head"
-
Value: "<body"
-
Value: "<script"
-
Value: "!!window.ActiveXObject"
-
Value: "try"
-
Value: "parent.parent.setLocalStoreUserData"
Within: 200
PCRE: "/^\s*\([\x22\x27][A-F0-9a-f]{32}[\x22\x27]\s*\)\s*\x3b\s*\}\s*catch\s*\(e\)\s*\{\s*\}\s*\}\s*<\/script>\s*<\/body>/Rsi"
Special Options:
-
file_data
-
nocase
-
nocase
-
nocase
-
nocase
-
nocase
-
nocase