""ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST]""

SID: 2031287

Revision: 3

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "POST"

  • Value: "Accept: /"

  • Value: "Accept-Encoding: gzip, deflate, br"

  • Value: "Accept-Language: en-US,en\

  • Value: "|7b 22|locale|22 3a 22|en|22 2c 22|channel|22 3a 22|prod|22 2c 22|addon|22 3a|"

Within:

PCRE: "/^(?:\/track|\/api\/v1\/survey\/embed|\/svc\/weather\/v2)/U"

Special Options:

  • http_method

  • http_header

  • http_header

  • q=0.5"

  • http_header

source