""ET TROJAN TA410 APT FlowCloud Hardcoded Request (POST)""
SID: 2036391
Revision: 2
Class Type: trojan-activity
Metadata: attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TA410, signature_severity Major, updated_at 2022_04_27
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "X-Requested-With|3a 20|ShockwaveFlash/20.0.0.306|0d 0a|"
-
Value: "POST /messagebroker/amf HTTP/1.1"
-
Value: "COOKIE_SUPPORT=" Depth: 15
-
Value: "JSESSIONID="
-
Value: "COMPANY_ID="
-
Value: "ID="
-
Value: "PASSWORD="
-
Value: "LOGIN="
-
Value: "SCREEN_NAME"
-
Value: "GUEST_LANGUAGE_ID="
-
Value: "Referer|3a 20|http|3a 2f 2f|s.peheavens.com/html/portlet/ext/draco/resources/draco_manager.swf/"
Within:
PCRE:
Special Options:
-
fast_pattern
-
http_cookie
-
http_cookie
-
http_cookie
-
http_cookie
-
http_cookie
-
http_cookie
-
http_cookie
-
http_cookie
-
http_header