""ET TROJAN UAC-0114/Winter Vivern Redirect""
SID: 2044164
Revision: 1
Class Type: trojan-activity
Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_02_09, deployment Perimeter, signature_severity Major, updated_at 2023_02_09
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "GET"
-
Value: "error.jsp?errCode="
-
Value: "|25 36 39 25 36 36 25 32 38 25 32 31 25 36 34 25 36 66 25 36 33 25 37 35 25 36 64 25 36 35 25 36 65 25 37 34 25 32 65 25 36 37 25 36 35 25 37 34 25 34 35 25 36 63 25 36 35 25 36 64 25 36 35 25 36 65 25 37 34 25 34 32 25 37 39 25 34 39 25 36 34 25 32 38 25 32 32|"
-
Value: "|25 37 62 25 37 37 25 36 39 25 36 65 25 36 34 25 36 66 25 37 37 25 32 65 25 37 38 25 33 64 25 36 34 25 36 66 25 36 33 25 37 35 25 36 64 25 36 35 25 36 65 25 37 34 25 32 65 25 36 33 25 37 32 25 36 35 25 36 31 25 37 34 25 36 35 25 34 35 25 36 63 25 36 35 25 36 64 25 36 35 25 36 65 25 37 34 25 32 38 25 32 37 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 32 37 25 32 39 25 33 62 25 37 37 25 36 39 25 36 65 25 36 34 25 36 66 25 37 37 25 32 65 25 37 38 25 32 65 25 36 39 25 36 34 25 33 64 25 32 32|"
Within:
PCRE:
Special Options:
-
http_method
-
http_uri
-
fast_pattern
-
http_raw_uri
-
http_raw_uri