""ET TROJAN TA453 BellaCiao ASPX Backdoor User-Agent in HTTP Request""

SID: 2045224

Revision: 2

Class Type: trojan-activity

Metadata: affected_product Microsoft_IIS, attack_target Web_Server, created_at 2023_04_27, deployment Perimeter, deployment Internal, deployment SSLDecrypt, malware_family TA453, malware_family BellaCiao, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_05_31, reviewed_at 2023_08_21

Reference:

• Link

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: $HOME_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: ".aspx"

• Value: "User-Agent|3a 20|ruby|40|123|21|"

Within:

PCRE: "/.aspx$/U"

Special Options:

• http_uri

• fast_pattern

• http_header

source