""ET TROJAN TA406 Win32/Updog Backdoor Data Exfiltration Attempt""

SID: 2049306

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_and_Server, created_at 2023_11_27, deployment Perimeter, confidence High, signature_severity Major, updated_at 2023_11_27

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "POST"

  • Value: "/up.php?name=" Depth: 13

  • Value: "|2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d|7e4512a60722|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name|3d 22|fileToUpload|22 3b 20|filename|3d 22|" Depth: 106

  • Value: "Content-Type|3a 20|multipart/form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d|"

  • Value: "Content-Type|3a 20|7e4512a60722|0d 0a|"

Within:

PCRE:

Special Options:

  • http_method

  • http_uri

  • http_client_body

  • fast_pattern

  • http_header

source