""ET TROJAN Spyder Loader CnC Checkin""

SID: 2053269

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_06_05, deployment Perimeter, malware_family Spyder, performance_impact Low, confidence High, updated_at 2024_06_05

Reference:

• Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: "POST"

• Value: ".php"

• Value: "zte|3a 20|eyJ"

• Value: !"|0d 0a|Referer|0d 0a|"

• Value: "Content-Length|3a 20|0|0d 0a|"

Within:

PCRE:

Special Options:

• http_method

• http_uri

• http_header

• fast_pattern

source