The URL should be unit42[.]paloaltonetworks[.]com/curious-serpens-falsefont-backdoor/ but I could not add this for some reason when posting to the community, so it will need to be added back into the rule below.
# Suricata/ET-format signature. The reference URL is the one given above,
# written the way Suricata's reference keyword expects it (no defanging brackets).
# The http_client_body contents after the first all use distance:0, so the
# JSON fields must appear once each, in this exact order, with no whitespace
# between the key, the colon and the opening quote of the value.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Falsefont.Backdoor APT33 Initial Handshake"; flow:established,to_server; content:"POST"; http_method; content:"/api/Token"; http_uri; depth:10; content:!"User-Name|3A|"; http_header; content:"{|22|username|22|:|22|"; http_client_body; depth:16; content:"|22|password|22|:|22|"; http_client_body; distance:0; content:"|22|computerHostName|22|:|22|"; http_client_body; distance:0; content:"|22|computerUserName|22|:|22|"; http_client_body; distance:0; content:"|22|osName|22|:|22|"; http_client_body; distance:0; classtype:trojan-activity; reference:url,unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/; sid:133111; rev:1;)
Kind Regards,
Kevin Ross
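Added example (not part of Kevin Ross's post, and not Unit 42 or Emerging Threats code): a small Python emulation of the signature's content chain, so the depth/distance ordering and the whitespace sensitivity of the body patterns can be sanity-checked offline without running Suricata. The request body is constructed from the field names the rule searches for; the field values, the headers and the hostnames are placeholders, not a real FalseFont capture.

```python
"""Offline sanity check of the FalseFont handshake signature's content chain.

Emulates Suricata's content / depth / distance semantics for the
http_client_body buffer. The JSON body is CONSTRUCTED from the field names
in the rule; values are placeholders, not data from a real beacon.
"""
import json

# Body content chain from the rule, in order. ("depth", n) is absolute from
# the start of the buffer; ("distance", n) is relative to the previous match.
BODY_CHAIN = [
    (b'{"username":"', ("depth", 16)),
    (b'"password":"', ("distance", 0)),
    (b'"computerHostName":"', ("distance", 0)),
    (b'"computerUserName":"', ("distance", 0)),
    (b'"osName":"', ("distance", 0)),
]


def match_chain(buf: bytes, chain) -> bool:
    """True if every pattern matches under Suricata-style depth/distance."""
    pos = 0  # end offset of the previous match
    for pattern, (mod, n) in chain:
        if mod == "depth":
            # depth:n -> the pattern must lie entirely within the first n bytes
            idx = buf.find(pattern, 0, n)
        else:
            # distance:n -> the pattern must start >= n bytes after previous end
            idx = buf.find(pattern, pos + n)
        if idx < 0:
            return False
        pos = idx + len(pattern)
    return True


def matches_rule(method: str, uri: str, headers: dict, body: bytes) -> bool:
    """Approximate the whole signature: method, URI, negated header, body chain."""
    if method != "POST":
        return False
    # content:"/api/Token"; http_uri; depth:10 -> a 10-byte pattern inside the
    # first 10 bytes, i.e. the URI must start with /api/Token
    if not uri.startswith("/api/Token"):
        return False
    # content:!"User-Name|3A|"; http_header -> no header named User-Name
    if any(k.lower() == "user-name" for k in headers):
        return False
    return match_chain(body, BODY_CHAIN)


# Constructed beacon fields (placeholder values); key ORDER matters for the rule.
FIELDS = {
    "username": "operator",
    "password": "hunter2",
    "computerHostName": "WS-0042",
    "computerUserName": "jdoe",
    "osName": "Microsoft Windows 10 Pro",
}

# Compact JSON: no whitespace after ':' or ','.
COMPACT_BODY = json.dumps(FIELDS, separators=(",", ":")).encode()
# Same data with json.dumps defaults, which put a space after ':' and ','.
SPACED_BODY = json.dumps(FIELDS).encode()
HEADERS = {"Content-Type": "application/json", "Host": "example.invalid"}


def check_compact() -> bool:
    return matches_rule("POST", "/api/Token", HEADERS, COMPACT_BODY)


def check_spaced() -> bool:
    # The patterns include the quote directly after the colon, so a serializer
    # that emits '"username": "' does NOT match this signature.
    return matches_rule("POST", "/api/Token", HEADERS, SPACED_BODY)


def check_duplicated_field() -> bool:
    # A chain that searches for the same field twice with distance:0 needs the
    # field to occur twice in the body, so it fails on a single-occurrence body.
    dup_chain = BODY_CHAIN[:3] + [BODY_CHAIN[2]] + BODY_CHAIN[3:]
    return match_chain(COMPACT_BODY, dup_chain)


if __name__ == "__main__":
    print("compact body matches:   ", check_compact())
    print("spaced body matches:    ", check_spaced())
    print("duplicated field chain: ", check_duplicated_field())
```

The spaced-body case is the caveat worth keeping in mind when tuning: the signature only fires if the client serializes the JSON without whitespace between key, colon and value, so a sample should be checked against the real body bytes before the rule is trusted in production.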