SIGS: ET TROJAN MuddyWatter HTTP_VIP Backdoor

requires decryption: c91413ad7c94c0e2694862b9d671d1204873bf65576ba2cb91fbd562a4ccf79b | Triage

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MuddyWatter HTTP_VIP Backdoor POST"; flow:established,to_server; http_method; content:"POST"; urilen:9; http_uri; content:"/postinfo"; http_header; content:"X-Computer-Name|3A|"; http_header; content:"X-Domain-Name|3A|"; http_header; content:"X-Windows-Version|3A|"; http_header; content:"X-Windows-Build|3A|"; http_header; content:"X-Username|3A|"; classtype:trojan-activity; reference:md5,f5ef5f40922113c2dfb32c202ae2b3f5; reference:url,www.group-ib.com/blog/muddywater-operation-olalampo/; sid:198311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MuddyWatter HTTP_VIP Backdoor Beacon"; flow:established,to_server; http_method; content:"POST"; http_uri; content:"/content?id="; depth:12; fast_pattern; http_user_agent; content:"application"; bsize:11; http_header; content:"Content-Length|3A| 0"; classtype:trojan-activity; reference:md5,f5ef5f40922113c2dfb32c202ae2b3f5; reference:url,www.group-ib.com/blog/muddywater-operation-olalampo/; sid:198312; rev:1;)

Kind Regards,

Kevin

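The two rules above re-expressed as a small offline check, as an added example that is not part of the original post or of the ET ruleset: it parses a raw HTTP request and applies the same URI, header and User-Agent conditions as sids 198311 and 198312. The sample requests and the host name `c2.example.invalid` are constructed for the test, not captured traffic.

```python
"""Offline approximation of the two HTTP_VIP rules (added example, constructed samples)."""
from typing import Dict, Optional, Tuple

# sid 198311 requires every one of these headers (case-insensitive names).
POSTINFO_HEADERS = ("x-computer-name", "x-domain-name", "x-windows-version",
                    "x-windows-build", "x-username")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, uri, headers); header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def classify(raw: str) -> Optional[str]:
    """Return the msg of the rule the request matches, or None for no match."""
    method, uri, headers = parse_request(raw)
    if method != "POST":               # both rules: http_method POST
        return None
    # sid 198311: urilen:9 with URI "/postinfo" and all five X- headers present.
    if len(uri) == 9 and uri == "/postinfo" and all(h in headers for h in POSTINFO_HEADERS):
        return "ET TROJAN MuddyWatter HTTP_VIP Backdoor POST"
    # sid 198312: URI starts with "/content?id=" (depth:12), User-Agent is exactly
    # "application" (bsize:11), and the Content-Length header is 0.
    if (uri.startswith("/content?id=") and headers.get("user-agent") == "application"
            and headers.get("content-length") == "0"):
        return "ET TROJAN MuddyWatter HTTP_VIP Backdoor Beacon"
    return None


# Constructed sample requests (not real captures).
POSTINFO_SAMPLE = ("POST /postinfo HTTP/1.1\r\nHost: c2.example.invalid\r\n"
                   "X-Computer-Name: WS01\r\nX-Domain-Name: CORP\r\nX-Windows-Version: 10.0\r\n"
                   "X-Windows-Build: 19045\r\nX-Username: jdoe\r\nContent-Length: 5\r\n\r\nhello")
BEACON_SAMPLE = ("POST /content?id=abc123 HTTP/1.1\r\nHost: c2.example.invalid\r\n"
                 "User-Agent: application\r\nContent-Length: 0\r\n\r\n")
BENIGN_SAMPLE = ("POST /content?id=abc HTTP/1.1\r\nHost: www.example.com\r\n"
                 "User-Agent: Mozilla/5.0\r\nContent-Length: 0\r\n\r\n")
```

Suricata's content matches are substring matches and the http_user_agent buffer is normalized, so treat this as a readable model of the rule logic rather than a drop-in replacement for the engine.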

Hey @kevinaddeman - Thanks for the tip! We have some signatures that match this logic in the ETPRO ruleset that we will move to OPEN in today’s release.

Thanks!
Isaac