SIGS: Kapeka/ICYWELL Backdoor APT44/Sandworm Part 2

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Kapeka/ICYWELL Backdoor APT44/Sandworm Launch Process Server Response"; flow:established,to_client; file_data; content:"|3A| |22|Launch process|22|,"; classtype:trojan-activity; reference:url,labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf; reference:url,services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf; sid:167115; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Kapeka/ICYWELL Backdoor APT44/Sandworm Launch Payload Server Response"; flow:established,to_client; file_data; content:"|3A| |22|Launch payload|22|,"; content:"payload|3A|"; distance:0; classtype:trojan-activity; reference:url,labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf; reference:url,services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf; sid:167116; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Kapeka/ICYWELL Backdoor APT44/Sandworm Execute Shell Command Server Response"; flow:established,to_client; file_data; content:"|3A| |22|Execute shell command|22|,"; classtype:trojan-activity; reference:url,labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf; reference:url,services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf; sid:167117; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Kapeka/ICYWELL Backdoor APT44/Sandworm Upgrade Backdoor Server Response"; flow:established,to_client; file_data; content:"|3A| |22|Upgrade backdoor|22|,"; content:"backdoor|3A|"; distance:0; classtype:trojan-activity; reference:url,labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf; reference:url,services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf; sid:167118; rev:1;)

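To see what the four signatures above actually key on, here is an added Python harness (not part of the submission and not Emerging Threats or Suricata code) that decodes the `|XX|` hex escapes in each `content:` option and evaluates the match chain the way the rules are written: the first `content` anywhere in the `file_data` buffer (the HTTP response body), and any following `content` with `distance:0` only at or after the end of the previous match. The response bodies are constructed to exercise the byte patterns; they are not captured Kapeka traffic and say nothing about the real C2 format beyond the literals the rules contain. The negative cases show why the trailing comma and the `distance:0` ordering matter.

```python
import re

# The content chains from sids 167115-167118, exactly as written in the rules.
RULES = {
    167115: ['|3A| |22|Launch process|22|,'],
    167116: ['|3A| |22|Launch payload|22|,', 'payload|3A|'],
    167117: ['|3A| |22|Execute shell command|22|,'],
    167118: ['|3A| |22|Upgrade backdoor|22|,', 'backdoor|3A|'],
}


def parse_content(spec: str) -> bytes:
    """Turn a Suricata/Snort content string into raw bytes: text outside |...| is
    literal, text inside |...| is hex (spaces allowed between byte pairs)."""
    out = bytearray()
    pos = 0
    for m in re.finditer(r"\|([0-9A-Fa-f\s]+)\|", spec):
        out += spec[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += spec[pos:].encode("latin-1")
    return bytes(out)


def http_response_body(raw: bytes) -> bytes:
    """Simplified stand-in for the file_data buffer: the bytes after the HTTP header block.
    (Real Suricata also handles chunking and decompression; that is out of scope here.)"""
    header_end = raw.find(b"\r\n\r\n")
    return raw if header_end < 0 else raw[header_end + 4:]


def rule_matches(body: bytes, contents) -> bool:
    """Evaluate a content chain where every content after the first carries distance:0,
    i.e. it must start at or after the end of the previous match."""
    offset = 0
    for spec in contents:
        needle = parse_content(spec)
        idx = body.find(needle, offset)
        if idx < 0:
            return False
        offset = idx + len(needle)
    return True


def matching_sids(raw_response: bytes):
    body = http_response_body(raw_response)
    return sorted(sid for sid, chain in RULES.items() if rule_matches(body, chain))


HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"

# Constructed sample responses (not real Kapeka C2 traffic).
SAMPLES = {
    "launch_process": HDR + b'{"task": "Launch process", "cmd": "notepad.exe"}',
    "launch_payload": HDR + b'{"task": "Launch payload", "payload:" "QUJDRA=="}',
    "exec_shell": HDR + b'{"task": "Execute shell command", "cmd": "hostname"}',
    "upgrade": HDR + b'{"task": "Upgrade backdoor", "backdoor:" "QUJDRA=="}',
    # No trailing comma after the closing quote: first content fails, nothing fires.
    "no_comma": HDR + b'{"task": "Launch payload"}',
    # "payload:" occurs only BEFORE the first match, so distance:0 cannot satisfy it.
    "wrong_order": HDR + b'{"payload:" "x", "task": "Launch payload", "z": 1}',
    "benign": HDR + b'{"status": "ok"}',
}


def evaluate_samples():
    """Map each constructed sample to the sids that fire on it."""
    return {name: matching_sids(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in evaluate_samples().items():
        print(f"{name:14s} -> {sids}")
```

The `wrong_order` case is the practical point of `distance:0`: without it, a second `content` would be an unordered "somewhere in the buffer" check, and a body that merely contains both strings in any order would alert.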

Thanks Kevin! Taking a look and will see about getting these in for today's release.

JT