[Emerging-Sigs] SIG: T TROJAN W32/Eris.Ransomware Initial HTTP Checkin

Kevin Ross kevross33 at googlemail.com
Sun Aug 4 06:40:32 HDT 2019


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Eris.Ransomware Initial HTTP Checkin"; \
    flow:established,to_server; \
    content:"POST"; http_method; \
    content:"/api/v1/check"; http_uri; depth:13; fast_pattern; \
    content:"Accept-Encoding|3A| gzip"; http_header; \
    content:"{|22|uid|22 3A 22|"; http_client_body; depth:8; \
    classtype:trojan-activity; \
    reference:url,www.bleepingcomputer.com/news/security/rig-exploit-kit-pushing-eris-ransomware-in-drive-by-downloads/; \
    sid:194411; rev:1;)

Kind Regards,
Kevin Ross
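Added illustration, not part of Kevin's post: a small Python re-implementation of what the rule's four content matches and their `depth` modifiers require, run over constructed sample requests (not captured traffic). The function and sample names are mine; the point is to show that `depth:13` on a 13-byte URI pattern and `depth:8` on an 8-byte body pattern both pin the match to offset 0 of their buffers, while the header match, having no depth, can sit anywhere in the header block.

```python
# Added illustration (not from the original post): a minimal, offline
# re-implementation of what the Eris checkin rule's content/depth modifiers
# require, evaluated over constructed sample requests.
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: bytes
    uri: bytes
    header_block: bytes   # raw request headers, excluding the request line
    body: bytes


def parse_http_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into the buffers the rule inspects."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return HttpRequest(method, uri, header_block, body)


def matches_eris_checkin(req: HttpRequest) -> bool:
    """Mirror the rule's content matches and their modifiers."""
    # content:"POST"; http_method;
    if req.method != b"POST":
        return False
    # content:"/api/v1/check"; http_uri; depth:13;
    # depth:13 limits the search to the first 13 bytes of the URI, and the
    # pattern is itself 13 bytes, so the URI has to start with it.
    if b"/api/v1/check" not in req.uri[:13]:
        return False
    # content:"Accept-Encoding|3A| gzip"; http_header;
    # |3A| is a hex-escaped ':'; no depth, so anywhere in the header block.
    if b"Accept-Encoding: gzip" not in req.header_block:
        return False
    # content:"{|22|uid|22 3A 22|"; http_client_body; depth:8;
    # |22| is '"', so the pattern is {"uid":" (8 bytes) and depth:8 pins it
    # to the very start of the POST body.
    if b'{"uid":"' not in req.body[:8]:
        return False
    return True


# Constructed sample requests (not captured traffic). Host and uid are dummies.
SAMPLES = {
    "checkin": (
        b"POST /api/v1/check HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"Accept-Encoding: gzip\r\n"
        b"Content-Type: application/json\r\n\r\n"
        b'{"uid":"0123456789abcdef"}'
    ),
    # URI contains the path, but not within the first 13 bytes: depth:13 fails
    "prefixed_uri": (
        b"POST /v2/api/v1/check HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"Accept-Encoding: gzip\r\n\r\n"
        b'{"uid":"0123456789abcdef"}'
    ),
    # Right path and body, but no gzip in Accept-Encoding
    "no_gzip": (
        b"POST /api/v1/check HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"Accept-Encoding: identity\r\n\r\n"
        b'{"uid":"0123456789abcdef"}'
    ),
    # Body has the uid key, but not at offset 0: depth:8 fails
    "uid_not_first": (
        b"POST /api/v1/check HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"Accept-Encoding: gzip\r\n\r\n"
        b'{"ver":"1","uid":"0123456789abcdef"}'
    ),
}


def evaluate_samples() -> dict:
    """Return {sample name: True if the rule logic would alert}."""
    return {name: matches_eris_checkin(parse_http_request(raw))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:14s} -> {'ALERT' if hit else 'no match'}")
```

Only the first sample fires; the other three each fail exactly one of the rule's modifiers, which is a quick way to sanity-check a rule's selectivity before pushing it to sensors.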

