[Emerging-Sigs] SIG: ET TROJAN W32/Eris.Ransomware Initial HTTP Checkin

Jack Mott jmott at emergingthreats.net
Mon Aug 5 11:45:20 HDT 2019


Thanks Kevin!

We'll get this out for today's release.

Best,

Jack

On Sun, Aug 4, 2019 at 9:40 AM Kevin Ross via Emerging-sigs <
emerging-sigs at lists.emergingthreats.net> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> W32/Eris.Ransomware Initial HTTP Checkin"; flow:established,to_server;
> content:"POST"; http_method; content:"/api/v1/check"; http_uri; depth:13;
> fast_pattern; content:"Accept-Encoding|3A| gzip"; http_header;
> content:"{|22|uid|22 3A 22|"; http_client_body; depth:8;
> classtype:trojan-activity; reference:url,
> www.bleepingcomputer.com/news/security/rig-exploit-kit-pushing-eris-ransomware-in-drive-by-downloads/;
> sid:194411; rev:1;)
>
> Kind Regards,
> Kevin Ross
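
An added example, not part of the original thread or of the Emerging Threats ruleset: a Python emulation of the content matches in the rule quoted above, run over constructed requests to show what the depth modifiers do and do not anchor. The host name, uid value and helper names are assumptions; flow state and URI normalization are not modelled.

```python
# Added example: emulates the content matches of the quoted rule on raw HTTP/1.x
# request bytes. No URI normalization or stream reassembly is modelled.

def parse_request(raw: bytes):
    """Split a request into (method, uri, header block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[0], parts[1], headers, body

def rule_matches(raw: bytes) -> bool:
    try:
        method, uri, headers, body = parse_request(raw)
    except ValueError:
        return False
    return (
        b"POST" in method                          # content:"POST"; http_method
        and b"/api/v1/check" in uri[:13]           # http_uri; depth:13
        and b"Accept-Encoding: gzip" in headers    # http_header, case-sensitive
        and b'{"uid":"' in body[:8]                # http_client_body; depth:8
    )

def build(method: bytes, uri: bytes, body: bytes, encoding: bytes = b"gzip") -> bytes:
    """Assemble a constructed sample request (hypothetical host name)."""
    return (method + b" " + uri + b" HTTP/1.1\r\n"
            b"Host: host.example\r\n"
            b"Accept-Encoding: " + encoding + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

# Constructed samples; the uid value is a placeholder, not an observed one.
SAMPLES = {
    "checkin": build(b"POST", b"/api/v1/check", b'{"uid":"PLACEHOLDER"}'),
    "longer_uri": build(b"POST", b"/api/v1/checkout", b'{"uid":"PLACEHOLDER"}'),
    "prefixed_uri": build(b"POST", b"/app/api/v1/check", b'{"uid":"PLACEHOLDER"}'),
    "uid_not_first": build(b"POST", b"/api/v1/check", b'{"id":1,"uid":"PLACEHOLDER"}'),
    "wrong_method": build(b"GET", b"/api/v1/check", b'{"uid":"PLACEHOLDER"}'),
    "no_gzip": build(b"POST", b"/api/v1/check", b'{"uid":"PLACEHOLDER"}', b"identity"),
}

def evaluate() -> dict:
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:14} {'ALERT' if hit else 'no match'}")
```

The `longer_uri` sample alerts because `depth:13` limits where the URI match may start, not where the URI ends, so any path beginning with `/api/v1/check` satisfies that condition.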