2016795 (2020-08-05, TWikiGuest)
<h2> #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;) </h2>
Added 2020-08-05 19:09:03 UTC
<hr>
<h2> #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; metadata: former_category MALWARE; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_04_26, updated_at 2016_07_01;) </h2>
Added 2020-02-24 20:10:57 UTC
<hr>
<h2> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; metadata: former_category MALWARE; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_04_26, updated_at 2016_07_01;) </h2>
Added 2020-01-14 12:51:24 UTC
<hr>
<h2> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; metadata: former_category MALWARE; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_04_26, updated_at 2016_07_01;) </h2>
Added 2019-09-26 19:57:22 UTC
<hr>
<h2> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_04_26, updated_at 2016_07_01;) </h2>
Added 2017-08-07 21:10:36 UTC
<hr>
<h2> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:5;) </h2>
Added 2015-05-15 19:25:10 UTC
<hr>
<h2> alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:5;) </h2>
Added 2013-04-29 13:26:51 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN TROJ_NAIKON.A User-Agent (NOKIAN95)"; flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2f|WEB"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:4;) </h2>
Added 2013-04-27 00:46:56 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN TROJ_NAIKON.A User-Agent (NOKIAN95)"; flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2f|WEB"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:4;) </h2>
Added 2013-04-26 18:35:52 UTC
<hr>
Topic revision: r1 - 2020-08-05 - TWikiGuest
Copyright © Emerging Threats