Chafer Malware URL Pattern
Detects HTTP request used by Chafer malware to receive data from its C2.
Sigma rule (View on GitHub)
1title: Chafer Malware URL Pattern
2id: fb502828-2db0-438e-93e6-801c7548686d
3status: test
4description: Detects HTTP request used by Chafer malware to receive data from its C2.
5references:
6 - https://securelist.com/chafer-used-remexi-malware/89538/
7author: Florian Roth (Nextron Systems)
8date: 2019-01-31
9modified: 2024-02-15
10tags:
11 - attack.command-and-control
12 - attack.t1071.001
13logsource:
14 category: proxy
15detection:
16 selection:
17 c-uri|contains: '/asp.asp\?ui='
18 condition: selection
19falsepositives:
20 - Unknown
21level: high
References
-
Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyber-espionage campaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation.
Read More
Related rules
- APT User Agent
- APT40 Dropbox Tool User Agent
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- Change User Agents with WebRequest