Chafer Malware URL Pattern
Detects HTTP request used by Chafer malware to receive data from its C2.
Sigma rule (View on GitHub)
1title: Chafer Malware URL Pattern
2id: fb502828-2db0-438e-93e6-801c7548686d
3status: test
4description: Detects HTTP request used by Chafer malware to receive data from its C2.
5references:
6 - https://securelist.com/chafer-used-remexi-malware/89538/
7author: Florian Roth (Nextron Systems)
8date: 2019-01-31
9modified: 2024-02-15
10tags:
11 - attack.command-and-control
12 - attack.t1071.001
13 - detection.emerging-threats
14logsource:
15 category: proxy
16detection:
17 selection:
18 c-uri|contains: '/asp.asp\?ui='
19 condition: selection
20falsepositives:
21 - Unknown
22level: high
References
-
Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyber-espionage campaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation.
Read More
Related rules
- APT40 Dropbox Tool User Agent
- ComRAT Network Communication
- Ursnif Malware C2 URL Pattern
- Ursnif Malware Download URL Pattern
- Katz Stealer Suspicious User-Agent