// Detection rule for the Mirage RAT/backdoor described in the SecureWorks
// write-up cited in `meta`. The rule name, tags, meta fields and string
// identifiers are what other rules and tooling see, so they are kept as
// published; only the layout and the condition's spelling differ.
rule Mirage_APT_Backdoor : APT Mirage Backdoor Rat MirageRat
{
    meta:
        author = "Silas Cutler (SCutler@SecureWorks.com)"
        version = "1.0"
        description = "Malware related to APT campaign"
        type = "APT Trojan / RAT / Backdoor"
        reference = "https://www.secureworks.com/research/the-mirage-campaign"

    strings:
        // Family markers: $a1 is a distinctive phrase, $a2 a short
        // case-sensitive word that can also occur in unrelated files.
        $a1 = "welcome to the desert of the real"
        $a2 = "Mirage"
        // Fragment of an HTTP header; present in most HTTP-capable software.
        $b = "Encoding: gzip"
        // A URL path ending in "?hl=en" (e.g. "/search?hl=en"). The
        // letters before "?" are optional, so "/?hl=en" matches too.
        $c = /\/[A-Za-z]*\?hl=en/

    condition:
        // Either family marker or the header fragment, together with the
        // URL pattern. NOTE(review): $b and $c are generic on their own, so
        // a hit on $b + $c without $a1 deserves a second look before it is
        // treated as a Mirage detection.
        (any of ($a*) or $b) and $c
}