rule APT_MAL_DNS_Hijacking_Campaign_AA19_024A { meta: description = "Detects malware used in DNS Hijackign campaign" author = "Florian Roth (Nextron Systems)" reference = "https://www.us-cert.gov/ncas/alerts/AA19-024A" date = "2019-01-25" hash1 = "2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec" hash2 = "45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff" id = "6a476052-ba4e-5049-9c7a-f8949d26e7b5" strings: $s2 = "/Client/Login?id=" fullword ascii $s3 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" fullword ascii $s4 = ".\\Configure.txt" fullword ascii $s5 = "Content-Disposition: form-data; name=\"files\"; filename=\"" fullword ascii $s6 = "Content-Disposition: form-data; name=\"txts\"" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them }