Shiz Backdoor Post-Compromise Traffic

HTTP Request Method = POST
HTTP URI ends with */login.php
UA = Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Match the UA as a whole string, not on individual tokens. The combination is internally inconsistent (an MSIE 2.0 token next to Trident/4.0, which is the IE8 engine, plus .NET CLR and Media Center tokens), so no real Internet Explorer build produces it, while the individual tokens are common on legitimate IE8 clients.
If the above is too broad, the URI can additionally be matched against the regex [a-z]{11}\.eu\/login\.php$ (eleven lowercase letters, .eu TLD, path /login.php).
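
To show how these criteria combine in practice, here is an added Python example (not from the original post and not any vendor's signature) that applies them to constructed HTTP requests. It assumes raw HTTP/1.x request bytes as input; the optional host check is the post's URI regex applied to the Host header joined with the path, with the dot in login.php escaped. The sample traffic at the bottom is constructed, not captured.

```python
import re
from typing import Dict, List, Optional, Tuple

# Exact User-Agent reported for the Shiz check-in (taken from the post above).
SHIZ_UA = ("Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; "
           ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
           "Media Center PC 6.0)")

# Optional tighter match from the post, applied here to Host + path
# (assumption: the post's regex is meant for the full URL) with the
# dot in "login.php" escaped.
SHIZ_HOST_PATH_RE = re.compile(r"[a-z]{11}\.eu/login\.php$")


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Parse the request line and headers of a raw HTTP/1.x request.

    Returns (method, uri, headers) with header names lower-cased, or None if
    the request line or a header is malformed. The body is ignored; the
    signature needs only the request line and two headers.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3:
        return None
    method, uri, _version = request_line
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def is_shiz_checkin(raw: bytes, require_host_pattern: bool = False) -> bool:
    """Apply the signature: POST, path ending in /login.php, exact UA match.

    With require_host_pattern=True the Host header joined to the path must
    also satisfy the [a-z]{11}.eu/login.php regex from the post.
    """
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, headers = parsed
    if method != "POST":
        return False
    path = uri.split("?", 1)[0]          # drop any query string before the suffix test
    if not path.endswith("/login.php"):
        return False
    # Whole-string comparison: the individual tokens (Trident/4.0, .NET CLR ...)
    # are common on real IE8 clients; only the full inconsistent combination is rare.
    if headers.get("user-agent") != SHIZ_UA:
        return False
    if require_host_pattern:
        host = headers.get("host", "").split(":", 1)[0]   # strip a :port suffix
        return SHIZ_HOST_PATH_RE.search(host + path) is not None
    return True


def scan(requests: List[bytes], require_host_pattern: bool = False) -> List[int]:
    """Return the indices of the requests that match the signature."""
    return [i for i, r in enumerate(requests) if is_shiz_checkin(r, require_host_pattern)]


# --- constructed sample traffic (hypothetical hosts, not real captures) -------
def _req(method: str, path: str, host: str, ua: str) -> bytes:
    body = "id=42"
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {ua}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")

IE8_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2)"

SAMPLES = [
    _req("POST", "/login.php", "abcdefghijk.eu", SHIZ_UA),        # 0: full match, host fits regex
    _req("POST", "/panel/login.php", "cdn.example.com", SHIZ_UA),  # 1: base signature only
    _req("POST", "/login.php", "abcdefghijk.eu", IE8_UA),          # 2: genuine IE8 UA, benign login
    _req("GET", "/login.php", "abcdefghijk.eu", SHIZ_UA),          # 3: wrong method
    _req("POST", "/login.php?x=1", "abcdefghijk.eu", SHIZ_UA),     # 4: query string, still matches
]

if __name__ == "__main__":
    print("base signature hits:", scan(SAMPLES))                             # [0, 1, 4]
    print("with host regex:    ", scan(SAMPLES, require_host_pattern=True))  # [0, 4]
```

The query string is stripped before the suffix test so that `/login.php?x=1` still matches the "ends with */login.php" criterion, and the User-Agent comparison is an exact string match rather than a substring search, which is what keeps the benign IE8 login in sample 2 out of the hit list.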

References:
https://www.virustotal.com/file/b5ad005039657e495e81f1bf97d3e95ec3988041412e4c4c9d760bc231d00a03/analysis/
https://www.virustotal.com/file/317ec507071772a6806da420bc69b5f81f2eebf8a3915e03c18b658b75edef29/analysis/
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Shiz-L/detailed-analysis.aspx
