6-14-2018: #RoyalAPT Backdoor IOC

1. RoyalAPT:
2. 016948ec7743b09e41b6968b42dfade5480774df3baf915e4c8753f5f90d1734
3.  
4. RoyalAPT C2:
5. buy.healthcare-internet[.]com
6.  
7. Snort:
8.  
9. alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Possible RoyalAPT traffic POST"; flow:established,to_server; http_uri; content:"/image_download.php?uid="; http_uri; reference:url,https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/; classtype:Trojan-activity; rev:1;)