Re: [Emerging-Sigs] Malicious Chrome Extensions

[Will Metcalf <william.metcalf () gmail com>]

Awesome thanks! We will get this into QA. 

Regards,

Will

> On Aug 5, 2016, at 5:32 AM, Stanwyck, Carraig - ASOC - Kansas City, MO <Carraig.Stanwyck () asoc usda gov> wrote:
>
> Good Morning,
>  
> I have identified what I am almost certain is traffic from malicious chrome extension infections on our network.  The 
> IOC in my case is hxxp://brainlog.top, which has the same registrar (VIACHESLAV ZINKEVICH) as 100+ other suspicious 
> domains (attached), including 4chan-plus.com, which has a reddit PSA 
> (https://www.reddit.com/r/chrome/comments/4caqdv/psa_remove_4chan_plus_its_inserting_malware_into/) for the same 
> activity we’re seeing here. 
>  
> Proposed rule:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious Chrome Extension"; 
> flow:established,to_server; content:"page?url="; http_uri; fast_pattern; content:"user"; http_uri; content:"iframe="; 
> http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:123456; rev:1; )
>  
> It’d be pretty easy to add some pcre into it if necessary, the patterns are consistent.
>  
> Example URIs (2 separate infections, delineated by the string following “user”):
> /user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.groupon.com/deals/k-f-custom-car-detailing&iframe= 
>          
> /user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.indiemerch.com/&iframe=             
> /user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.indiemerchstore.com/&iframe=   
> /user/e43tohsduglaic1qnk5896fmyzjrbv0p/39344/page?url=https://www.full30.com/&iframe=               
> /user/e43tohsduglaic1qnk5896fmyzjrbv0p/39344/page?url=https://www.google.com/&iframe=            
> /user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://l.instagram.com/?e=ATNv0z315R1OmkaGMEZAoaq-DKaekIneFy9u3I5gbf9ileNm211AFFAd&u=http%3A%2F%2Fwww.mixcloud.com%2Fdjhomeschool&iframe=
>           
> /user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://money.cnn.com/2016/08/02/news/economy/donald-trump-hillary-clinton-facebook/index.html&iframe=
>  
> /user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://www.cnn.com/2016/08/03/europe/leopard-cubs-twycross/index.html&iframe=
>  
> Thanks,
> Carraig Stanwyck
> USDA | OCIO | ASOC
> @C4RR41G
>  
>
>
>
>
> This electronic message contains information generated by the USDA solely for the intended recipients. Any 
> unauthorized interception of this message or the use or disclosure of the information it contains may violate the law 
> and subject the violator to civil or criminal penalties. If you believe you have received this message in error, 
> please notify the sender and delete the email immediately.
> <viacheslav_zinkevich_sites.txt>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () lists emergingthreats net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
------------------------------------------------------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!