Snort mailing list archives
Re: [Emerging-Sigs] Malicious Chrome Extensions
From: Will Metcalf <william.metcalf () gmail com>
Date: Fri, 5 Aug 2016 09:05:26 -0700
Awesome thanks! We will get this into QA. Regards, Will
On Aug 5, 2016, at 5:32 AM, Stanwyck, Carraig - ASOC - Kansas City, MO <Carraig.Stanwyck () asoc usda gov> wrote:

Good Morning,

I have identified what I am almost certain is traffic from malicious Chrome extension infections on our network. The IOC in my case is hxxp://brainlog.top, which has the same registrar (VIACHESLAV ZINKEVICH) as 100+ other suspicious domains (attached), including 4chan-plus.com, which has a reddit PSA (https://www.reddit.com/r/chrome/comments/4caqdv/psa_remove_4chan_plus_its_inserting_malware_into/) for the same activity we're seeing here.

Proposed rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious Chrome Extension"; flow:established,to_server; content:"page?url="; http_uri; fast_pattern; content:"user"; http_uri; content:"iframe="; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:123456; rev:1; )

It'd be pretty easy to add some pcre into it if necessary, the patterns are consistent. Example URIs (2 separate infections, delineated by the string following "user"):

/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.groupon.com/deals/k-f-custom-car-detailing&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.indiemerch.com/&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.indiemerchstore.com/&iframe=
/user/e43tohsduglaic1qnk5896fmyzjrbv0p/39344/page?url=https://www.full30.com/&iframe=
/user/e43tohsduglaic1qnk5896fmyzjrbv0p/39344/page?url=https://www.google.com/&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://l.instagram.com/?e=ATNv0z315R1OmkaGMEZAoaq-DKaekIneFy9u3I5gbf9ileNm211AFFAd&u=http%3A%2F%2Fwww.mixcloud.com%2Fdjhomeschool&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://money.cnn.com/2016/08/02/news/economy/donald-trump-hillary-clinton-facebook/index.html&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://www.cnn.com/2016/08/03/europe/leopard-cubs-twycross/index.html&iframe=

Thanks,
Carraig Stanwyck
USDA | OCIO | ASOC
@C4RR41G

<viacheslav_zinkevich_sites.txt>

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
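A small Python triage script, added here as an example and not part of the thread, that applies the proposed rule's checks to raw HTTP requests: the three http_uri content matches, the negated Referer header match, and a regex for the URI shape (the pcre the poster says could be added). The regex and the function names are assumptions; the sample requests are constructed around the URIs and host quoted in the post.

```python
import re
from urllib.parse import unquote
# One way to write the pcre the poster mentions (an assumption, not from the post).
URI_RE = re.compile(r"^/user/([a-z0-9]+)/(\d+)/page\?url=(.+?)&iframe=$")

def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, uri, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def rule_matches(raw: str) -> bool:
    """The rule's checks: three http_uri substrings present and no Referer header."""
    _method, uri, headers = parse_request(raw)
    return ("page?url=" in uri and "user" in uri and "iframe=" in uri
            and "referer" not in headers)

def extract_ioc(uri: str):
    """Pull the per-infection token, numeric id and browsed page from a
    matching URI; None when the URI does not fit the observed shape."""
    m = URI_RE.match(uri)
    return m and {"user": m.group(1), "id": m.group(2), "page": unquote(m.group(3))}

def scan(requests):
    """Return one dict per request that trips the rule, keyed for triage."""
    hits = []
    for raw in requests:
        if rule_matches(raw):
            _m, uri, headers = parse_request(raw)
            hits.append({"host": headers.get("host"), **(extract_ioc(uri) or {})})
    return hits

# Constructed sample requests: the URIs and host are from the post, the rest is made up.
SAMPLES = [
    "GET /user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.indiemerch.com/&iframe= HTTP/1.1\r\n"
    "Host: brainlog.top\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /user/e43tohsduglaic1qnk5896fmyzjrbv0p/39344/page?url=https://www.google.com/&iframe= HTTP/1.1\r\n"
    "Host: brainlog.top\r\n\r\n",
    # Same URI with a Referer present: the negated header match excludes it.
    "GET /user/e43tohsduglaic1qnk5896fmyzjrbv0p/39344/page?url=https://www.google.com/&iframe= HTTP/1.1\r\n"
    "Host: brainlog.top\r\nReferer: https://www.google.com/\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]
```

Running `scan(SAMPLES)` yields two hits, grouped by the token after `/user/`, which is how the poster distinguishes the two infections.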