Win.Ransomware.Sage

[Y M <snort () outlook com>]

Hello,


This one for Sage "2.0" ransomware performing its post-infection C&C. There are several samples circulating. I have 
seen references mentioning that Sage is a variant of CryLocker, but some of the samples generate the same UDP traffic 
observed from Cerber. The ransom notes also resembles that of Cerber.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Sage variant outbound 
connection"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:" / HTTP/1."; 
content:"Connection|3A 20|close|0D 0A|"; fast_pattern:only; http_header; content:"Content-Length|3A 20|"; 
http_raw_header; byte_test:3,>,160,0,string,dec,relative; byte_test:3,<,170,0,string,dec,relative; 
content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset 
community, service http; classtype:trojan-activity; sid:1000824; rev:1;)


Thank you.

YM

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!