Snort mailing list archives
Re: Win.Trojan.Bitter RAT
From: Tyler Montier <tmontier () sourcefire com>
Date: Fri, 2 Feb 2018 16:09:51 -0500
Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. Can you send along the pcaps that you have?

Regards,
Tyler Montier
Cisco Talos

On Fri, Feb 2, 2018 at 10:35 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:
Hi,

The rules below are for detecting two variants of the Bitter RAT. Pcaps for one variant only are available.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bitter RAT variant outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:".php?TIe="; fast_pattern:only; http_uri; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/10/malspam-delivers-bitter-rat-07-01-2018; reference:url,community.rsa.com/thread/185482; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; classtype:trojan-activity; sid:9000021; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Bitter RAT variant inbound connection attempt"; flow:to_client,established; file_data; content:"POF: #"; fast_pattern:only; content:"|0D 0A|SIZE: #"; content:"|0D 0A|SRE: #"; metadata:ruleset community, service http; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/10/malspam-delivers-bitter-rat-07-01-2018; reference:url,community.rsa.com/thread/185482; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; classtype:trojan-activity; sid:9000022; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bitter RAT variant outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:".php?cId="; fast_pattern:only; http_uri; content:"&osInfo="; http_uri; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/10/malspam-delivers-bitter-rat-07-01-2018; reference:url,community.rsa.com/thread/185482; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:url,www.virustotal.com/#/file/bad124a847b10641214300317d3f1706a025d57f779428f1fbcc7b4a3b2e9160/detection; classtype:trojan-activity; sid:9000023; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Bitter RAT variant inbound connection attempt"; flow:to_client,established; file_data; content:"EXE: #"; fast_pattern:only; content:"SIZE: #"; metadata:ruleset community, service http; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/10/malspam-delivers-bitter-rat-07-01-2018; reference:url,community.rsa.com/thread/185482; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:url,www.virustotal.com/#/file/bad124a847b10641214300317d3f1706a025d57f779428f1fbcc7b4a3b2e9160/detection; classtype:trojan-activity; sid:9000024; rev:1;)

Thanks.
Yaser

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
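The matching logic of the four rules in the thread, re-implemented as a stand-alone Python checker and run over constructed sample traffic. This is an added example, not code from the thread, from Talos or from Snort: it mirrors what the rule options check (the GET method, the URI substrings, the literal "Connection: close" header, the negated User-Agent/Accept/Referer headers, and the response-body markers that file_data points at) so the rules' behaviour can be read off without a sensor. The sample requests and responses, the 203.0.113.10 address and the parameter values are made up; the assumption that the http_header buffer includes each header's terminating CRLF is noted in the code.

```python
"""Stand-alone checker mirroring the four Bitter RAT community rules
(sids 9000021-9000024) posted in the thread.  Added example: not Snort,
not code from the thread.  All sample traffic below is constructed."""


def _split_request(raw: bytes):
    """Return (request_line, header_block) for a raw HTTP request.

    header_block keeps each header's terminating CRLF plus the blank line
    (assumed here to match Snort's http_header buffer), which is what the
    rules' literal "Connection|3A 20|close|0D 0A|" relies on.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    request_line, _, rest = head.partition(b"\r\n")
    return request_line, rest + sep


def match_outbound(raw_request: bytes):
    """Return the sids of the outbound rules (9000021, 9000023) the request
    would trigger.  Snort content matches are case-sensitive substring
    searches over a buffer, and a negated content (content:!"...") passes
    only when the substring is absent anywhere in that buffer, so a header
    such as "Accept-Language" also keeps these rules quiet."""
    request_line, header_block = _split_request(raw_request)
    parts = request_line.split(b" ")
    if len(parts) < 2 or parts[0] != b"GET":          # http_method
        return []
    uri = parts[1]                                     # http_uri buffer
    if b"Connection: close\r\n" not in header_block:   # http_header
        return []
    if any(h in header_block for h in (b"User-Agent", b"Accept", b"Referer")):
        return []                                      # negated http_header
    hits = []
    if b".php?TIe=" in uri:
        hits.append(9000021)
    if b".php?cId=" in uri and b"&osInfo=" in uri:
        hits.append(9000023)
    return hits


def match_inbound(raw_response: bytes):
    """Return the sids of the inbound rules (9000022, 9000024) the response
    would trigger.  file_data points at the response body; the contents are
    not relative to one another, so each is searched independently."""
    _head, _, body = raw_response.partition(b"\r\n\r\n")
    hits = []
    if all(m in body for m in (b"POF: #", b"\r\nSIZE: #", b"\r\nSRE: #")):
        hits.append(9000022)
    if b"EXE: #" in body and b"SIZE: #" in body:
        hits.append(9000024)
    return hits


# Constructed samples (not captured traffic); 203.0.113.10 is a documentation address.
SAMPLE_OUT_TIE = (
    b"GET /index.php?TIe=ABCD1234 HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Connection: close\r\n\r\n"
)
SAMPLE_OUT_CID = (
    b"GET /up.php?cId=WIN-TEST&osInfo=Windows7 HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Connection: close\r\n\r\n"
)
# Same URI as the first sample, but browser-like headers: no alert expected.
SAMPLE_OUT_BROWSER = (
    b"GET /index.php?TIe=ABCD1234 HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n"
    b"Connection: close\r\n\r\n"
)
SAMPLE_IN_POF = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"POF: #1\r\nSIZE: #4096\r\nSRE: #0\r\n"
)
SAMPLE_IN_EXE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"EXE: #svc.exe\r\nSIZE: #12345\r\n"
)


def run_samples():
    """Map each constructed sample to the sids it triggers."""
    return {
        "out_tie": match_outbound(SAMPLE_OUT_TIE),
        "out_cid": match_outbound(SAMPLE_OUT_CID),
        "out_browser": match_outbound(SAMPLE_OUT_BROWSER),
        "in_pof": match_inbound(SAMPLE_IN_POF),
        "in_exe": match_inbound(SAMPLE_IN_EXE),
    }


if __name__ == "__main__":
    for name, sids in run_samples().items():
        print(f"{name}: {sids or 'no alert'}")
```

The browser-like sample is the point worth keeping in mind when tuning: the outbound rules depend on the absence of User-Agent, Accept and Referer as plain substrings of the header block, so any client that sends even an Accept-Encoding header will not match, and the "Accept" negation is what carries most of the false-positive suppression.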
Current thread:
- Win.Trojan.Bitter RAT Y M via Snort-sigs (Feb 02)
- Re: Win.Trojan.Bitter RAT Tyler Montier (Feb 02)