Snort mailing list archives
Re: Win.Trojan.RedLeaves variant
From: Phillip Lee <phillile () sourcefire com>
Date: Wed, 2 May 2018 11:34:31 -0400
Yaser, Thanks for your submission. We will review the rules and get back to you when they're finished. Can you send along the pcaps that you have? Regards, Phil Lee Cisco Talos
On May 1, 2018, at 2:17 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote: Hi, Below signature attempts to detect a variant of RedLeaves. Pcap is available.There are subtle differences between the HTTP request in the pcap and its details in the research. The signature attempts to accommodate both. The HTTP body can be expressedin pcre, but either would lose detection of almost half the requests, or the pcre becomes unnecessary, I guess. # Title: Hogfish RedLeaves Campaign # Tests: pcaps # Reference: https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf <https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf>,https://www.virustotal.com/#/file/f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b/detection <https://www.virustotal.com/#/file/f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b/detection> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RedLeaves variant outbound connection"; flow:to_server,established; urilen:<20; content:"POST"; http_method; content:"Connection: Keep-Alive|0D 0A|Accept: */*|0D 0A|"; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| WOW64|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| .NET4.0C|3B| .NET4.0E)|0D 0A|Content-Length"; http_header; content:"/index.php"; http_uri; content:!"Content-Type"; http_header; content:!"Referer"; http_header; content:!"Accept-"; http_header; metadata:ruleset community, service http; reference:url,www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf <http://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf>; reference:url,www.virustotal.com/#/file/f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b/detection <http://www.virustotal.com/#/file/f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b/detection>; classtype:trojan-activity; sid:8000038; rev:1;) Thanks. YM _______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette <https://snort.org/faq/what-is-the-mailing-list-etiquette> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Win.Trojan.RedLeaves variant Y M via Snort-sigs (May 01)
- Re: Win.Trojan.RedLeaves variant Phillip Lee (May 02)