Snort mailing list archives

Andr.Trojan.ZooPark family


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 7 May 2018 16:42:57 +0000

Hi,

The below rules are driven by the report from the reference. The signatures should trigger on v1.0 - v3.0 variants. I
couldn't locate the v4.0 samples, but my understanding is that it should be similar. No pcaps available.

# --------------------
# Date: 2018-05-06
# Title: Who's Who in the Zoo - Cyberespionage Operation Targets Android Users in the Middle East
# Tests: syntax only
# Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0/v2.0 outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/get/index.php?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"&user="; http_uri; content:"&pass="; http_uri; content:"&data="; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/detection; classtype:trojan-activity; sid:8000042; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0 outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/sv/sv.php"; fast_pattern:only; http_uri; content:"id"; http_client_body; content:"data"; http_client_body; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/detection; classtype:trojan-activity; sid:8000043; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0 outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?set=show"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/detection; classtype:trojan-activity; sid:8000044; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php?key="; fast_pattern:only; http_uri; pcre:"/\/(get|save)\.php\x3fkey\x3d.*(\x26id\x3d[0-9]{15})?$/U"; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/59ece87dfa254ba8d47503e069e5e2cb99e22140e9a2e6e56d382a6427171889/detection; reference:url,virustotal.com/#/file/d7da061b55d24a54988a3fca60009da907d14c2bcd32f2e53ef13bd8085b96cc/detection; reference:url,www.virustotal.com/#/file/7a7eee78dfffa5974a2da9bdd3337fb16e5e1d658cbe5284ef352114ef446f6a/detection; classtype:trojan-activity; sid:8000045; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark v3.0 outbound connection"; flow:to_server,established; content:"/spyMobile/upload.php?"; fast_pattern:only; http_uri; content:"imei="; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,koodous.com/apks/91659d5f35a8fea1c98f3ea32bcdd71a222f11095de680eb635ec8210fb5dc04/analysis; classtype:trojan-activity; sid:8000046; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark v3.0 outbound connection"; flow:to_server,established; content:"/spyMobile/api_"; fast_pattern:only; http_uri; content:".php"; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,koodous.com/apks/91659d5f35a8fea1c98f3ea32bcdd71a222f11095de680eb635ec8210fb5dc04/analysis; classtype:trojan-activity; sid:8000047; rev:1;)

Thanks.
YM
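Since the post notes that the rules were syntax-checked only and no pcaps were available, a quick offline model of their request-matching logic helps confirm what each signature would and would not fire on. The script below is an added example, not part of the post or of any Snort code: it re-expresses the http_method, http_uri content and pcre conditions (and the http_client_body contents of sid:8000043) of the six rules as plain Python substring and regex checks, then runs constructed request samples through them. Flow, port and normalization handling are deliberately not modelled, and the sample requests are invented for the test. It also shows that the trailing `(\x26id\x3d[0-9]{15})?` group in sid:8000045's pcre is optional, so any POST to `/get.php?key=` or `/save.php?key=` satisfies that rule regardless of an id field.

```python
import re

# Constructed approximation of the posted ZooPark rules (sid 8000042-8000047).
# Each entry lists the conditions that must all hold on the HTTP request:
#   method   -> http_method content (None = rule has no method check)
#   uri_all  -> http_uri content strings (case-sensitive substring, as no nocase is set)
#   body_all -> http_client_body content strings
#   pcre     -> the rule's pcre with the /U (normalized URI) modifier, rewritten
#               with Python escapes (\x3f -> \?, \x3d -> =, \x26 -> &)
RULES = {
    8000042: {"method": "GET", "uri_all": ["/get/index.php?", "id=", "&user=", "&pass=", "&data="]},
    8000043: {"method": "POST", "uri_all": ["/sv/sv.php"], "body_all": ["id", "data"]},
    8000044: {"method": "GET", "uri_all": ["/index.php?set=show"]},
    8000045: {"method": "POST", "uri_all": [".php?key="],
              "pcre": re.compile(r"/(get|save)\.php\?key=.*(&id=[0-9]{15})?$")},
    8000046: {"method": None, "uri_all": ["/spyMobile/upload.php?", "imei="]},
    8000047: {"method": None, "uri_all": ["/spyMobile/api_", ".php"]},
}


def matching_sids(method, uri, body=""):
    """Return the sorted list of rule sids whose modelled conditions all hold."""
    hits = []
    for sid, rule in RULES.items():
        if rule["method"] is not None and method != rule["method"]:
            continue
        if not all(c in uri for c in rule["uri_all"]):
            continue
        if not all(c in body for c in rule.get("body_all", [])):
            continue
        if "pcre" in rule and not rule["pcre"].search(uri):
            continue
        hits.append(sid)
    return sorted(hits)


# Constructed sample requests (not captured traffic): (method, uri, body).
SAMPLES = [
    ("GET", "/get/index.php?id=1&user=u&pass=p&data=x", ""),
    ("POST", "/sv/sv.php", "id=1&data=x"),
    ("GET", "/index.php?set=show", ""),
    ("POST", "/save.php?key=abc&id=123456789012345", ""),
    ("POST", "/get.php?key=abc", ""),          # no id field, still matches 8000045
    ("GET", "/spyMobile/upload.php?imei=1234", ""),
    ("GET", "/spyMobile/api_sms.php", ""),
    ("GET", "/index.php?page=1", ""),          # benign request, should match nothing
]


def run_samples():
    """Evaluate every constructed sample; returns {(method, uri): [sids]}."""
    return {(m, u): matching_sids(m, u, b) for m, u, b in SAMPLES}


if __name__ == "__main__":
    for (method, uri), sids in run_samples().items():
        print(f"{method} {uri} -> {sids or 'no match'}")
```

The script is a model of the rule options, not a substitute for replaying traffic through Snort: it does not normalize the URI, honour `fast_pattern:only`, or check `flow:to_server,established`, so a sample that matches here still needs a pcap test before the rule goes to production.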
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
