Snort mailing list archives
Re: Andr.Trojan.ZooPark family
From: Phillip Lee <phillile () sourcefire com>
Date: Mon, 7 May 2018 13:29:38 -0400
Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished.

Regards,
Phil Lee
Cisco Talos
On May 7, 2018, at 12:42 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

The below rules are driven by the report from the reference. The signatures should trigger on v1.0 - v3.0 variants. I couldn't locate the v4.0 samples, but my understanding is that it should be similar. No pcaps available.

# --------------------
# Date: 2018-05-06
# Title: Who's Who in the Zoo - Cyberespionage Operation Targets Android Users in the Middle East
# Tests: syntax only
# Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0/v2.0 outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/get/index.php?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"&user="; http_uri; content:"&pass="; http_uri; content:"&data="; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/detection; classtype:trojan-activity; sid:8000042; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0 outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/sv/sv.php"; fast_pattern:only; http_uri; content:"id"; http_client_body; content:"data"; http_client_body; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/detection; classtype:trojan-activity; sid:8000043; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0 outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?set=show"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/detection; classtype:trojan-activity; sid:8000044; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php?key="; fast_pattern:only; http_uri; pcre:"/\/(get|save)\.php\x3fkey\x3d.*(\x26id\x3d[0-9]{15})?$/U"; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/59ece87dfa254ba8d47503e069e5e2cb99e22140e9a2e6e56d382a6427171889/detection; reference:url,virustotal.com/#/file/d7da061b55d24a54988a3fca60009da907d14c2bcd32f2e53ef13bd8085b96cc/detection; reference:url,www.virustotal.com/#/file/7a7eee78dfffa5974a2da9bdd3337fb16e5e1d658cbe5284ef352114ef446f6a/detection; classtype:trojan-activity; sid:8000045; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark v3.0 outbound connection"; flow:to_server,established; content:"/spyMobile/upload.php?"; fast_pattern:only; http_uri; content:"imei="; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,koodous.com/apks/91659d5f35a8fea1c98f3ea32bcdd71a222f11095de680eb635ec8210fb5dc04/analysis; classtype:trojan-activity; sid:8000046; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark v3.0 outbound connection"; flow:to_server,established; content:"/spyMobile/api_"; fast_pattern:only; http_uri; content:".php"; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,koodous.com/apks/91659d5f35a8fea1c98f3ea32bcdd71a222f11095de680eb635ec8210fb5dc04/analysis; classtype:trojan-activity; sid:8000047; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
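Since the submission notes that no pcaps were available ("Tests: syntax only"), a quick way to sanity-check the match logic of the posted signatures is to re-implement the few rule options they rely on and run them over hand-built requests. The script below is an added illustration, not Snort and not code from the submitter or from Talos: it models only plain `content` literals with the `http_method`, `http_uri` and `http_client_body` modifiers and `pcre` with the `/U` flag, treats the request URI as-is (real Snort inspects a normalized URI buffer and also supports `|hex|` content notation, neither of which is modeled), and feeds the rules constructed sample requests shaped after the URI patterns in the post. The rule text is the posted rules abridged to msg, content, pcre and sid; the sample requests are invented for the test and are not captures from real samples.

```python
"""Minimal evaluator for the HTTP checks in the posted ZooPark/Piom Snort rules.

Added illustration only, not Snort: it models just the options the posted
signatures use (content + http_method/http_uri/http_client_body, pcre /U) and
runs them against constructed sample requests so the logic can be checked offline.
"""
import re
from dataclasses import dataclass

# The posted rules, abridged to msg / content / pcre / sid (references and
# metadata dropped; the evaluator ignores options it does not model anyway).
RULES_TEXT = [
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0/v2.0 outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/get/index.php?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"&user="; http_uri; content:"&pass="; http_uri; content:"&data="; http_uri; classtype:trojan-activity; sid:8000042; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0 outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/sv/sv.php"; fast_pattern:only; http_uri; content:"id"; http_client_body; content:"data"; http_client_body; classtype:trojan-activity; sid:8000043; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0 outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?set=show"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:8000044; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php?key="; fast_pattern:only; http_uri; pcre:"/\/(get|save)\.php\x3fkey\x3d.*(\x26id\x3d[0-9]{15})?$/U"; classtype:trojan-activity; sid:8000045; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark v3.0 outbound connection"; flow:to_server,established; content:"/spyMobile/upload.php?"; fast_pattern:only; http_uri; content:"imei="; http_uri; classtype:trojan-activity; sid:8000046; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark v3.0 outbound connection"; flow:to_server,established; content:"/spyMobile/api_"; fast_pattern:only; http_uri; content:".php"; http_uri; classtype:trojan-activity; sid:8000047; rev:1;)',
]

# Snort buffer modifier -> the request field this toy inspects
BUFFER_OF = {"http_method": "method", "http_uri": "uri", "http_client_body": "body"}


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: str = ""

    def buffer(self, name):
        """Return the buffer a given modifier selects; 'payload' is the whole request."""
        if name == "method":
            return self.method
        if name == "uri":
            return self.uri
        if name == "body":
            return self.body
        return f"{self.method} {self.uri} HTTP/1.1\r\n\r\n{self.body}"


@dataclass
class Rule:
    sid: int
    msg: str
    contents: list   # (buffer name, literal) pairs; all must be present
    pcres: list      # (buffer name, compiled regex) pairs; all must match


def split_options(rule_text):
    """Split the option block on ';' while ignoring ';' inside double quotes."""
    body = rule_text[rule_text.index("(") + 1 : rule_text.rindex(")")]
    options, current, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    return options + ([tail] if tail else [])


def parse_rule(rule_text):
    """Build a Rule; a buffer modifier binds to the content option preceding it."""
    sid, msg, contents, pcres, last = None, "", [], [], None
    for option in split_options(rule_text):
        key, _, value = option.partition(":")
        key, value = key.strip(), value.strip()
        if key == "msg":
            msg = value.strip('"')
        elif key == "sid":
            sid = int(value)
        elif key == "content":
            contents.append(["payload", value.strip('"')])  # plain literal only
            last = contents[-1]
        elif key in BUFFER_OF and last is not None:
            last[0] = BUFFER_OF[key]
        elif key == "pcre":
            pattern, flags = re.fullmatch(r'"/(.*)/([A-Za-z]*)"', value).groups()
            buffer = "uri" if "U" in flags else "payload"
            pcres.append((buffer, re.compile(pattern, re.I if "i" in flags else 0)))
    return Rule(sid, msg, [tuple(c) for c in contents], pcres)


def rule_matches(rule, request):
    """True when every content literal and every pcre hits its buffer."""
    return all(lit in request.buffer(buf) for buf, lit in rule.contents) and all(
        rx.search(request.buffer(buf)) for buf, rx in rule.pcres
    )


def matching_sids(rules, request):
    return [rule.sid for rule in rules if rule_matches(rule, request)]


RULES = [parse_rule(text) for text in RULES_TEXT]

# Constructed sample requests shaped after the URI patterns in the rules;
# invented for this test, not captures from real samples.
SAMPLE_REQUESTS = {
    "piom_get": HttpRequest("GET", "/get/index.php?id=7&user=u&pass=p&data=x"),
    "piom_post": HttpRequest("POST", "/sv/sv.php", body="id=7&data=x"),
    "zoopark_key": HttpRequest("POST", "/save.php?key=k1&id=123456789012345"),
    "zoopark_v3": HttpRequest("GET", "/spyMobile/upload.php?imei=000000000000000"),
    "benign": HttpRequest("GET", "/index.php?page=1"),
}


def run_samples():
    """Map each sample name to the sids that fire on it."""
    return {name: matching_sids(RULES, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, sids in run_samples().items():
        print(f"{name:12s} -> {sids}")
```

Two things the run makes visible that are worth knowing before deploying the rules as posted: in sid 8000045 the trailing `(\x26id\x3d[0-9]{15})?$` group is optional and sits after a greedy `.*`, so it never constrains the match and the rule effectively fires on any `/get.php?key=` or `/save.php?key=` URI whether or not a 15-digit id follows; and sid 8000047 keys only on `/spyMobile/api_` plus `.php` anywhere in the URI, which is fine for the reported infrastructure but worth watching for false positives on unrelated sites that happen to use that path layout.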
Current thread:
- Andr.Trojan.ZooPark family Y M via Snort-sigs (May 07)
- Re: Andr.Trojan.ZooPark family Phillip Lee (May 07)