Snort mailing list archives

Re: Multiple signatures


From: John Levy <johlevy () sourcefire com>
Date: Wed, 27 Jun 2018 10:54:35 -0400

Hi Yaser,

Thanks for these submissions. We will review each of them and get back to
you when finished. The format used is great, and we were able to easily
parse the different submissions. Thanks again.

Sincerely,

John Levy
Cisco Talos

On Wed, Jun 27, 2018 at 9:34 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

Below are a set of rules for various detections aggregated in one email. Oddly,
I was not able to acquire any of the binaries/payloads, hence the lack
of pcaps. It was just weird. Each set of signatures is separated by
"#----". Please let me know if this format is not favorable and I will work
something out.

# --------------------
# Date: 2018-06-17
# Title: CVE-2017-8570 RTF and the Sisfader RAT
# Tests: syntax only
# Reference: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/
# Confidence: low-
# Notes: Rules are based on assumptions of the custom protocol detailed in the reference

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sisfader RAT outbound connection - Register"; flow:to_server,established; content:"|FF DD EE AA|"; depth:4; byte_test:1,=,4,4,relative; content:"|0F 01|"; offset:8; metadata:ruleset community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/; classtype:trojan-activity; sid:8000120; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sisfader RAT outbound connection - Beacon"; flow:to_server,established; content:"|FF DD EE AA|"; depth:4; byte_test:1,=,4,4,relative; content:"|F0 E1|"; offset:8; metadata:ruleset community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/; classtype:trojan-activity; sid:8000121; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sisfader RAT outbound connection - Pong"; flow:to_server,established; content:"|FF DD EE AA|"; depth:4; byte_test:1,=,4,4,relative; content:"|F0 E3|"; offset:8; metadata:ruleset community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/; classtype:trojan-activity; sid:8000122; rev:1;)

# --------------------
# Date: 2018-06-21
# Title: Kardon Loader Looks for Beta Testers
# Tests: syntax only
# Reference: https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kardon loader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; http_uri; content:"&os="; fast_pattern:only; http_client_body; content:"&pv="; http_client_body; content:"&ip="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/; classtype:trojan-activity; sid:8000123; rev:1;)

# --------------------
# Date: 2018-06-21
# Title: Nigelthorn Malware Abuses Chrome Extensions to Cryptomine and Steal Data
# Tests: syntax only
# Reference: https://blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/
# Confidence: low-

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Nigelthorn browser plugin social media credentials theft attempt"; flow:to_server,established; content:"GET"; http_method; content:"/php3/"; fast_pattern:only; http_uri; content:".php?"; http_uri; content:"u="; http_uri; content:"&p="; http_header; metadata:ruleset community, service http; reference:url,blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/; classtype:trojan-activity; sid:8000124; rev:1;)

# --------------------
# Date: 2018-06-21
# Title: Red Alert v2.0: Misadventures in Reversing Android Bot Malware
# Tests: syntax only
# Reference: https://www.trustwave.com/Resources/SpiderLabs-Blog/Red-Alert-v2-0--Misadventures-in-Reversing-Android-Bot-Malware/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.BankerBot outbound connection"; flow:to_server,established; urilen:5; content:"POST"; http_method; content:"/stbi"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"Content-Type: application/json"; http_header; content:"eyJ"; depth:3; http_client_body; metadata:ruleset community, service http; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Red-Alert-v2-0--Misadventures-in-Reversing-Android-Bot-Malware/; classtype:trojan-activity; sid:8000125; rev:1;)

# --------------------
# Date: 2018-06-22
# Title: RAT Gone Rogue: Meet ARS VBS Loader
# Tests: syntax only
# Reference: https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?os="; http_uri; content:"&user="; http_uri; content:"&av="; http_uri; content:"&fw="; http_uri; content:"&hwid="; http_uri; metadata:ruleset community, service http; reference:url,www.flashpoint-intel.com/blog/meet-ars-vbs-loader/; classtype:trojan-activity; sid:8000126; rev:1;)

# --------------------
# Date: 2018-06-27
# Title: Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation
# Tests: syntax only
# Reference: https://labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/toolbar/"; fast_pattern:only; http_uri; content:"User-Agent: wget"; http_header; content:"Referer:"; http_header; content:"/toolbar"; within:50; http_header; content:!"Accept-"; http_header; content:!"Content-"; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000127; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/entry/"; http_uri; content:"&mac="; fast_pattern:only; http_uri; content:"User-Agent: wget"; http_header; content:"Referer:"; http_header; content:"/entry/"; within:50; http_header; content:!"Accept-"; http_header; content:!"Content-"; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000128; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/interface/getFile?"; fast_pattern:only; http_uri; content:"User-Agent: wget"; http_header; content:!"Referer:"; http_header; content:"Accept-"; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000129; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"User-Agent: SmartService|0D 0A|"; fast_pattern:only; http_header; content:"/getFile?"; http_uri; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000130; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; urilen:>200; content:"/api/"; fast_pattern:only; http_uri; content:"q="; http_uri; content:!"Referer:"; http_header; pcre:"/\/api\/(cpx|ss|lt)\x3fq\x3d/Ui"; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000131; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"User-Agent: BypassUac|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000132; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/report?s="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64) "; http_header; content:!"Referer:"; http_header; content:"Accept"; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000133; rev:1;)

# --------------------
# Date: 2018-06-27
# Title: RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
# Tests: syntax only
# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf
#     - Dinwod: https://www.virustotal.com/#/file/e94284e487e59b53efab9d4584fca766883b916118c9a8ff59514087555e9a8e/behavior
#     - NetHelp: https://www.virustotal.com/#/file/e8b8e4d8694600116b0d7d6062d8f5b77f25e69e993f13be56399cadf175e512/behavior
#     - SpyGate: https://www.virustotal.com/#/file/30e628bfbf80a8cb432b679fdeaccbe3c0ab7eaee8d0899fba7a16853abf35b9/behavior
# Confidence: low-

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dinwod/NetHelp variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:53.0) Gecko/20100101 Chrome /53.0"; fast_pattern:only; http_header; content:"/index.html"; http_uri; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf; classtype:trojan-activity; sid:8000134; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyGate variant outbound connection"; flow:to_server,established; urilen:<100; content:"/index?"; http_uri; content:"Accept: */*|0D 0A|Accept-Encoding: gzip, deflate|0D 0A|User-Agent: "; http_header; fast_pattern; content:"Connection: Keep-Alive|0D 0A|"; http_header; content:!"Referer"; http_header; content:!"Content-"; http_header; metadata:ruleset community, service http; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf; classtype:trojan-activity; sid:8000135; rev:1;)

# --------------------
# Date: 2018-06-27
# Title: FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users
# Tests: syntax only
# Reference:
#     - https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/
#     - https://documents.trendmicro.com/assets/appendix-fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.pdf
# Confidence: low-

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andro.Trojan.FakeSpy variant outbound connection"; flow:to_server,established; content:"/jiagu/"; http_uri; content:"/infos"; fast_pattern:only; http_uri; content:" Android "; http_header; metadata:ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/; classtype:trojan-activity; sid:8000136; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andro.Trojan.FakeSpy variant outbound connection"; flow:to_server,established; content:"/servlet/OnLine"; fast_pattern:only; http_uri; content:" Android "; http_header; metadata:ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/; classtype:trojan-activity; sid:8000137; rev:1;)

# --------------------
# Date: 2018-06-27
# Title: FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users
# Tests: syntax only
# Reference:
#     - https://threatvector.cylance.com/en_us/home/threat-spotlight-urlzone-malware-campaigns-targeting-japan.html
#     - https://github.com/arbor/urlzone/blob/master/urlzone.py#L94
#     - https://totalhash.cymru.com/analysis/?110f2b3114ce891b620d84ca1072d7b46880ca02
# Confidence: low-
# Note: Older references show that this is via HTTPS. Newer references show this via HTTP.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.URLZone dropper variant outbound connection"; flow:to_server,established; content:"?tver="; fast_pattern:only; http_uri; content:"&vcmd="; http_uri; content:"&ipcnf="; http_uri; metadata:ruleset community, service http; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-urlzone-malware-campaigns-targeting-japan.html; reference:url,github.com/arbor/urlzone/blob/master/urlzone.py; classtype:trojan-activity; sid:8000138; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay
up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
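The submission above was tested "syntax only", and the kinds of slips that creep into mailed rule text (a misspelled modifier keyword such as http_headr, a buffer modifier given twice on one content, an unterminated |hex| block, a missing rev) are exactly what a small lint pass catches before a reviewer has to. The following Python script is an added example written for this page, not Snort or Talos tooling; it models only the subset of Snort 2 rule syntax these checks need, and the two sample rules inside it are constructed with placeholder SIDs.

```python
"""Lint for single-line Snort 2 rules. Added example for this thread, not
Snort or Talos tooling: it checks a misspelled modifier keyword, two buffer
modifiers on one content, an unterminated |hex| block, a relative modifier
on the first content, and missing required options. Only the rule syntax
needed for those checks is modelled."""
import re

BUFFER_MODIFIERS = {
    "http_uri", "http_raw_uri", "http_header", "http_raw_header",
    "http_client_body", "http_cookie", "http_raw_cookie", "http_method",
    "http_stat_code", "http_stat_msg", "pkt_data", "file_data",
}
CONTENT_MODIFIERS = BUFFER_MODIFIERS | {
    "nocase", "rawbytes", "depth", "offset", "distance", "within", "fast_pattern",
}
OTHER_OPTIONS = {
    "msg", "flow", "flowbits", "content", "uricontent", "pcre", "byte_test",
    "byte_jump", "byte_extract", "isdataat", "urilen", "dsize", "metadata",
    "reference", "classtype", "sid", "rev", "priority", "threshold",
    "detection_filter",
}
REQUIRED = {"msg", "sid", "rev", "classtype"}
# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+(->|<>)"
    r"\s+\S+\s+\S+\s*\((.*)\)\s*$",
    re.S,
)


def split_options(body):
    """Split the option body on ';' outside double quotes and return
    (keyword, value) pairs; value is None for bare keywords like http_uri."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))  # text after the last ';' (normally empty)
    pairs = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition(":")
        pairs.append((key.strip(), val.strip() if sep else None))
    return pairs


def lint_rule(rule):
    """Return a list of human-readable findings for one rule; [] is clean."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["malformed header or unbalanced parentheses"]
    pairs = split_options(m.group(3))
    present = {k for k, _ in pairs}
    findings = [f"missing required option: {k}" for k in sorted(REQUIRED - present)]

    contents_seen = 0
    current = None   # pattern of the content that later modifiers attach to
    buffers = []     # buffer modifiers already attached to `current`
    for key, val in pairs:
        if key in ("content", "uricontent"):
            contents_seen += 1
            current, buffers = val, []
            pattern = (val or "").lstrip("!").strip()
            if len(pattern) < 2 or pattern[0] != '"' or pattern[-1] != '"':
                findings.append(f"content value is not quoted: {val}")
            elif pattern.count("|") % 2:  # a literal pipe must be written |7C|
                findings.append(f"unterminated |hex| block in content {pattern}")
        elif key in CONTENT_MODIFIERS:
            if current is None:
                findings.append(f"{key} has no preceding content")
            elif key in BUFFER_MODIFIERS:
                if buffers:
                    findings.append(f"content {current} already has buffer "
                                    f"modifier {buffers[-1]}; {key} makes two")
                buffers.append(key)
            elif key in ("distance", "within") and contents_seen == 1:
                findings.append(f"{key} on the first content is relative to "
                                f"the payload start; offset/depth says so plainly")
        elif key not in OTHER_OPTIONS:
            findings.append(f"unknown option keyword: {key}")
    return findings


def lint_rules(text):
    """Lint every non-comment, non-blank line; return {line_number: findings}."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            report[lineno] = lint_rule(line)
    return report


# Constructed sample input with placeholder SIDs: one clean rule, then one
# that stacks up the mistakes this linter targets.
SAMPLE_RULES = """\
# clean
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE clean rule"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; fast_pattern:only; http_uri; content:"&os="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:9000001; rev:1;)
# defective: doubled http_uri, unterminated |3B, http_headr typo, no rev
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE defective rule"; flow:to_server,established; content:"/toolbar/"; http_uri; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B WOW64)"; http_header; content:!"Accept-"; http_headr; classtype:trojan-activity; sid:9000002;)
"""

if __name__ == "__main__":
    for lineno, findings in lint_rules(SAMPLE_RULES).items():
        print(f"line {lineno}: {'clean' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run the script as-is to see the report for the two constructed rules, or pass a whole submission file through `lint_rules()` before mailing it; a rule that spans several lines must first be joined back onto one line, since the linter, like Snort, expects one rule per line.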
