
Multiple signatures - 002


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 2 Jul 2018 17:12:08 +0000

Hi,

Here is another set of rules. Pcaps are available for all of them; some were generated with file2pcap for testing.

# --------------------
# Date: 2018-06-30
# Title: Observations from Lokibot, Emotet, and FormBook Droppers
# Reference: Research
# Hashes:
#     - 43cbdf813e2fcfab554b9a6d9483fc4011fe75fbf45fb8412a2350e5456a3f18 > Ref: https://twitter.com/James_inthe_box/status/1012731702232223745
#     - 8f859c1a9965427848315e9456237e9c018b487e3bd1d632bce2acd0c370341e > Ref: https://blog.talosintelligence.com/2018/06/my-little-formbook.html
#     - dac2202e74458d67b95f566d3f83f88ca4a33c3b28da31c3c183a656f485cd8c > Ref: https://www.virustotal.com/#/file/dac2202e74458d67b95f566d3f83f88ca4a33c3b28da31c3c183a656f485cd8c/detection
#     - 3ac6b5be53b3d1f6cff8706168bc8cd4c7774f5bd82959c1f2186106efea59e8 > Ref: https://myonlinesecurity.co.uk/fake-signed-contract-agreeement-delivers-lokibot-and-formbook-malware/
#     - 3de96921a07553cf5ef25cab246480f04383d44cc921042e1462b7ffbe1fe720 > Ref: https://isc.sans.edu/forums/diary/A+Malicious+Word+Document+Inside+a+PDF+Document/19623/
# Tests: pcap (file2pcap)
# Confidence: low
# Notes: some of the samples were not tested since they are on VTI only. The flowbit file.pdf_embed_doc is
#        an attempt to reduce FPs.

# Flags a PDF served to a client that declares an embedded file whose /Names
# entry ends in .doc/.dotm/.docx/.dotx, and sets file.pdf_embed_doc so the
# JS-export rule (sid:8000149) can require it on the same flow.
# Match chain in file_data: "/EmbeddedFile" (fast pattern) -> "/Names" within
# 15 bytes -> ".do" within 50 bytes; the pcre then narrows ".do" to the four
# extensions. Precondition: file.pdf is expected to be set by a
# file-identification rule outside this post.
# NOTE(review): content ".do" and the pcre are case-sensitive, so an upper-case
# name such as "x.DOC" is not matched even though the msg lists .DOC; add
# nocase and the /i modifier if that is intended.
# NOTE(review): msg reads "embeding" (sic); correct to "embedding" on the next rev.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PDF file embeding 
.DOC/.DOCX/.DOTM/.DOTX document"; flow:to_client,established; flowbits:isset,file.pdf; flowbits:set,file.pdf_embed_doc; 
file_data; content:"/EmbeddedFile"; fast_pattern; content:"/Names"; within:15; content:".do"; within:50; 
pcre:"/\.do(c|tm|cx|tx)/"; metadata:ruleset community, service http; classtype:misc-activity; sid:8000148; rev:1;)

# Second stage of the embedded-document pair: fires only when
# file.pdf_embed_doc was already set (by sid:8000148) on this flow and the PDF
# stream contains JavaScript calling exportDataObject( with a cName argument
# within 15 bytes and nLaunch within 50 bytes, i.e. script that writes out
# and launches the embedded document.
# NOTE(review): the flowbit is checked per packet, so if the script object is
# delivered before the /EmbeddedFile dictionary the bit is not yet set and
# only the embed rule alerts; confirm the ordering in the test pcaps.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PDF file with JS exporting 
embedded .DOC/.DOCX/.DOTM/.DOTX document"; flow:to_client,established; flowbits:isset,file.pdf; 
flowbits:isset,file.pdf_embed_doc; file_data; content:"exportDataObject("; content:"cName"; within:15; 
content:"nLaunch"; within:50; metadata:ruleset community, service http; classtype:misc-activity; sid:8000149; rev:1;)

# RTF counterpart of sid:8000148: PDF to client with "/EmbeddedFile" (fast
# pattern) -> "/Names" within 15 bytes -> ".rtf" within 50 bytes. Sets
# file.pdf_embed_rtf for sid:8000151 to key on. Requires file.pdf to be set by
# a file-identification rule outside this post.
# NOTE(review): ".rtf" is matched case-sensitively; ".RTF" is missed unless
# nocase is added.
# NOTE(review): msg reads "embeding" (sic); correct to "embedding" on the next rev.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PDF file embeding .RTF document"; 
flow:to_client,established; flowbits:isset,file.pdf; flowbits:set,file.pdf_embed_rtf; file_data; 
content:"/EmbeddedFile"; fast_pattern; content:"/Names"; within:15; content:".rtf"; within:50; metadata:ruleset 
community, service http; classtype:misc-activity; sid:8000150; rev:1;)

# Second stage for embedded RTF: requires file.pdf_embed_rtf (set by
# sid:8000150) on the same flow, then matches PDF JavaScript calling
# exportDataObject( -> cName within 15 bytes -> ".rtf" within 50 bytes ->
# nLaunch within 50 bytes.
# NOTE(review): same per-packet flowbit ordering caveat as sid:8000149; the
# ".rtf" here is also case-sensitive.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PDF file with JS exporting 
embedded .RTF document"; flow:to_client,established; flowbits:isset,file.pdf; flowbits:isset,file.pdf_embed_rtf; 
file_data; content:"exportDataObject("; content:"cName"; within:15; content:".rtf"; within:50; content:"nLaunch"; 
within:50; metadata:ruleset community, service http; classtype:misc-activity; sid:8000151; rev:1;)

# Generic variant with no embed-flowbit precondition (only file.pdf): PDF
# JavaScript where exportDataObject is followed by cName within 15 bytes,
# "[0].name" within 50 bytes (the name taken from the first element of an
# array rather than a literal), and nLaunch within 50 bytes.
# NOTE(review): "exportDataObject" is matched without the "(" used by the
# sibling rules -- presumably to tolerate whitespace or a reference to the
# function rather than a direct call; confirm against the samples.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PDF file with JS exporting object 
from array"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"exportDataObject"; 
content:"cName"; within:15; content:"[0].name"; within:50; content:"nLaunch"; within:50; metadata:ruleset community, 
service http; classtype:misc-activity; sid:8000152; rev:1;)

# Mail-direction twin of sid:8000148: same /EmbeddedFile -> /Names -> ".do" +
# pcre chain on a to_server flow toward port 25 (metadata also lists imap and
# pop3). Sets file.pdf_embed_doc for sid:8000154.
# NOTE(review): the source port is $FILE_DATA_PORTS, but the client side of an
# SMTP session normally uses an ephemeral port, so this header may never
# match unless target-based service identification overrides the ports; SMTP
# file rules commonly use `$EXTERNAL_NET any -> $SMTP_SERVERS 25`. The same
# applies to sids 8000154-8000157, 8000165-8000167 and 8000169 -- verify with
# the file2pcap SMTP pcap.
# NOTE(review): msg reads "embeding" (sic); correct to "embedding" on the next rev.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE PDF file embeding 
.DOC/.DOCX/.DOTM/.DOTX document"; flow:to_server,established; flowbits:isset,file.pdf; flowbits:set,file.pdf_embed_doc; 
file_data; content:"/EmbeddedFile"; fast_pattern; content:"/Names"; within:15; content:".do"; within:50; 
pcre:"/\.do(c|tm|cx|tx)/"; metadata:ruleset community, service imap, service pop3, service smtp; 
classtype:misc-activity; sid:8000153; rev:1;)

# Mail-direction twin of sid:8000149: requires file.pdf_embed_doc (set by
# sid:8000153) and matches exportDataObject( -> cName within 15 bytes ->
# nLaunch within 50 bytes in the mailed PDF.
# NOTE(review): source port $FILE_DATA_PORTS on a to_server flow to port 25 is
# unlikely to match a real client->MTA session (ephemeral source port); check
# the test pcap and consider `$EXTERNAL_NET any` as used by other SMTP file rules.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE PDF file with JS exporting 
embedded .DOC/.DOCX/.DOTM/.DOTX document"; flow:to_server,established; flowbits:isset,file.pdf; 
flowbits:isset,file.pdf_embed_doc; file_data; content:"exportDataObject("; content:"cName"; within:15; 
content:"nLaunch"; within:50; metadata:ruleset community, service imap, service pop3, service smtp; 
classtype:misc-activity; sid:8000154; rev:1;)

# Mail-direction twin of sid:8000150: /EmbeddedFile -> /Names within 15 bytes
# -> ".rtf" within 50 bytes in a PDF sent to an SMTP server; sets
# file.pdf_embed_rtf for sid:8000156.
# NOTE(review): source port $FILE_DATA_PORTS on a to_server flow to port 25 is
# unlikely to match a real client->MTA session (ephemeral source port); check
# the test pcap and consider `$EXTERNAL_NET any` as used by other SMTP file rules.
# NOTE(review): msg reads "embeding" (sic); ".rtf" is case-sensitive.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE PDF file embeding .RTF 
document"; flow:to_server,established; flowbits:isset,file.pdf; flowbits:set,file.pdf_embed_rtf; file_data; 
content:"/EmbeddedFile"; fast_pattern; content:"/Names"; within:15; content:".rtf"; within:50; metadata:ruleset 
community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000155; rev:1;)

# Mail-direction twin of sid:8000151: requires file.pdf_embed_rtf (set by
# sid:8000155), then exportDataObject( -> cName within 15 bytes -> ".rtf"
# within 50 bytes -> nLaunch within 50 bytes.
# NOTE(review): source port $FILE_DATA_PORTS on a to_server flow to port 25 is
# unlikely to match a real client->MTA session (ephemeral source port); check
# the test pcap and consider `$EXTERNAL_NET any` as used by other SMTP file rules.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE PDF file with JS exporting 
embedded .RTF document"; flow:to_server,established; flowbits:isset,file.pdf; flowbits:isset,file.pdf_embed_rtf; 
file_data; content:"exportDataObject("; content:"cName"; within:15; content:".rtf"; within:50; content:"nLaunch"; 
within:50; metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000156; 
rev:1;)

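# Mail-direction twin of sid:8000152: PDF JavaScript with exportDataObject ->
# cName within 15 bytes -> "[0].name" within 50 bytes -> nLaunch within 50
# bytes; only file.pdf is required, no embed flowbit.
# Fix: the original ended the metadata option with "smtp;;" -- the empty
# option produced by the doubled semicolon is a rule parse error; it is now a
# single semicolon. No other change.
# NOTE(review): source port $FILE_DATA_PORTS on a to_server flow to port 25 is
# unlikely to match a real client->MTA session (ephemeral source port); check
# the test pcap and consider `$EXTERNAL_NET any` as used by other SMTP file rules.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE PDF file with JS exporting 
object from array"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"exportDataObject"; 
content:"cName"; within:15; content:"[0].name"; within:50; content:"nLaunch"; within:50; metadata:ruleset community, 
service imap, service pop3, service smtp; classtype:misc-activity; sid:8000157; rev:1;)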

# --------------------
# Date: 2018-06-30
# Title: Slight changes to Trickbot delivery system
# Reference:
#     - https://myonlinesecurity.co.uk/slight-changes-to-trickbot-delivery-system/
#     - https://twitter.com/HybridAnalysis/status/1012694777454661635
# Hashes:
#     - a11af88bc26878f73fe2bbe541e6eb50fce4ff2b9c5c033f3cd27a021218bb3d
#     - 9f350ff27f614015b25cd8f3325084e0345e25ffa2f840a1c712f55c5bbedfff
#     - 3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73
# Tests: pcap (file2pcap)
# Confidence: medium

# Office document (file.doc set by a file-identification rule outside this
# post) delivered to a client whose content holds, case-insensitively,
# "InkPicture" -> "MSINKAUTLib" within 30 bytes -> "Painted(ByVal" within 50
# bytes: an InkPicture control reference together with what looks like its
# Painted event handler, presumably used as the macro trigger in the
# referenced Trickbot samples -- confirm against them.
# NOTE(review): all three contents are plain ASCII; sids 8000163/8000164 cover
# forms with embedded NUL bytes.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE document with InkPicture ActiveX 
within VBA macro"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"InkPicture"; nocase; 
content:"MSINKAUTLib"; within:30; nocase; content:"Painted(ByVal"; within:50; nocase; metadata:ruleset community, 
service http; classtype:misc-activity; sid:8000162; rev:1;)

# Same chain as sid:8000162 but each token carries a NUL byte at a fixed
# position ("InkP|00|icture", "MSINK|00|AUTLib", "Pain|00|ted(ByVa|00|l"),
# presumably matching how the strings appear in the referenced samples'
# document stream -- confirm. Because the NUL offsets are fixed, a sample that
# splits the tokens elsewhere is not caught by this rule.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE document with InkPicture ActiveX 
within VBA macro"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"InkP|00|icture"; nocase; 
content:"MSINK|00|AUTLib"; within:30; nocase; content:"Pain|00|ted(ByVa|00|l"; within:50; nocase; metadata:ruleset 
community, service http; classtype:misc-activity; sid:8000163; rev:1;)

# Third arrangement of the InkPicture tokens: "InkP|00|icture" ->
# "|00|Painted(|00|ByVal" within 20 bytes -> "MSINKAU" within 50 bytes ->
# "TLib" within 10 bytes (the type-library name split in two).
# NOTE(review): "MSINKAU" and "TLib" have no nocase while every other
# InkPicture content in this set does; if that is not deliberate, add nocase
# so the rule is consistent with sids 8000162/8000163.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE document with InkPicture ActiveX 
within VBA macro"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"InkP|00|icture"; nocase; 
content:"|00|Painted(|00|ByVal"; within:20; nocase; content:"MSINKAU"; within:50; content:"TLib"; within:10; 
metadata:ruleset community, service http; classtype:misc-activity; sid:8000164; rev:1;)

# Mail-direction twin of sid:8000162: "InkPicture" -> "MSINKAUTLib" within 30
# bytes -> "Painted(ByVal" within 50 bytes, all nocase, in a document sent to
# an SMTP server (metadata also lists imap and pop3).
# NOTE(review): source port $FILE_DATA_PORTS on a to_server flow to port 25 is
# unlikely to match a real client->MTA session (ephemeral source port); check
# the test pcap and consider `$EXTERNAL_NET any` as used by other SMTP file rules.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE document with InkPicture 
ActiveX within VBA macro"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"InkPicture"; 
nocase; content:"MSINKAUTLib"; within:30; nocase; content:"Painted(ByVal"; within:50; nocase; metadata:ruleset 
community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000165; rev:1;)

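# Mail-direction twin of sid:8000163: the NUL-split tokens "InkP|00|icture" ->
# "MSINK|00|AUTLib" within 30 bytes -> "Pain|00|ted(ByVa|00|l" within 50
# bytes, all nocase, in a document sent to an SMTP server.
# Fix: the original ended the metadata option with "smtp;;" -- the empty
# option produced by the doubled semicolon is a rule parse error; it is now a
# single semicolon. No other change.
# NOTE(review): source port $FILE_DATA_PORTS on a to_server flow to port 25 is
# unlikely to match a real client->MTA session (ephemeral source port); check
# the test pcap and consider `$EXTERNAL_NET any` as used by other SMTP file rules.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE document with InkPicture 
ActiveX within VBA macro"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"InkP|00|icture"; 
nocase; content:"MSINK|00|AUTLib"; within:30; nocase; content:"Pain|00|ted(ByVa|00|l"; within:50; nocase; 
metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000166; rev:1;)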

# Mail-direction twin of sid:8000164: "InkP|00|icture" ->
# "|00|Painted(|00|ByVal" within 20 bytes -> "MSINKAU" within 50 bytes ->
# "TLib" within 10 bytes.
# NOTE(review): "MSINKAU" and "TLib" lack nocase unlike the other InkPicture
# contents; add it if the omission is not deliberate.
# NOTE(review): source port $FILE_DATA_PORTS on a to_server flow to port 25 is
# unlikely to match a real client->MTA session (ephemeral source port); check
# the test pcap and consider `$EXTERNAL_NET any` as used by other SMTP file rules.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE document with InkPicture 
ActiveX within VBA macro"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"InkP|00|icture"; 
nocase; content:"|00|Painted(|00|ByVal"; within:20; nocase; content:"MSINKAU"; within:50; content:"TLib"; within:10; 
metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000167; rev:1;)

# Office document to a client containing the string "_VBA_PROJECT" with a
# 0x00 byte after every character, i.e. the name encoded as UTF-16LE, which is
# how an OLE compound-file directory entry (the VBA project stream) stores it.
# fast_pattern:only: the single content is used purely as the fast-pattern
# match and not re-evaluated afterwards.
# NOTE(review): this fires on any document that carries a VBA project, not
# only a malicious one, so expect volume wherever macro-enabled documents are
# normal; treat it as a low-fidelity indicator and correlate with the other
# rules in this set rather than acting on it alone.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE document with VBA project - 
unicode"; flow:to_client,established; flowbits:isset,file.doc; file_data; 
content:"_|00|V|00|B|00|A|00|_|00|P|00|R|00|O|00|J|00|E|00|C|00|T"; fast_pattern:only; metadata:ruleset community, 
service http; classtype:misc-activity; sid:8000168; rev:1;)

# Mail-direction twin of sid:8000168: UTF-16LE "_VBA_PROJECT" (each character
# followed by 0x00) in a document sent to an SMTP server, fast_pattern:only.
# NOTE(review): matches every macro-carrying document, benign or not; treat as
# a low-fidelity indicator to correlate with, not alert on by itself.
# NOTE(review): source port $FILE_DATA_PORTS on a to_server flow to port 25 is
# unlikely to match a real client->MTA session (ephemeral source port); check
# the test pcap and consider `$EXTERNAL_NET any` as used by other SMTP file rules.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE document with VBA project - 
unicode"; flow:to_server,established; flowbits:isset,file.doc; file_data; 
content:"_|00|V|00|B|00|A|00|_|00|P|00|R|00|O|00|J|00|E|00|C|00|T"; fast_pattern:only; metadata:ruleset community, 
service imap, service pop3, service smtp; classtype:misc-activity; sid:8000169; rev:1;)

# --------------------
# Date: 2018-07-02
# Title: All-Radio 4.27 Portable Can't Be Removed? Then Your PC is Severely Infected
# Reference: https://www.bleepingcomputer.com/news/security/all-radio-427-portable-cant-be-removed-then-your-pc-is-severely-infected/
# Tests: pcap
# Confidence: medium
# Hashes: 9d891048dddda8a65de966c71f81464b20e402766aaee8a284da8d25c98270bd

# Outbound HTTP request from an internal host whose URI contains
# ".php?mykeyone=" (fast pattern only), "&mykeytwo=" and "&anti_cache=" in any
# order, and whose normalized headers contain no "User-Agent" header
# (negated content on http_header). The three parameters are not ordered
# relative to each other -- there is no distance/within between them.
# NOTE(review): "&anti_cache=" is a fairly generic cache-buster name; the
# combination with the two mykey* parameters and the missing User-Agent is
# what carries the specificity, so keep all four if the rule is tuned later.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector outbound connection"; 
flow:to_server,established; content:".php?mykeyone="; fast_pattern:only; http_uri; content:"&mykeytwo="; http_uri; 
content:"&anti_cache="; http_uri; content:!"User-Agent"; http_header; metadata:ruleset community, service http; 
reference:url,www.virustotal.com/#/file/9d891048dddda8a65de966c71f81464b20e402766aaee8a284da8d25c98270bd/detection; 
classtype:trojan-activity; sid:8000170; rev:1;)
# Second check-in pattern for the same sample: outbound HTTP request whose URI
# contains "/radio/" (fast pattern only) plus the query parameters ".php?ver=",
# "&prov=", "&serverpassword=" and "&portable=1", each matched anywhere in
# the URI (no ordering constraints). Same msg, classtype and VirusTotal
# reference as sid:8000170.
# NOTE(review): no header or User-Agent check here, unlike sid:8000170; the
# five URI tokens together are the only specificity.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector outbound connection"; 
flow:to_server,established; content:"/radio/"; fast_pattern:only; http_uri; content:".php?ver="; http_uri; 
content:"&prov="; http_uri; content:"&serverpassword="; http_uri; content:"&portable=1"; http_uri; metadata:ruleset 
community, service http; 
reference:url,www.virustotal.com/#/file/9d891048dddda8a65de966c71f81464b20e402766aaee8a284da8d25c98270bd/detection; 
classtype:trojan-activity; sid:8000171; rev:1;)

Thanks
YM