Re: Multiple signatures 008

[Marcos Rodriguez <mrodriguez () sourcefire com>]

On Wed, Aug 1, 2018 at 2:57 PM, Y M via Snort-sigs <
snort-sigs () lists snort org> wrote:

> Hi,
>
> Pcaps for FormBook and (what appears to be) the Google sinkhole sigs are
> available.
>
> # --------------------
> # Date: 2018-07-30
> # Title: Win.Trojan.FormBook
> # Reference: Research
> #     Dropper:
> #     - https://www.virustotal.com/#/file/9cab0520f4d7c3ecbc310e5528
> 2861ca20d53959eaf6e93d8d6aa717347819da/detection
> #     - https://app.any.run/tasks/16de6eff-d745-43d0-b463-a542e27ed4e5
> #    FormBook:
> #    - 6d9a03a5300e820e1cdadee50d0c35d26f4651e57ecaf730c918588433cfc207
> #    - 5039b1f1fe51ae793991dd75a4af247d7f3d1aee1ef7c5355f7fd3e949650c26
> #    - a0ce7c1ea60d04434ff18e9e2595d195b9aaaccbdabc7b7005b457e67885b095
> #    - 092e4c73963f4885ea3017de96fbb8746dd3b8bb8b67b098a1ffa5a9b89963fe
> #    - be87149f2ebdf39660a1b5a546daae5112fff80830233c430ba693279059696e
> #    - 5d99b940b9fd8bf6f97c5dd6ae12ae5fc9fc596678cb056f1cf7c1704904d7d5
> #    - 2238b58701332233865671be4304c789948b5480ca3f0512a18d2402c73db5e0
> #    - 310120dbead95d404212997aa0393b99173ba659c3a10f76ac6a96636fa8d283
> #    - 2d2fb898ab24ffe60db248ab6884f1c66a47d7b57dcbdecfefdf9cdf9334128b
> # Tests: pcap
> # Confidence: medium+
> # Note:
> #    1. Flow: Adwind JAR in attachment > Drops FormBook binary from remote
> source (opendir) > FormBook C&C.
> #    2. Opendir contained two differernt samples of FormBook (signed.exe
> and raypal.exe).
> #    3. The first URI query parameter in the GET request is the form item
> in client body of the POST request.
> #    4. SID 38134 may require updates, perhaps $EXTERNAL_NET 1024: instead
> of hardcoding the port?
> #    5. There are multiple GET requests, some of which will always end
> with "&sql=1".
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.FormBook variant outbound connection";
> flow:to_server,established; urilen:100<>120; content:"&sql=1";
> fast_pattern:only; http_uri; content:"/?"; http_uri; content:"Connection:
> close|0D 0A|"; http_header; content:!"User-Agent"; http_header;
> content:!"Accept"; http_header; content:!"Content"; http_header;
> metadata:ruleset community, service http; classtype:trojan-activity;
> sid:8000224; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.FormBook variant outbound connection";
> flow:to_server,established; urilen:<6; content:"POST"; http_method;
> content:"Origin: "; http_header; content:"Referer: "; http_header;
> content:"Connection: close|0D 0A|"; fast_pattern; http_header;
> content:"Content-Type: application/x-www-form-urlencoded|0D 0A|";
> http_header; content:"="; depth:10; http_client_body;
> pcre:"/\/[a-z0-9]{2,3}\//U"; metadata:ruleset community, service http;
> classtype:trojan-activity; sid:8000225; rev:1;)
>
> # --------------------
> # Date: 2018-08-01
> # Title: Andr.Dropper.Agent
> # Reference:
> #     - https://www.virustotal.com/#/file/9e5e9add2d75cef55afea99e40
> 6cda857734c1297af1695f17e96d251edfe004/detection
> # Tests: syntax only
> # Confidence: low
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Andr.Dropper.Agent outbound connection"; flow:to_server,established;
> content:"?platform="; http_uri; content:"&package_name=";
> fast_pattern:only; http_uri; content:"&screen_size="; http_uri;
> content:"&network_type="; http_uri; content:"&gaid="; http_uri;
> metadata:ruleset community, service http; reference:url,www.virustotal.c
> om/#/file/9e5e9add2d75cef55afea99e406cda857734c1297af1695f17
> e96d251edfe004/detection; classtype:trojan-activity; sid:8000226; rev:1;)
>
> # --------------------
> # Date: 2018-08-01
> # Title: Win.Backdoor.Sarhust/Hussarini
> # Reference:
> #     - https://www.fortinet.com/blog/threat-research/hussarini---ta
> rgeted-cyber-attack-in-the-philippines.html
> #     - https://www.virustotal.com/#/file/05dcc7856661244d082daa88a0
> 74d2f266c70623789a7bb5a919282b178d8f98/detection
> # Tests: syntax only
> # Confidence: low
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> known malicious user-agent - Win.Backdoor.Sarhust";
> flow:to_server,established; content:"User-Agent: Mozilla/4.0
> (compatible|3B| MSIE 5.5|3B| Windows NT 5.0)"; fast_pattern:only;
> http_header; content:!"Connection"; http_header; metadata:ruleset
> community, service http; reference:url,www.virustotal.c
> om/#/file/05dcc7856661244d082daa88a074d2f266c70623789a7bb5a9
> 19282b178d8f98/detection; classtype:trojan-activity; sid:8000227; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:""MALWARE-CNC
> Win.Backdoor.Sarhust inbound connection"; flow:to_client,established;
> file_data; content:"<CHECK>"; fast_pattern:only; content:"</CHECK>";
> within:200; metadata:ruleset community, service http; reference:url,
> www.virustotal.com/#/file/05dcc7856661244d082d
> aa88a074d2f266c70623789a7bb5a919282b178d8f98/detection;
> classtype:trojan-activity; sid:8000228; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:""MALWARE-CNC
> Win.Backdoor.Sarhust inbound connection"; flow:to_client,established;
> file_data; content:"</CHECK><COMMAND>"; fast_pattern:only; metadata:ruleset
> community, service http; reference:url,www.virustotal.c
> om/#/file/05dcc7856661244d082daa88a074d2f266c70623789a7bb5a9
> 19282b178d8f98/detection; classtype:trojan-activity; sid:8000229; rev:1;)
>
> # --------------------
> # Date: 2018-08-01
> # Title: PowerShell Inside a Certificate? – Part 1
> # Reference:
> #    - https://blog.nviso.be/2018/07/31/powershell-inside-a-certifi
> cate-part-1/
> #    - https://attack.mitre.org/wiki/Technique/T1036
> #    - https://www.virustotal.com/#/file/eed598fa60ad25cd43f33e4d64
> cede06b45a5140df3d8e8e92d64c4a83fd4898/detection
> # Tests: syntax only
> # Confidence: low
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"INDICATOR-COMPROMISE file masquerading as a certificate download
> attempt"; flow:to_client,established; file_data; content:"-----BEGIN
> CERTIFICATE-----|0D 0A|"; fast_pattern:only; content:!"M"; distance:0;
> metadata:ruleset community, service ftp-data, service http, service imap,
> service pop3; reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-
> certificate-part-1/; reference:url,attack.mitre.org/wiki/Technique/T1036;
> classtype:trojan-activity; sid:8000230; rev:1;)
>
> # --------------------
> # Date: 2018-08-01
> # Title: Google Sinkhole Page/Redirection
> # Reference: Research
> # Tests: pcap
> # Confidence: low
> # Notes: Additional research is required.
>
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE
> Google Sinkhole page redirction"; flow:to_client,established;
> content:"302"; http_stat_code; content:"Location:
> http://domain-registrar.storage.googleapis.com/expired.html?";;
> fast_pattern:only; http_header; metadata:ruleset community, service http;
> classtype:trojan-activity; sid:8000231; rev:1;)
>
> # --------------------
> # Date: 2018-08-01
> # Title: Win.Backdoor.Bisonal
> # Reference: https://researchcenter.paloaltonetworks.com/2018/07/unit42-
> bisonal-malware-used-attacks-russia-south-korea/
> # Tests: syntax only
> # Confidence: low
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC
> Win.Backdoor.Bisonal variant outbound connection";
> flow:to_server,established; urilen:<30; content:"/ks8d"; fast_pattern:only;
> http_uri; content:"akspbu.txt"; http_uri; content:"POST"; http_method;
> metadata:ruleset community, service http; classtype:trojan-activity;
> sid:8000232; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
> Win.Backdoor.Bisonal variant outbound connection";
> flow:to_server,established; content:"|81 B2 A8 97 7E A3 1B 91|";
> fast_pattern:only; http_client_body; isdataat:!1,relative; metadata:ruleset
> community, service http; classtype:trojan-activity; sid:8000233; rev:1;)
>
> Thanks.
> YM
Hi Yaser,

Thanks for these submissions.  We'll get these into our testing process and
get back to you as soon as possible.  We'd appreciate any pcaps you'd be
willing to share.  Thanks again!

-- 
Marcos Rodriguez
Cisco Talos

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!