Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Multiple signatures 012

From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 27 Aug 2018 14:13:46 +0000
Hi,

Pcaps are available for all of the signatures except Win.Trojan.AppleJeus and Andr.Trojan.Triout.

The Babylon RAT signatures posted earlier will hit FPs on traffic from/to Apple/Akamai. The signatures have been 
revised and are added below.

Have a good week.
YM

# --------------------
# Updates for SID 8000278-8000279 from 'Multiple signaturs 011'.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Babylon RAT outbound connection"; 
flow:to_server,established; dsize:4; content:"|FF 9E FF|"; offset:1; depth:3; fast_pattern; metadata:ruleset community; 
classtype:trojan-activity; sid:8000278; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Babylon RAT inbound connection"; 
flow:to_client,established; dsize:8; content:"|FF 9E FF|"; offset:1; depth:3; fast_pattern; metadata:ruleset community; 
classtype:trojan-activity; sid:8000279; rev:2;)

# --------------------
# Date: 2018-08-24
# Title: Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
# Tests: syntax only
# Reference: https://securelist.com/operation-applejeus/87553/
# Confidence: low
# Notes:
#     1. Pivoting on the data leads to:
#        - https://go.recordedfuture.com/hubfs/reports/cta-2018-0116.pdf
#        - http://blogs.360.cn/post/apt-c-26.html
#     2. Added variation rules just in case.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AppleJeus outbound connection"; 
flow:to_server,established; content:"POST"; http_method; content:"/checkupdate.php"; fast_pattern:only; http_uri; 
content:"--jeus"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000280; 
rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AppleJeus outbound connection"; 
flow:to_server,established; content:"POST"; http_method; content:"/checkupdate.php"; fast_pattern:only; http_uri; 
content:"form-data|3B| name=|22|api|22|"; http_client_body; content:"form-data|3B| name=|22|upload|22|"; 
http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000281; rev:1;)

# --------------------
# Date: 2018-08-24
# Title: Triout – Spyware Framework for Android with Extensive Surveillance Capabilities
# Tests: syntax only
# Reference: 
https://labs.bitdefender.com/wp-content/uploads/downloads/triout-the-malware-framework-for-android-that-packs-potent-spyware-capabilities/
# Confidence: low
# Notes: No hashes available.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout outbound connection - Call 
Records"; flow:to_server,established; content:"call3.php"; fast_pattern:only; http_uri; content:"pid="; 
http_client_body; content:"&callid="; http_client_body; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000282; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout outbound connection - SMS 
Records"; flow:to_server,established; content:"/script3.php"; fast_pattern:only; http_uri; content:"pid="; 
http_client_body; content:"&smsbody="; http_client_body; content:"&smssender="; http_client_body; metadata:ruleset 
community, service http; classtype:trojan-activity; sid:8000283; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout outbound connection - Call 
Log"; flow:to_server,established; content:"/calllog.php"; fast_pattern:only; http_uri; content:"pid="; 
http_client_body; content:"&callname="; http_client_body; content:"&callnum="; http_client_body; content:"&calldate="; 
http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000284; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout outbound connection - Camera 
Capture"; flow:to_server,established; content:"/uppc.php"; fast_pattern:only; http_uri; content:"form-data|3B| 
name=|22|uploaded_file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; 
sid:8000285; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout outbound connection - Call 
Logs"; flow:to_server,established; content:"/upcal.php"; fast_pattern:only; http_uri; content:"form-data|3B| 
name=|22|uploaded_file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; 
sid:8000286; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout outbound connection - GPS"; 
flow:to_server,established; content:"/gps3.php"; fast_pattern:only; http_uri; content:"pid="; http_client_body; 
content:"&lat="; http_client_body; content:"&long="; http_client_body; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000287; rev:1;)

# --------------------
# Date: 2018-08-24
# Title: AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys
# Tests: pcap
# Reference: 
https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/
# Confidence: medium
# Notes:
#    1. The ransomware HTTP C&C does not contian HTTP version!
#    2. AZORult traffic matches on SID:8000261 sent in 'Multiple signatures 010' - 2018-08-20 -
#       so it is not sig'ed here.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE outbound IP address check to 
geoplugin.net"; flow:to_server,established; urilen:7; content:"/php.gp"; fast_pattern:only; http_uri; content:"Host: 
www.geoplugin.net"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000288; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Aurora initial outbound 
connection"; flow:to_server,established; urilen:9; content:"GET /info.php|0D 0A|"; content:!"HTTP/"; distance:0; 
content:!"Referer"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000289; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Aurora generate encryption key 
outbound connection"; flow:to_server,established; content:".php?generate="; fast_pattern:only; http_uri; 
content:"&hwid="; http_uri; content:!"Referer"; http_header; content:!"Content"; http_header; metadata:ruleset 
community, service http; classtype:trojan-activity; sid:8000290; rev:1;)

# --------------------
# Date: 2018-08-25
# Title: Win.Trojan.Hancitor variant
# Tests: pcap
# Reference: Research
# Hashes:
#    - 413202954fbb57bc469750647c82dd1bbccfa10aa12f7eb3c53561ad866bcec2 (dropper)
#    - 31af1b2c498f4e71e25433465f3c12a28feccf8d5ac8deaa5479a3a55bf8c1d2 (Binary)
#    - 5838243440750de7aa23e1a0c7c9b57422fc5e5088e982826e208e8cf3aa020e (Binary)
# Confidence: medium
# Notes: This is very similar to SID:39800, but we drop
#        the URI altogether.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hancitor variant outbound 
connection"; flow:to_server,established; urilen:<20; content:".php"; http_uri; fast_pattern; content:"GUID="; 
depth:122; http_client_body; content:"BUILD="; depth:122; http_client_body; content:"INFO="; depth:122; 
http_client_body; content:"IP="; depth:122; http_client_body; content:"TYPE="; depth:122; http_client_body; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000291; rev:1;)

# --------------------
# Date: 2018-08-25
# Title: PowerShell Empire Listener Agent HTTP Requests
# Reference: Research
#    - https://github.com/EmpireProject/Empire/blob/master/data/agent/agent.py
#    - https://github.com/EmpireProject/Empire/wiki/RESTful-API
# Hashes:
#    - 2e324187804c817bfb4ef270626ee25bd54e2e20e2c5f6a20a6df3d212ed807a
# Tests: pcap
# Confidence: medium
# Notes:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE PowerShell Empire outbound connection attempt"; 
flow:to_server,established; content:"GET /admin/get.php HTTP/1.1"; depth:27; content:"User-Agent: "; fast_pattern:only; 
content:!"Referer"; content:!"Content"; metadata:ruleset community, service http; classtype:trojan-activity; 
sid:8000292; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE PowerShell Empire outbound connection attempt"; 
flow:to_server,established; content:"GET /login/process.jsp HTTP/1.1"; depth:31; content:"User-Agent: "; 
fast_pattern:only; content:!"Referer"; content:!"Content"; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000293; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE PowerShell Empire outbound connection attempt"; 
flow:to_server,established; content:"GET /news.asp HTTP/1.1"; depth:22; content:"User-Agent: "; fast_pattern:only; 
content:!"Referer"; content:!"Content"; metadata:ruleset community, service http; classtype:trojan-activity; 
sid:8000294; rev:1;)

# --------------------
# Date: 2018-08-25
# Title: Win.Trojan.Malex/Buzus variant
# Tests: pcap
# Reference: Research
# Hashes:
#    - a7c544ee65fe3d31eaad3121b07cebec58dafac48f80f4647145e97396bfa05e
#    - abae2f654c626c89990afa8e6f0e5627837e704df37d428814ad0dfcbff4bf0e
# Confidence: medium
# Notes: Added couple of detection variants as it appears
#        the URL query strings may change with variants.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious User-Agent - 
Win.Trojan.Malex/Buzus"; flow:to_server,established; content:"User-Agent: hackThemAll|0D 0A|"; fast_pattern:only; 
http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000295; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Malex/Busuz variant outbound 
connection"; flow:to_server,established; content:"/bots.php?"; fast_pattern:only; http_uri; content:"nome="; http_uri; 
content:"&os="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000296; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Malex/Busuz variant outbound 
connection"; flow:to_server,established; content:"/WebAdmin/"; http_uri; content:","; http_uri; fast_pattern:only; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000297; rev:1;)

# --------------------
# Date: 2018-08-26
# Title: Win.Trojan.Lethic avriant
# Tests: pcap
# Reference: Research
# Hashes:
#    - 9d5fa7dd604bf25c57e95558f79c38269abe8fc3a2b9eb6fc9b1ec32c6bec3d1
#    - 923d8ea6f8cfecc0dc2fab697bcfa51b58f4c8645b2c60ba699cb9bf8810117d
# Confidence: low
# Notes:
#    1. Not sure this is relevant but the samples are fairly recent.
#    2. Didn't sig the "Send Mail" command as it might be prone to FPs.

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Lethic initial inbound request"; 
flow:to_client,established; dsize:5; content:"|00 00 00 00 06|"; fast_pattern:only; metadata:ruleset community; 
classtype:trojan-activity; sid:8000298; rev:1;)

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.trojan.Lethic initial outbound response"; 
flow:to_server,established; dsize:5; content:"|00 00 00 00 06|"; fast_pattern:only; metadata:ruleset community; 
classtype:trojan-activity; sid:8000299; rev:1;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"MALWARE-CNC Win.trojan.Lethic add mail server by IP address 
inbound request"; flow:to_client,established; dsize:11; content:"|00 01|"; offset:3; depth:2; fast_pattern; 
byte_test:2, =, 25, 9; metadata:ruleset community; classtype:trojan-activity; sid:8000300; rev:1;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Lethic receive feedback inbound request"; 
flow:to_client,established; dsize:6; content:"|00 13|"; offset:3; depth:2; fast_pattern; metadata:ruleset community; 
classtype:trojan-activity; sid:8000301; rev:1;)

# --------------------
# Date: 2018-08-26
# Title: Custom PowerShell User-Agent
# Tests: pcap via triage
# Reference: https://twitter.com/ItsReallyNick/status/1033413803470467072
# Hashes:
#    - 9bd2c14baaf0c3088b3b03084850c2d4fd64c78ee15a88e6fb1b63bd33b513b9
# Notes:
#    1. Triaging on the data, we found another sample that is 12 days older:
#       1910f5ddb0fc0438a3e2a553c97559557898e6310bf7e37b13cf3013fd66ea75
#    2. Add 2082 to stream5 and http_inspect preprocessors
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC known malicious User-Agent observed in custom 
PowerShell"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"User-Agent: NMS."; 
fast_pattern:only; http_header; pcre:"/User-Agent\x3a\x20NMS\.[0-9]{1,2}\/[0-9]{60}\x20P\//H"; metadata:ruleset 
community, service http; classtype:trojan-activity; sid:8000302; rev:1;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: