Snort mailing list archives
Multiple signatures 012
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 27 Aug 2018 14:13:46 +0000
Hi,

Pcaps are available for all of the signatures except Win.Trojan.AppleJeus and Andr.Trojan.Triout. The Babylon RAT signatures posted earlier will hit FPs on traffic from/to Apple/Akamai. The signatures have been revised and are added below.

Have a good week.

YM

# --------------------
# Updates for SID 8000278-8000279 from 'Multiple signatures 011'.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Babylon RAT outbound connection"; flow:to_server,established; dsize:4; content:"|FF 9E FF|"; offset:1; depth:3; fast_pattern; metadata:ruleset community; classtype:trojan-activity; sid:8000278; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Babylon RAT inbound connection"; flow:to_client,established; dsize:8; content:"|FF 9E FF|"; offset:1; depth:3; fast_pattern; metadata:ruleset community; classtype:trojan-activity; sid:8000279; rev:2;)

# --------------------
# Date: 2018-08-24
# Title: Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
# Tests: syntax only
# Reference: https://securelist.com/operation-applejeus/87553/
# Confidence: low
# Notes:
# 1. Pivoting on the data leads to:
# - https://go.recordedfuture.com/hubfs/reports/cta-2018-0116.pdf
# - http://blogs.360.cn/post/apt-c-26.html
# 2. Added variation rules just in case.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AppleJeus outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/checkupdate.php"; fast_pattern:only; http_uri; content:"--jeus"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000280; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AppleJeus outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/checkupdate.php"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|api|22|"; http_client_body; content:"form-data|3B| name=|22|upload|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000281; rev:1;)

# --------------------
# Date: 2018-08-24
# Title: Triout – Spyware Framework for Android with Extensive Surveillance Capabilities
# Tests: syntax only
# Reference: https://labs.bitdefender.com/wp-content/uploads/downloads/triout-the-malware-framework-for-android-that-packs-potent-spyware-capabilities/
# Confidence: low
# Notes: No hashes available.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout outbound connection - Call Records"; flow:to_server,established; content:"call3.php"; fast_pattern:only; http_uri; content:"pid="; http_client_body; content:"&callid="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000282; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout outbound connection - SMS Records"; flow:to_server,established; content:"/script3.php"; fast_pattern:only; http_uri; content:"pid="; http_client_body; content:"&smsbody="; http_client_body; content:"&smssender="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000283; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout outbound connection - Call Log"; flow:to_server,established; content:"/calllog.php"; fast_pattern:only; http_uri; content:"pid="; http_client_body; content:"&callname="; http_client_body; content:"&callnum="; http_client_body; content:"&calldate="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000284; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout outbound connection - Camera Capture"; flow:to_server,established; content:"/uppc.php"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|uploaded_file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000285; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout outbound connection - Call Logs"; flow:to_server,established; content:"/upcal.php"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|uploaded_file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000286; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout outbound connection - GPS"; flow:to_server,established; content:"/gps3.php"; fast_pattern:only; http_uri; content:"pid="; http_client_body; content:"&lat="; http_client_body; content:"&long="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000287; rev:1;)

# --------------------
# Date: 2018-08-24
# Title: AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys
# Tests: pcap
# Reference: https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/
# Confidence: medium
# Notes:
# 1. The ransomware HTTP C&C does not contain HTTP version!
# 2. AZORult traffic matches on SID:8000261 sent in 'Multiple signatures 010' - 2018-08-20 -
# so it is not sig'ed here.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE outbound IP address check to geoplugin.net"; flow:to_server,established; urilen:7; content:"/php.gp"; fast_pattern:only; http_uri; content:"Host: www.geoplugin.net"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000288; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Aurora initial outbound connection"; flow:to_server,established; urilen:9; content:"GET /info.php|0D 0A|"; content:!"HTTP/"; distance:0; content:!"Referer"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000289; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Aurora generate encryption key outbound connection"; flow:to_server,established; content:".php?generate="; fast_pattern:only; http_uri; content:"&hwid="; http_uri; content:!"Referer"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000290; rev:1;)

# --------------------
# Date: 2018-08-25
# Title: Win.Trojan.Hancitor variant
# Tests: pcap
# Reference: Research
# Hashes:
# - 413202954fbb57bc469750647c82dd1bbccfa10aa12f7eb3c53561ad866bcec2 (dropper)
# - 31af1b2c498f4e71e25433465f3c12a28feccf8d5ac8deaa5479a3a55bf8c1d2 (Binary)
# - 5838243440750de7aa23e1a0c7c9b57422fc5e5088e982826e208e8cf3aa020e (Binary)
# Confidence: medium
# Notes: This is very similar to SID:39800, but we drop
# the URI altogether.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hancitor variant outbound connection"; flow:to_server,established; urilen:<20; content:".php"; http_uri; fast_pattern; content:"GUID="; depth:122; http_client_body; content:"BUILD="; depth:122; http_client_body; content:"INFO="; depth:122; http_client_body; content:"IP="; depth:122; http_client_body; content:"TYPE="; depth:122; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000291; rev:1;)

# --------------------
# Date: 2018-08-25
# Title: PowerShell Empire Listener Agent HTTP Requests
# Reference: Research
# - https://github.com/EmpireProject/Empire/blob/master/data/agent/agent.py
# - https://github.com/EmpireProject/Empire/wiki/RESTful-API
# Hashes:
# - 2e324187804c817bfb4ef270626ee25bd54e2e20e2c5f6a20a6df3d212ed807a
# Tests: pcap
# Confidence: medium
# Notes:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE PowerShell Empire outbound connection attempt"; flow:to_server,established; content:"GET /admin/get.php HTTP/1.1"; depth:27; content:"User-Agent: "; fast_pattern:only; content:!"Referer"; content:!"Content"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000292; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE PowerShell Empire outbound connection attempt"; flow:to_server,established; content:"GET /login/process.jsp HTTP/1.1"; depth:31; content:"User-Agent: "; fast_pattern:only; content:!"Referer"; content:!"Content"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000293; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE PowerShell Empire outbound connection attempt"; flow:to_server,established; content:"GET /news.asp HTTP/1.1"; depth:22; content:"User-Agent: "; fast_pattern:only; content:!"Referer"; content:!"Content"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000294; rev:1;)

# --------------------
# Date: 2018-08-25
# Title: Win.Trojan.Malex/Buzus variant
# Tests: pcap
# Reference: Research
# Hashes:
# - a7c544ee65fe3d31eaad3121b07cebec58dafac48f80f4647145e97396bfa05e
# - abae2f654c626c89990afa8e6f0e5627837e704df37d428814ad0dfcbff4bf0e
# Confidence: medium
# Notes: Added a couple of detection variants as it appears
# the URL query strings may change with variants.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious User-Agent - Win.Trojan.Malex/Buzus"; flow:to_server,established; content:"User-Agent: hackThemAll|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000295; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Malex/Buzus variant outbound connection"; flow:to_server,established; content:"/bots.php?"; fast_pattern:only; http_uri; content:"nome="; http_uri; content:"&os="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000296; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Malex/Buzus variant outbound connection"; flow:to_server,established; content:"/WebAdmin/"; http_uri; content:","; http_uri; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000297; rev:1;)

# --------------------
# Date: 2018-08-26
# Title: Win.Trojan.Lethic variant
# Tests: pcap
# Reference: Research
# Hashes:
# - 9d5fa7dd604bf25c57e95558f79c38269abe8fc3a2b9eb6fc9b1ec32c6bec3d1
# - 923d8ea6f8cfecc0dc2fab697bcfa51b58f4c8645b2c60ba699cb9bf8810117d
# Confidence: low
# Notes:
# 1. Not sure this is relevant but the samples are fairly recent.
# 2. Didn't sig the "Send Mail" command as it might be prone to FPs.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Lethic initial inbound request"; flow:to_client,established; dsize:5; content:"|00 00 00 00 06|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:8000298; rev:1;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Lethic initial outbound response"; flow:to_server,established; dsize:5; content:"|00 00 00 00 06|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:8000299; rev:1;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Lethic add mail server by IP address inbound request"; flow:to_client,established; dsize:11; content:"|00 01|"; offset:3; depth:2; fast_pattern; byte_test:2, =, 25, 9; metadata:ruleset community; classtype:trojan-activity; sid:8000300; rev:1;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Lethic receive feedback inbound request"; flow:to_client,established; dsize:6; content:"|00 13|"; offset:3; depth:2; fast_pattern; metadata:ruleset community; classtype:trojan-activity; sid:8000301; rev:1;)

# --------------------
# Date: 2018-08-26
# Title: Custom PowerShell User-Agent
# Tests: pcap via triage
# Reference: https://twitter.com/ItsReallyNick/status/1033413803470467072
# Hashes:
# - 9bd2c14baaf0c3088b3b03084850c2d4fd64c78ee15a88e6fb1b63bd33b513b9
# Notes:
# 1. Triaging on the data, we found another sample that is 12 days older:
# 1910f5ddb0fc0438a3e2a553c97559557898e6310bf7e37b13cf3013fd66ea75
# 2. Add 2082 to stream5 and http_inspect preprocessors
# Confidence: medium
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC known malicious User-Agent observed in custom PowerShell"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"User-Agent: NMS."; fast_pattern:only; http_header; pcre:"/User-Agent\x3a\x20NMS\.[0-9]{1,2}\/[0-9]{60}\x20P\//H"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000302; rev:1;)
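The non-HTTP rules in this post (Babylon RAT, Lethic) rely entirely on raw-payload options: dsize, a content match pinned with offset/depth, and byte_test. The Python below is an added illustration, not part of the post and not Snort's matching engine: it evaluates exactly that subset of options against sample bytes so that the window each rule inspects can be checked by hand before a pcap is replayed through Snort. It assumes Snort 2 semantics (depth is measured from offset; byte_test reads big-endian by default), copies SIDs 8000278 and 8000300 verbatim from the post, and uses constructed payloads that are not captures.

```python
"""Evaluate the payload-level options of a Snort 2 rule (dsize, content with
offset/depth, byte_test) against raw bytes.  Added illustration only; it covers
just the option subset the non-HTTP rules above use, not Snort's full engine."""
import operator

# byte_test comparison operators (subset); values are read big-endian, Snort's default
OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt, "!": operator.ne}

# Options that do not inspect the payload and are therefore skipped here
IGNORED = {"msg", "flow", "metadata", "classtype", "sid", "rev", "fast_pattern", "nocase"}

# Rules copied verbatim from the post (SIDs 8000278 and 8000300)
BABYLON_OUT = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Babylon RAT '
               'outbound connection"; flow:to_server,established; dsize:4; content:"|FF 9E FF|"; '
               'offset:1; depth:3; fast_pattern; metadata:ruleset community; '
               'classtype:trojan-activity; sid:8000278; rev:2;)')
LETHIC_ADD_MX = ('alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Lethic '
                 'add mail server by IP address inbound request"; flow:to_client,established; '
                 'dsize:11; content:"|00 01|"; offset:3; depth:2; fast_pattern; byte_test:2, =, 25, 9; '
                 'metadata:ruleset community; classtype:trojan-activity; sid:8000300; rev:1;)')

# Constructed sample payloads (not captures): only the bytes the rules inspect
# carry meaning, the rest is zero filler.
BABYLON_HIT = bytes([0x00, 0xFF, 0x9E, 0xFF])             # marker at offset 1, 4 bytes total
BABYLON_MISS = bytes([0xFF, 0x9E, 0xFF, 0x00])            # same marker, but at offset 0
LETHIC_HIT = b"\x00\x00\x00" + b"\x00\x01" + b"\x00" * 4 + (25).to_bytes(2, "big")
LETHIC_MISS = LETHIC_HIT[:-2] + (26).to_bytes(2, "big")   # 16-bit field at offset 9 is not 25


def split_options(rule: str) -> list:
    """Return (keyword, value) pairs from inside the rule's parentheses,
    splitting on ';' only outside double quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                key, _, val = tok.partition(":")
                pairs.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(ch)
    return pairs


def content_bytes(spec: str) -> bytes:
    """Decode a Snort content string such as 'ab|00 01|c' into bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def dsize_ok(spec: str, size: int) -> bool:
    """dsize:N, dsize:<N and dsize:>N."""
    if spec[0] in "<>":
        return OPS[spec[0]](size, int(spec[1:]))
    return size == int(spec)


def rule_matches(rule: str, payload: bytes) -> bool:
    """True when every supported payload option of `rule` holds for `payload`."""
    opts = split_options(rule)
    i = 0
    while i < len(opts):
        key, val = opts[i]
        i += 1
        if key in IGNORED:
            continue
        if key == "dsize":
            if not dsize_ok(val, len(payload)):
                return False
        elif key == "content":
            negate = val.startswith("!")
            pattern = content_bytes(val.lstrip("!").strip('"'))
            offset, depth = 0, None
            # offset/depth modify the content keyword they follow; the search
            # window starts at offset and, with depth, is depth bytes long
            while i < len(opts) and opts[i][0] in ("offset", "depth", "fast_pattern", "nocase"):
                mk, mv = opts[i]
                if mk == "offset":
                    offset = int(mv)
                elif mk == "depth":
                    depth = int(mv)
                i += 1
            window = payload[offset:] if depth is None else payload[offset:offset + depth]
            if (pattern in window) == negate:
                return False
        elif key == "byte_test":
            # byte_test:<bytes>, <operator>, <value>, <offset>  (absolute offset, big-endian)
            nbytes, op, value, off = [p.strip() for p in val.split(",")[:4]]
            field = payload[int(off):int(off) + int(nbytes)]
            if len(field) < int(nbytes) or not OPS[op](int.from_bytes(field, "big"), int(value)):
                return False
        else:
            raise NotImplementedError(f"option {key!r} is outside this example's subset")
    return True


if __name__ == "__main__":
    for name, rule, pl in [("babylon hit", BABYLON_OUT, BABYLON_HIT), ("babylon miss", BABYLON_OUT, BABYLON_MISS),
                           ("lethic hit", LETHIC_ADD_MX, LETHIC_HIT), ("lethic miss", LETHIC_ADD_MX, LETHIC_MISS)]:
        print(f"{name}: {rule_matches(rule, pl)}")
```

The HTTP-buffer rules in the post (http_uri, http_client_body, http_header, urilen, pcre, distance) deliberately raise NotImplementedError here: those options match against buffers produced by the http_inspect preprocessor, not the raw payload, so the only meaningful test for them is the pcap replay through Snort that the post's "Tests:" lines refer to. The evaluator is useful for the raw-byte rules precisely because it makes the offset/depth window explicit: in SID 8000278 the 3-byte marker must sit in bytes 1..3 of a 4-byte segment, and a segment with the same marker at byte 0 does not alert.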