Snort mailing list archives
Re: Multiple signatures 014
From: Marcos Rodriguez via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 12 Sep 2018 13:25:44 -0400
On Wed, Sep 12, 2018 at 1:03 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

Pcaps and ClamAV/Yara signatures are available for the majority of the cases below.

Thanks.
YM

# --------------------
# Date: 2018-08-29
# Title: A walk through the AcridRain Stealer
# Reference: Triage from: https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/
# Tests: pcap
# Yara:
# - MALWARE_Win_Trojan_AcridRain
# ClamAV:
# - MALWARE_Win.Trojan.AcridRain
# Hashes (triage):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AcridRain outbound connection"; flow:to_server,established; content:"/Upload/"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|file|22|"; http_client_body; content:"form-data|3B| name=|22|id|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000311; rev:1;)

# --------------------
# Date: 2018-09-02
# Title: Win.Trojan.Arkei (a.k.a Win.Trojan.Nocturnal?)
# Reference: Research
# Tests: pcap
# Yara:
# - MALWARE_Win_Trojan_Nocturnal
# ClamAV:
# - MALWARE_Win.Trojan.Nocturnal
# Hashes:
# - 0892104dceefa48f5fac31d030432689ee151ab577f0e1e0f2d6676238a70de9
# - 5283b968056136a34c2e89c352c02c5b4422a5aa75b261a2f7713f24ad56abc5
# - bae982b9b1712e05f2fad90e0227bb21341eac9766a395641f07c22c3368debe
# Notes: HTTP POST traffic partially matches SID:8000096 - Win.Trojan.Nocturnal submitted a while back.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious User-Agent - Win.Trojan.Nocturnal/Arkei"; flow:to_server,established; content:"User-Agent: Arkei/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000322; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nocturnal/Arkei outbound connection"; flow:to_server,established; content:"/server/grubConfig"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000323; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nocturnal/Arkei outbound connection"; flow:to_server,established; content:"/server/gate"; fast_pattern:only; http_uri; content:"name=|22|hwid|22|"; http_client_body; content:"name=|22|os|22|"; http_client_body; content:"name=|22|platform|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000324; rev:1;)

# --------------------
# Date: 2018-09-02
# Title: PowerPool malware exploits ALPC LPE zero-day vulnerability
# Reference: Triage from: https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/
# Tests: pcap + sandbox
# Yara:
# - MALWARE_Win_Trojan_PowerPool_Stage_1
# - MALWARE_Win_Trojan_PowerPool_Stage_2
# ClamAV:
# - MALWARE_Win.Trojan.PowerPool_Stage_1
# - MALWARE_Win.Trojan.PowerPool_Stage_2
# Hashes:
# Notes:
# 1. Triage on C&C and Yara revealed additional samples.
# 2. Sandbox execution reveals C&C not mentioned in original reference.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool first stage outbound connection attempt"; flow:to_server,established; content:"/?id="; http_uri; content:"&info="; distance:16; fast_pattern; http_uri; content:!"Accept-"; http_header; content:!"Referer"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000329; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool second stage heartbeat outbound connection attempt"; flow:to_server,established; urilen:6; content:"/heart"; http_uri; fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )"; http_header; content:"|22|sessionid|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000330; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool second stage execute command outbound connection"; flow:to_server,established; urilen:8; content:"/cmdpool"; http_uri; fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )"; http_header; content:"|22|dos|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000331; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool second stage list directory outbound connection"; flow:to_server,established; urilen:8; content:"/cmdpool"; http_uri; fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )"; http_header; content:"|22|folder|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000332; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE outbound IP address check to l2.io"; flow:to_server,established; urilen:3; content:"/ip"; fast_pattern:only; http_uri; content:"Host: www.l2.io"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000333; rev:1;)

# --------------------
# Date: 2018-09-08
# Title: CVE-2018-5002 Exploit/Infection Chain
# Reference:
# - https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack
# - https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/
# Tests: pcap
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; content:"/doc?token="; fast_pattern:only; http_uri; content:"x-flash-version"; http_header; content:!"Referer"; http_header; pcre:"/\/doc\x3ftoken\x3d[a-f0-9]{32}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000334; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<70; content:"/stab/"; fast_pattern:only; http_uri; content:".png?x="; http_uri; content:"Referer"; http_header; content:"x-flash-version"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000335; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<45; content:"POST"; http_method; content:"/download/"; http_uri; content:"Referer"; http_header; content:"x-flash-version"; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; pcre:"/\/download\/[a-f0-9]{32}\/$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000336; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<40; content:"POST"; http_method; content:"/log/"; http_uri; content:"Content-Type: text/plain"; http_header; pcre:"/\/log\/[a-f0-9]{32}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000337; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<40; content:"POST"; http_method; content:"/home/"; http_uri; content:"Content-Type: text/plain"; http_header; pcre:"/\/home\/[a-f0-9]{32}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000338; rev:1;)

# --------------------
# Date: 2018-09-08
# Title: OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
# Reference:
# - https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/
# Tests: syntax only
# Notes:
# - Computer name maximum allowed length (CN) = 63 > (Win7/Win10)
# - User name maximum allowed length (UN) = 20 > (Win7/Win10)
# - Separator (SP, \) = 1
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<90; content:"/khc?"; depth:5; http_uri; content:"|5C|"; http_uri; pcre:"/\/khc\?[A-F0-9]{3,84}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000339; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<91; content:"/tahw?"; depth:6; http_uri; content:"|5C|"; http_uri; pcre:"/\/tahw\?[A-F0-9]{3,84}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000340; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<1100; content:"/pser?"; depth:6; http_uri; content:"|5C|"; http_uri; pcre:"/\/pser\?[A-F0-9]{3,84}(BBZ|BBY)[A-F0-9]{0,1000}/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000341; rev:1;)

# --------------------
# Date: 2018-08-29
# Title: Click me if you can, Office social engineering with embedded objects
# Reference: https://securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html
# Tests: pcap (file2pcap)
# Yara:
# - FILE_OFFICE_RTF_Shell_Explorer_Execution
# - FILE_OFFICE_RTF_Forms_HTML_Execution
# ClamAV:
# - FILE_OFFICE_OLE_Shell_Explorer_Execution
# - FILE_OFFICE_ActiveX_Forms_HTML_Execution
# Notes:
# 1. Documents were converted to RTF and they appear to achieve the same behavior when opened with Word.
# 2. First 6 signatures in this set match what is observed in the generated files.
# 3. Remaining signatures target Forms.HTML:* variants for referencing HTTP URLs instead of file URLs.
# 4. ClamAV signatures don't care if the files are RTF or other.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Shell.Explorer.1 CLSID referencing embedded LNK file with remote content"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"c32ab2eac130cf11a7eb0000c05bae0b"; nocase; fast_pattern:only; content:"4c00000001140200"; nocase; content:"6800740074007000"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000312; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Shell.Explorer.1 CLSID referencing embedded LNK file with remote content"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"c32ab2eac130cf11a7eb0000c05bae0b"; nocase; fast_pattern:only; content:"4c00000001140200"; nocase; content:"6800740074007000"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000313; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing executable file URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000314; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing executable file URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000315; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing executable file URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000316; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing executable file URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000317; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing HTTP URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000318; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing HTTP URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000319; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing HTTP URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000320; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing HTTP URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000321; rev:1;)

# --------------------
# Date: 2018-09-03
# Title: Ruler is a tool for interacting with Exchange servers remotely with the aim of abusing client-side Outlook features and gain a shell remotely.
# Reference: Research
# - https://github.com/sensepost/ruler
# - https://attack.mitre.org/wiki/Technique/T1190
# - https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1046
# Tests: syntax only
alert tcp any any -> $HOME_NET 80 (msg:"INDICATOR-SCAN Ruler interaction attempt"; flow:to_server,established; content:"User-Agent: ruler|0D 0A|"; fast_pattern:only; http_header; content:"/autodiscover/autodiscover.xml"; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/wiki/Technique/T1027; classtype:web-application-activity; sid:8000327; rev:1;)
Hi Yaser,

Thanks for these submissions, we'll get these into our testing process and get back to you as soon as possible. We'd appreciate any pcaps you'd be willing to share.

Thanks again!

--
Marcos Rodriguez
Cisco Talos
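As an added example that is neither part of the submission nor Snort code, the Python below parses the URI-side options (urilen, http_method and http_uri contents, and the /U pcre) out of two of the CVE-2018-5002 rules quoted above and evaluates constructed request lines against them, which is a quick way to see how the pcre and urilen tighten what the content match alone would accept before a pcap is available. The rule strings are copied from the submission; the test URIs are constructed, and depth/offset, negated contents and non-URI buffers are deliberately not modelled.

```python
import re

# Two rules copied from the submission above (sid 8000334 and 8000336), split over
# several literals only for width; everything else in this file is added example code.
RULES = [
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 '
    r'infection chain detected"; flow:to_server,established; content:"/doc?token="; '
    r'fast_pattern:only; http_uri; content:"x-flash-version"; http_header; '
    r'content:!"Referer"; http_header; pcre:"/\/doc\x3ftoken\x3d[a-f0-9]{32}$/U"; '
    r'metadata:ruleset community, service http; classtype:trojan-activity; sid:8000334; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 '
    r'infection chain detected"; flow:to_server,established; urilen:<45; content:"POST"; '
    r'http_method; content:"/download/"; http_uri; content:"Referer"; http_header; '
    r'content:"x-flash-version"; http_header; '
    r'content:"Content-Type: application/x-www-form-urlencoded"; http_header; '
    r'pcre:"/\/download\/[a-f0-9]{32}\/$/U"; metadata:ruleset community, service http; '
    r'classtype:trojan-activity; sid:8000336; rev:1;)',
]

def decode_content(s):
    """Expand Snort |3B|-style hex escapes in a content pattern into characters."""
    return re.sub(r"\|([0-9A-Fa-f ]+)\|",
                  lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), s)

def parse_rule(rule):
    """Pull sid, urilen, http_method/http_uri contents and the /U pcre out of a Snort 2 rule.
    Negated contents (content:!), depth/offset/distance and non-URI buffers are ignored."""
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    parsed = {"sid": int(re.search(r"sid:(\d+);", opts).group(1)),
              "urilen": None, "uri": [], "method": [], "pcre": None}
    m = re.search(r"urilen:([<>])?(\d+);", opts)
    if m:
        parsed["urilen"] = (m.group(1) or "=", int(m.group(2)))
    # each content option together with the modifiers that follow it, up to the next content
    for m in re.finditer(r'content:"([^"]*)";((?:\s*(?!content\b)[a-z_]+(?::[^;]*)?;)*)', opts):
        pattern, mods = decode_content(m.group(1)), m.group(2)
        if "http_uri;" in mods:
            parsed["uri"].append(pattern)
        if "http_method;" in mods:
            parsed["method"].append(pattern)
    m = re.search(r'pcre:"/([^"]*)/([A-Za-z]*)";', opts)
    if m and "U" in m.group(2):  # /U: evaluate against the normalised URI buffer
        parsed["pcre"] = re.compile(m.group(1), re.I if "i" in m.group(2) else 0)
    return parsed

def request_matches(parsed, uri, method="GET"):
    """Apply the parsed URI-side checks to one constructed request line (method + URI)."""
    if parsed["urilen"]:
        op, n = parsed["urilen"]
        if not {"<": len(uri) < n, ">": len(uri) > n, "=": len(uri) == n}[op]:
            return False
    if any(p != method for p in parsed["method"]) or not all(p in uri for p in parsed["uri"]):
        return False
    return parsed["pcre"] is None or parsed["pcre"].search(uri) is not None
```

request_matches(parse_rule(RULES[1]), "/download/" + "0" * 32 + "/", "POST") returns True, while the same URI sent with GET, without the trailing slash, or padded to 45 characters returns False.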