
Re: Multiple signatures 014


From: Marcos Rodriguez via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 12 Sep 2018 13:25:44 -0400

On Wed, Sep 12, 2018 at 1:03 PM, Y M via Snort-sigs <
snort-sigs () lists snort org> wrote:

Hi,

Pcaps and ClamAV/Yara signatures are available for the majority of the
cases below.

Thanks.
YM

# --------------------
# Date: 2018-08-29
# Title: A walk through the AcridRain Stealer
# Reference: Triage from: https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/
# Tests: pcap
# Yara:
#    - MALWARE_Win_Trojan_AcridRain
# ClamAV:
#    - MALWARE_Win.Trojan.AcridRain
# Hashes (triage):
#    - fb9581e5432392c7fac47b5883a381659345c08d3c26764e689f3110d5d6be53
#    - 009d46cbfb0e8796ed754a18020491b1a1e6a3dccbdc2f8843cbace9def60896
#    - 3d28392d2dc1292a95b6d8f394c982844a9da0cdd84101039cf6ca3cf9874c1c
#    - 56c73dbd50d9161476b904f542491b6f27c6a42fccd661a3032ab1e01b0ca8f5
#    - 769df72c4c32e94190403d626bd9e46ce0183d3213ecdf42c2725db9c1ae960b
#    - 7afa4e20058a95dec77629f22195a0d9af796fa2dfadf0ce73786e46654ea8b7
#    - 7b045eec693e5598b0bb83d21931e9259c8e4825c24ac3d052254e4925738b43
#    - 80217425c6fd2f588a42121ff061b085fd26510e9b9b44bfee8a3c693425ed3c
#    - 80c6632fac75e4b5769e11f1ee5603821e73a0bacff8300c7373220f20f3535a
#    - 8fffaaaae976e558ee64f1f7d2e3670c19497c5b78e9a59c3ccc37c9ae177c66
#    - b78c78477cd7f5a0571a5db6fd0062e25f8659a9d7b428b7709d8d587c11b453
#    - db8f74ebd5ddd43f07f580ee72c2e18fb3f9ab7465479b2a81c366df4509375f
#    - fdf613b16fc7025ec8f3a8833064c8feb292a7cc103f7c10f1133c9832f2d3fd

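# MALWARE-CNC Win.Trojan.AcridRain (sid 8000311): outbound multipart upload.
# Fast-pattern "/Upload/" in the normalized URI, then the two multipart part
# headers 'form-data; name="file"' and 'form-data; name="id"' in the client
# body (|3B| is ';', |22| is '"'). The list archive wrapped the rule inside
# those two content strings; the space after |3B| is restored here so the
# rule loads and matches the standard "form-data; name=" header layout.
# Defender note: the URI and field names are generic; validate against the
# pcap and expect some noise from legitimate file-upload forms.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AcridRain outbound connection"; flow:to_server,established; content:"/Upload/"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|file|22|"; http_client_body; content:"form-data|3B| name=|22|id|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000311; rev:1;)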

# --------------------
# Date: 2018-09-02
# Title: Win.Trojan.Arkei (a.k.a Win.Trojan.Nocturnal?)
# Reference: Research
# Tests: pcap
# Yara:
#    - MALWARE_Win_Trojan_Nocturnal
# ClamAV:
#    - MALWARE_Win.Trojan.Nocturnal
# Hashes:
#    - 0892104dceefa48f5fac31d030432689ee151ab577f0e1e0f2d6676238a70de9
#    - 5283b968056136a34c2e89c352c02c5b4422a5aa75b261a2f7713f24ad56abc5
#    - bae982b9b1712e05f2fad90e0227bb21341eac9766a395641f07c22c3368debe
# Notes: HTTP POST traffic partially matches SID:8000096 - Win.Trojan.Nocturnal, submitted a while back.

# MALWARE-CNC Win.Trojan.Nocturnal/Arkei (sid 8000322): User-Agent match.
# One fast-pattern content, "User-Agent: Arkei/", in the HTTP header buffer
# of client-to-server traffic. There are no URI or body constraints, so
# detection rests entirely on that UA prefix; sids 8000323/8000324 cover
# the URIs for the same family.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
known malicious User-Agent - Win.Trojan.Nocturnal/Arkei";
flow:to_server,established; content:"User-Agent: Arkei/";
fast_pattern:only; http_header; metadata:ruleset community, service http;
classtype:trojan-activity; sid:8000322; rev:1;)

# MALWARE-CNC Win.Trojan.Nocturnal/Arkei (sid 8000323): C2 URI match.
# Single fast-pattern content "/server/grubConfig" in the normalized URI,
# no header or body constraints. Sibling of sid 8000324 (/server/gate).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Nocturnal/Arkei outbound connection";
flow:to_server,established; content:"/server/grubConfig";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:trojan-activity; sid:8000323; rev:1;)

# MALWARE-CNC Win.Trojan.Nocturnal/Arkei (sid 8000324): C2 check-in.
# Fast-pattern "/server/gate" in the URI plus three multipart field names
# (hwid, os, platform; |22| is '"') in the client body. The body contents
# carry no distance/within, so their order in the body is not enforced.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Nocturnal/Arkei outbound connection";
flow:to_server,established; content:"/server/gate"; fast_pattern:only;
http_uri; content:"name=|22|hwid|22|"; http_client_body;
content:"name=|22|os|22|"; http_client_body; content:"name=|22|platform|22|";
http_client_body; metadata:ruleset community, service http;
classtype:trojan-activity; sid:8000324; rev:1;)

# --------------------
# Date: 2018-09-02
# Title: PowerPool malware exploits ALPC LPE zero-day vulnerability
# Reference: Triage from: https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/
# Tests: pcap + sandbox
# Yara:
#    - MALWARE_Win_Trojan_PowerPool_Stage_1
#    - MALWARE_Win_Trojan_PowerPool_Stage_2
# ClamAV:
#    - MALWARE_Win.Trojan.PowerPool_Stage_1
#    - MALWARE_Win.Trojan.PowerPool_Stage_2
# Hashes:
#    1st_stage:
#        - 035f97af0def906fbd8f7f15fb8107a9e852a69160669e7c0781888180cd46d5
#        - 8c2e729bc086921062e214b7e4c9c4ddf324a0fa53b4ed106f1341cfe8274fe4
#        - 8c32d6f2408115476c5552a4e3e86a3cc5e7148cc0111a4b464509461f3c0d20
#        - fb05c7b6087ebaf129036639e3cd9cd199ab450d69c2faac4a51064c1505334d
#    2nd_stage:
#        - 58a50840c04cd15f439f1cc1b684e9f9fa22c0d64f44a391d9e2b1222e5cd6bd
#        - af2abf0748013a7084507f8e96f6e7c21a3f962fbbb148dcbb482a98c06940a1
# Notes:
#    1. Triage on C&C and Yara revealed additional samples.
#    2. Sandbox execution reveals C&C not mentioned in original reference.

# MALWARE-CNC Win.Trojan.PowerPool stage 1 (sid 8000329).
# URI "/?id=" followed by "&info=" exactly 16 bytes later: distance:16 is
# relative to the end of the previous content, so the id value is assumed
# to be 16 bytes long -- confirm against the pcap before relying on it.
# The three negated header contents drop requests carrying Accept-*,
# Referer or Content-* headers, presumably to separate the stager's minimal
# header set from browser traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.PowerPool first stage outbound connection attempt";
flow:to_server,established; content:"/?id="; http_uri; content:"&info=";
distance:16; fast_pattern; http_uri; content:!"Accept-"; http_header;
content:!"Referer"; http_header; content:!"Content"; http_header;
metadata:ruleset community, service http; classtype:trojan-activity;
sid:8000329; rev:1;)

# MALWARE-CNC Win.Trojan.PowerPool stage 2 heartbeat (sid 8000330).
# Exact 6-byte URI "/heart" (urilen:6 plus the fast-pattern content), the
# User-Agent "Mozilla/4.0 (compatible|3b| )" (|3b| is ';', i.e. an empty
# token after "compatible"), and a quoted "sessionid" key in the client
# body. The same UA/body shape is used by sids 8000331 and 8000332.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.PowerPool second stage heartbeat outbound connection attempt";
flow:to_server,established; urilen:6; content:"/heart"; http_uri;
fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )";
http_header; content:"|22|sessionid|22|"; http_client_body;
metadata:ruleset community, service http; classtype:trojan-activity;
sid:8000330; rev:1;)

# MALWARE-CNC Win.Trojan.PowerPool stage 2 command execution (sid 8000331).
# Exact 8-byte URI "/cmdpool", the "(compatible|3b| )" User-Agent shared
# with sid 8000330, and a quoted "dos" key in the client body. sid 8000332
# is the same rule keyed on "folder" instead of "dos".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.PowerPool second stage execute command outbound connection";
flow:to_server,established; urilen:8; content:"/cmdpool"; http_uri;
fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )";
http_header; content:"|22|dos|22|"; http_client_body; metadata:ruleset
community, service http; classtype:trojan-activity; sid:8000331; rev:1;)

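# MALWARE-CNC Win.Trojan.PowerPool stage 2 directory listing (sid 8000332).
# Exact 8-byte URI "/cmdpool", the "(compatible|3b| )" User-Agent shared
# with sids 8000330/8000331, and a quoted "folder" key in the client body.
# The submitted msg read "lsit directory"; corrected to "list directory" so
# the alert name matches the rule's purpose. Detection logic is unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool second stage list directory outbound connection"; flow:to_server,established; urilen:8; content:"/cmdpool"; http_uri; fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )"; http_header; content:"|22|folder|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000332; rev:1;)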

# INDICATOR-COMPROMISE external IP lookup via l2.io (sid 8000333).
# Exact 3-byte URI "/ip" with a "Host: www.l2.io" header; a request to the
# bare "l2.io" host would not match. Presumably one of the C&C-adjacent
# contacts seen in the sandbox runs mentioned in the notes above.
# NOTE(review): the service is public and legitimate software may query it,
# so correlate this alert with the PowerPool sids rather than acting on it
# alone; classtype:policy-other may fit an indicator better than
# trojan-activity.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"INDICATOR-COMPROMISE outbound IP address check to l2.io";
flow:to_server,established; urilen:3; content:"/ip"; fast_pattern:only;
http_uri; content:"Host: www.l2.io"; http_header; metadata:ruleset
community, service http; classtype:trojan-activity; sid:8000333; rev:1;)

# --------------------
# Date: 2018-09-08
# Title: CVE-2018-5002 Exploit/Infection Chain
# Reference:
#    - https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack
#    - https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/
# Tests: pcap

# MALWARE-OTHER CVE-2018-5002 chain, document request (sid 8000334).
# Fast-pattern "/doc?token=" in the URI, refined by the pcre to a 32-char
# lowercase-hex token ending the normalized URI (/U). Requires an
# x-flash-version header and no Referer, presumably to tie the request to
# the Flash runtime rather than a browser navigation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
CVE-2018-5002 infection chain detected"; flow:to_server,established;
content:"/doc?token="; fast_pattern:only; http_uri;
content:"x-flash-version"; http_header; content:!"Referer"; http_header;
pcre:"/\/doc\x3ftoken\x3d[a-f0-9]{32}$/U"; metadata:ruleset community,
service http; classtype:trojan-activity; sid:8000334; rev:1;)

# MALWARE-OTHER CVE-2018-5002 chain, image fetch (sid 8000335).
# URI shorter than 70 bytes containing "/stab/" (fast pattern) and
# ".png?x=", with both a Referer and an x-flash-version header present.
# The two URI contents carry no relative modifiers, so their order in the
# URI is not enforced.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
CVE-2018-5002 infection chain detected"; flow:to_server,established;
urilen:<70; content:"/stab/"; fast_pattern:only; http_uri;
content:".png?x="; http_uri; content:"Referer"; http_header;
content:"x-flash-version"; http_header; metadata:ruleset community, service
http; classtype:trojan-activity; sid:8000335; rev:1;)

# MALWARE-OTHER CVE-2018-5002 chain, payload download (sid 8000336).
# POST with a URI under 45 bytes matching "/download/<32 hex>/" at the end
# of the normalized URI, plus a Referer, an x-flash-version header and a
# form-urlencoded Content-Type. No fast_pattern is declared, so by default
# Snort selects the longest content (the Content-Type header) for the
# fast-pattern matcher.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
CVE-2018-5002 infection chain detected"; flow:to_server,established;
urilen:<45; content:"POST"; http_method; content:"/download/"; http_uri;
content:"Referer"; http_header; content:"x-flash-version"; http_header;
content:"Content-Type: application/x-www-form-urlencoded"; http_header;
pcre:"/\/download\/[a-f0-9]{32}\/$/U"; metadata:ruleset community,
service http; classtype:trojan-activity; sid:8000336; rev:1;)

# MALWARE-OTHER CVE-2018-5002 chain, log beacon (sid 8000337).
# POST with a URI under 40 bytes matching "/log/<32 hex>" at the end of the
# normalized URI and a text/plain Content-Type. Sibling of sid 8000338,
# which keys on "/home/" with the same shape.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
CVE-2018-5002 infection chain detected"; flow:to_server,established;
urilen:<40; content:"POST"; http_method; content:"/log/"; http_uri;
content:"Content-Type: text/plain"; http_header;
pcre:"/\/log\/[a-f0-9]{32}$/U"; metadata:ruleset community, service http;
classtype:trojan-activity; sid:8000337; rev:1;)

# MALWARE-OTHER CVE-2018-5002 chain, home beacon (sid 8000338).
# POST with a URI under 40 bytes matching "/home/<32 hex>" at the end of
# the normalized URI and a text/plain Content-Type. Sibling of sid 8000337
# (/log/). All five chain rules share one msg text, so tune on sid when
# triaging.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
CVE-2018-5002 infection chain detected"; flow:to_server,established;
urilen:<40; content:"POST"; http_method; content:"/home/"; http_uri;
content:"Content-Type: text/plain"; http_header;
pcre:"/\/home\/[a-f0-9]{32}$/U"; metadata:ruleset community, service
http; classtype:trojan-activity; sid:8000338; rev:1;)

# --------------------
# Date: 2018-09-08
# Title: OilRig targets a Middle Eastern Government and Adds Evasion
Techniques to OopsIE
# Reference:
#    - https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/
# Tests: syntax only
# Notes:
#    - Computer name maximum allowed length (CN) = 63 > (Win7/Win10)
#    - User name maximum allowed length (UN) = 20     > (Win7/Win10)
#    - Separator (SP, \) = 1

# MALWARE-CNC Win.Trojan.OilRig variant (sid 8000339), tested syntax-only.
# URI under 90 bytes starting with "/khc?" (depth:5), a raw backslash
# (|5C|) somewhere in the normalized URI, and a pcre requiring 3-84
# uppercase hex chars from "/khc?" to the end of the URI (84 = CN 63 +
# separator 1 + UN 20 per the notes above).
# NOTE(review): with "/khc?" pinned at offset 0 and the pcre allowing only
# [A-F0-9] from there to end-of-URI, no position remains for the |5C|
# byte, so the three conditions look mutually exclusive unless the URI
# holds a second "/khc?" segment. Confirm against a real sample before
# deploying; the same question applies to sid 8000340.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.OilRig variant outbound connection attempt";
flow:to_server,established; urilen:<90; content:"/khc?"; depth:5; http_uri;
content:"|5C|"; http_uri; pcre:"/\/khc\?[A-F0-9]{3,84}$/U";
metadata:ruleset community, service http; classtype:trojan-activity;
sid:8000339; rev:1;)

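# MALWARE-CNC Win.Trojan.OilRig variant (sid 8000340), tested syntax-only.
# Same shape as sid 8000339 with the "/tahw?" prefix: urilen:<91 (one byte
# more than 8000339, matching the one-byte-longer prefix), "/tahw?" at
# depth:6, a raw backslash (|5C|) in the URI, and 3-84 uppercase hex chars
# to the end of the normalized URI.
# The submitted pcre began with "\/chk\?", which does not refine the
# "/tahw?" content next to it and would only match a separate "/chk?"
# segment later in the URI; sids 8000339 and 8000341 use the same prefix in
# content and pcre, so this reads as a copy/paste slip. Corrected to
# "\/tahw\?".
# NOTE(review): as in sid 8000339, a URI that starts with the prefix cannot
# satisfy both the |5C| content and a hex-only pcre tail that runs to
# end-of-URI -- verify against a sample.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<91; content:"/tahw?"; depth:6; http_uri; content:"|5C|"; http_uri; pcre:"/\/tahw\?[A-F0-9]{3,84}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000340; rev:1;)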

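# MALWARE-CNC Win.Trojan.OilRig variant (sid 8000341), tested syntax-only.
# URI under 1100 bytes starting with "/pser?" (depth:6), a raw backslash
# (|5C|) in the URI, and a pcre for 3-84 uppercase hex chars, a "BBZ" or
# "BBY" marker, then up to 1000 more hex chars (6 + 84 + 3 + 1000 = 1093,
# consistent with urilen:<1100).
# The submitted tail quantifier was "{,1000}". Classic PCRE (the library
# Snort 2.9 links against) does not recognise a brace group without a lower
# bound as a quantifier and matches it as the literal text "{,1000}", so
# the rule would have required those seven characters in the URI.
# Corrected to "{0,1000}".
# Unlike its siblings this pcre is not end-anchored, so the |5C| content
# can be satisfied by bytes following the hex tail.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<1100; content:"/pser?"; depth:6; http_uri; content:"|5C|"; http_uri; pcre:"/\/pser\?[A-F0-9]{3,84}(BBZ|BBY)[A-F0-9]{0,1000}/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000341; rev:1;)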

# --------------------
# Date: 2018-08-29
# Title: Click me if you can, Office social engineering with embedded
objects
# Reference: https://securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html
# Tests: pcap (file2pcap)
# Yara:
#     - FILE_OFFICE_RTF_Shell_Explorer_Execution
#     - FILE_OFFICE_RTF_Forms_HTML_Execution
# ClamAV:
#     - FILE_OFFICE_OLE_Shell_Explorer_Execution
#     - FILE_OFFICE_ActiveX_Forms_HTML_Execution
# Notes:
#    1. Documents were converted to RTF and they appear to achieve the
same behavior when opened with Word.
#    2. First 6 signatures in this set match what is observed in the
generated files.
#    3. Remaining signatures target Forms.HTML:* variants for referencing HTTP URLs instead of file URLs.
#    4. ClamAV signatures don't care if the files are RTF or other.

# FILE-OFFICE RTF Shell.Explorer.1 CLSID + embedded LNK with remote URL
# (sid 8000312, HTTP download direction).
# Gated on the file.rtf flowbit (set by a file-type rule not on this page),
# then in file_data: the CLSID as little-endian hex (fast pattern; bytes
# c32ab2ea c130 cf11 a7eb 0000c05bae0b appear to be
# {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}, Shell.Explorer.1), the hex
# "4c00000001140200" (presumably the 0x4C header length and start of the
# LNK class id), and "6800740074007000" = "http" in UTF-16LE.
# The three contents carry no distance/within, so they may match anywhere
# in the file in any order. The reference URL is wrapped here by the list
# archive; it is one option on one line in the loadable rule.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE RTF Shell.Explorer.1 CLSID referencing embedded LNK file
with remote content"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"c32ab2eac130cf11a7eb0000c05bae0b"; nocase;
fast_pattern:only; content:"4c00000001140200"; nocase;
content:"6800740074007000"; metadata:ruleset community, service http;
reference:url,securify.nl/blog/SFY20180801/click-me-if-
you-can_-office-social-engineering-with-embedded-objects.html;
classtype:attempted-user; sid:8000312; rev:1;)

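# FILE-OFFICE RTF Shell.Explorer.1 CLSID + embedded LNK with remote URL
# (sid 8000313, SMTP direction). Same detection as sid 8000312: file.rtf
# flowbit, then the CLSID hex (fast pattern), the LNK header hex and "http"
# in UTF-16LE, all unordered in file_data.
# The submitted header was "$EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS
# 25". An SMTP client connects from an ephemeral source port, so limiting
# the source to $FILE_DATA_PORTS (typically $HTTP_PORTS,110,143) would keep
# the rule from ever matching mail delivery; the source port is changed to
# "any", the usual form for to-server SMTP file rules. Adjust if your
# $FILE_DATA_PORTS variable is defined differently.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Shell.Explorer.1 CLSID referencing embedded LNK file with remote content"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"c32ab2eac130cf11a7eb0000c05bae0b"; nocase; fast_pattern:only; content:"4c00000001140200"; nocase; content:"6800740074007000"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000313; rev:1;)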

# FILE-OFFICE RTF Forms.HTML:Image.1 CLSID + file: URL to an .exe
# (sid 8000314, HTTP download direction).
# Gated on the file.rtf flowbit, then in file_data: the CLSID hex
# 12d11255 c65c cf11 8d67 00aa00bdce1d (appears to be
# {5512D112-5CC6-11CF-8D67-00AA00BDCE1D}, Forms.HTML:Image.1),
# "660069006c0065003a" = "file:" in UTF-16LE, and "6500780065" = "exe" in
# UTF-16LE minus its final null byte.
# No fast_pattern is declared and the contents carry no relative modifiers,
# so the short all-digit "6500780065" can match anywhere in a large hex
# blob -- expect some noise. The reference URL is wrapped by the archive.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing executable file
URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"12d11255c65ccf118d6700aa00bdce1d"; nocase;
content:"660069006c0065003a"; nocase; content:"6500780065";
metadata:ruleset community, service http; reference:url,securify.nl/
blog/SFY20180801/click-me-if-you-can_-office-social-
engineering-with-embedded-objects.html; classtype:attempted-user;
sid:8000314; rev:1;)

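# FILE-OFFICE RTF Forms.HTML:Image.1 CLSID + file: URL to an .exe
# (sid 8000315, SMTP direction). Same detection as sid 8000314: file.rtf
# flowbit, the Forms.HTML:Image.1 CLSID hex, "file:" in UTF-16LE and "exe"
# in UTF-16LE (minus the final null), all unordered in file_data.
# The submitted header constrained the source port to $FILE_DATA_PORTS; an
# SMTP client uses an ephemeral source port, so that header would not
# match mail delivery. Changed to "any", the usual form for to-server SMTP
# file rules; adjust if your $FILE_DATA_PORTS variable differs.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing executable file URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000315; rev:1;)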

# FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID + file: URL to an .exe
# (sid 8000316, HTTP download direction).
# Identical to sid 8000314 except for the CLSID hex 10d11255 c65c cf11 8d67
# 00aa00bdce1d (appears to be {5512D110-5CC6-11CF-8D67-00AA00BDCE1D},
# Forms.HTML:Submission.1). "660069006c0065003a" = "file:" in UTF-16LE,
# "6500780065" = "exe" in UTF-16LE minus its final null byte.
# No fast_pattern and no relative modifiers, so the contents match anywhere
# in the file in any order.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing executable
file URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"10d11255c65ccf118d6700aa00bdce1d"; nocase;
content:"660069006c0065003a"; nocase; content:"6500780065";
metadata:ruleset community, service http; reference:url,securify.nl/
blog/SFY20180801/click-me-if-you-can_-office-social-
engineering-with-embedded-objects.html; classtype:attempted-user;
sid:8000316; rev:1;)

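# FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID + file: URL to an .exe
# (sid 8000317, SMTP direction). Same detection as sid 8000316: file.rtf
# flowbit, the Forms.HTML:Submission.1 CLSID hex, "file:" in UTF-16LE and
# "exe" in UTF-16LE (minus the final null), all unordered in file_data.
# The submitted header constrained the source port to $FILE_DATA_PORTS; an
# SMTP client uses an ephemeral source port, so that header would not
# match mail delivery. Changed to "any", the usual form for to-server SMTP
# file rules; adjust if your $FILE_DATA_PORTS variable differs.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing executable file URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000317; rev:1;)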

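# FILE-OFFICE RTF Forms.HTML:Image.1 CLSID + HTTP URL (sid 8000318, HTTP
# download direction). file.rtf flowbit, then in file_data the
# Forms.HTML:Image.1 CLSID hex (12d11255c65ccf118d6700aa00bdce1d, nocase)
# and "68007400740070" = "http" in UTF-16LE minus its final null byte.
# No fast_pattern and no relative modifiers, so both contents match
# anywhere in the file.
# The list archive wrapped the rule immediately after content:", which
# would put a line break inside the CLSID pattern; the pattern is restored
# contiguous here, matching the same content in sids 8000314/8000316.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing HTTP URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000318; rev:1;)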

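# FILE-OFFICE RTF Forms.HTML:Image.1 CLSID + HTTP URL (sid 8000319, SMTP
# direction). Same detection as sid 8000318: file.rtf flowbit, the
# Forms.HTML:Image.1 CLSID hex and "http" in UTF-16LE (minus the final
# null), unordered in file_data.
# Two repairs: the archive's line break inside the CLSID content is removed
# so the pattern is contiguous, and the source port is changed from
# $FILE_DATA_PORTS to "any" -- an SMTP client connects from an ephemeral
# port, so the submitted header would not match mail delivery. Adjust if
# your $FILE_DATA_PORTS variable differs.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing HTTP URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000319; rev:1;)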

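# FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID + HTTP URL (sid 8000320,
# HTTP download direction). file.rtf flowbit, then in file_data the
# Forms.HTML:Submission.1 CLSID hex (10d11255c65ccf118d6700aa00bdce1d,
# nocase) and "68007400740070" = "http" in UTF-16LE minus its final null
# byte. No fast_pattern and no relative modifiers, so both contents match
# anywhere in the file.
# The list archive wrapped the rule immediately after content:"; the CLSID
# pattern is restored contiguous here, matching the same content in
# sid 8000316.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing HTTP URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000320; rev:1;)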

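# FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID + HTTP URL (sid 8000321,
# SMTP direction). Same detection as sid 8000320: file.rtf flowbit, the
# Forms.HTML:Submission.1 CLSID hex and "http" in UTF-16LE (minus the
# final null), unordered in file_data.
# Two repairs: the archive's line break inside the CLSID content is removed
# so the pattern is contiguous, and the source port is changed from
# $FILE_DATA_PORTS to "any" -- an SMTP client connects from an ephemeral
# port, so the submitted header would not match mail delivery. Adjust if
# your $FILE_DATA_PORTS variable differs.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing HTTP URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000321; rev:1;)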

# --------------------
# Date: 2018-09-03
# Title: Ruler is a tool for interacting with Exchange servers remotely with the aim of
#        abusing client-side Outlook features and gaining a shell remotely.
# Reference: Research
#     - https://github.com/sensepost/ruler
#     - https://attack.mitre.org/wiki/Technique/T1190
#     - https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1046
# Tests: syntax only

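# INDICATOR-SCAN Ruler (sensepost) Autodiscover probe (sid 8000327), tested
# syntax-only. Matches the header line "User-Agent: ruler" terminated by
# CRLF (fast pattern) and "/autodiscover/autodiscover.xml" in the URI, so
# detection rests entirely on the tool's default User-Agent string.
# The submitted reference pointed at ATT&CK T1027 (Obfuscated Files or
# Information), which does not describe this activity and differs from the
# T1190 link given in the submission header; the reference now follows the
# header.
# NOTE(review): the rule header is "any any -> $HOME_NET 80", so only
# plaintext HTTP to port 80 is inspected; Autodiscover is typically served
# over TLS, so this will mainly fire in lab or TLS-terminated deployments.
# Consider $HTTP_PORTS for the destination and check whether $EXTERNAL_NET
# is the intended source.
alert tcp any any -> $HOME_NET 80 (msg:"INDICATOR-SCAN Ruler interaction attempt"; flow:to_server,established; content:"User-Agent: ruler|0D 0A|"; fast_pattern:only; http_header; content:"/autodiscover/autodiscover.xml"; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/wiki/Technique/T1190; classtype:web-application-activity; sid:8000327; rev:1;)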


Hi Yaser,

Thanks for these submissions, we'll get these into our testing process and
get back to you as soon as possible.  We'd appreciate any pcaps you'd be
willing to share.  Thanks again!

-- 
Marcos Rodriguez
Cisco Talos
