Snort mailing list archives
Re: Multiple signatures - 003
From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Tue, 3 Jul 2018 12:02:07 -0400
On Tue, Jul 3, 2018 at 9:23 AM, Y M via Snort-sigs < snort-sigs () lists snort org> wrote:
Hi,

Happy soon-to-be 4th of July to you all. Pcaps for the first two sets of signatures are available.

# --------------------
# Date: 2018-07-03
# Title: Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems
# Tests: pcap (partial)
# Reference: https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/
# Hashes:
# - 3227d1e39fc3bc842245ccdb16eeaadad3bcd298e811573b2e68ef2a7077f6f6
# - 92e0d0346774127024c672cc7239dd269824a79e85b84c532128fd9663a0ce78
# - 33665d93ab2a0262551c61ec9a3adca2c2b8dfea34e6f3f723274d88890f6ceb
# - 019874898284935719dc74a6699fb822e20cdb8e3a96a7dc8ec4f625e3f1116e
# - f817c9826089b49d251b8a09a0e9bf9b4b468c6e2586af60e50afe48602f0bec
# Confidence: low
# Note: The trojanized loader binaries, the standalone binaries, and the C&C domain (plus an additional domain)
# successfully correlate to the observed HTTP URI and Header.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HomamDownloader outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Win32)|3B|51|3B|"; fast_pattern:only; http_header; content:"/index.htm"; http_uri; content:!"Connection: "; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/; classtype:trojan-activity; sid:8000172; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HomamDownloader outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)|3B|61|3B|"; fast_pattern:only; http_header; content:"/index.htm"; http_uri; content:!"Connection: "; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/; classtype:trojan-activity; sid:8000173; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HomamDownloader outbound connection - PCRE"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE "; http_header; content:"|3B| Win32)|3B|"; within:12; http_header; fast_pattern; content:"/index.htm"; http_uri; content:!"Connection: "; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/User-Agent\x3a\sMozilla\/4\.0\s\x28compatible\x3b\sMSIE\s\d\.0\x3b\sWin32\x29\x3b[0-9]{2}\x3b\w+/H"; metadata:ruleset community, service http; reference:url,researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/; classtype:trojan-activity; sid:8000174; rev:1;)

# --------------------
# Date: 2018-07-03
# Title: PUA FileTour/MediaDrug
# Tests: pcap, live traffic
# Reference: Research
# Confidence: medium+

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.MediaDrug/FileTour outbound connection"; flow:to_server,established; content:"/client.config/?"; fast_pattern:only; http_uri; content:"app="; http_uri; content:"&format="; http_uri; content:"&uid="; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/c25cb815710871b5e984a0b002f6f57088e43c5e3f19da9e889f4b962cd4da56/detection; classtype:trojan-activity; sid:8000175; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE Win.Adware.MediaDrug/FileTour inbound connection"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type: text/xml"; http_header; file_data; content:"<LogUrl>"; fast_pattern; nocase; content:"<csrtmm>"; nocase; content:"<advertid>"; nocase; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/c25cb815710871b5e984a0b002f6f57088e43c5e3f19da9e889f4b962cd4da56/detection; classtype:trojan-activity; sid:8000176; rev:1;)

# --------------------
# Date: 2018-07-03
# Title: MirageFox: APT15 Resurfaces With New Tools Based On Old Ones
# Tests: syntax only
# Reference: https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/
# Confidence: low-- (use for threat hunting? You assume way too much...)
# Notes: All content matches were extracted from the binaries' strings. Most of the remaining samples,
# specifically Mirage, share the same URI patterns.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.RoyalAPT outbound connection"; flow:to_server,established; content:"/image_download.php?"; fast_pattern:only; http_uri; content:"uid="; http_uri; content:"part="; http_cookie; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/016948ec7743b09e41b6968b42dfade5480774df3baf915e4c8753f5f90d1734/detection; reference:url,www.malwares.com/report/file?hash=016948EC7743B09E41B6968B42DFADE5480774DF3BAF915E4C8753F5F90D1734; classtype:trojan-activity; sid:8000177; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.MirageFox outbound connection"; flow:to_server,established; content:"/search?gid="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0"; http_header; content:"Accept: */*"; http_header; content:"POST"; http_method; content:!"Referer"; http_header; reference:url,www.virustotal.com/#/file/28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a/detection; reference:url,www.virustotal.com/#/file/97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5/detection; classtype:trojan-activity; sid:8000178; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Mirage variant outbound connection"; flow:to_server,established; content:"/net/server.asp?"; fast_pattern:only; http_uri; nocase; content:"cmd="; http_uri; nocase; content:"&adminid="; http_uri; nocase; content:"&adminkey="; http_uri; nocase; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/1534432fafb21c0479343bc2d9f3991e56c75baa41c54b3470d41055bb578f8f/detection; reference:url,www.malwares.com/report/file?hash=1534432FAFB21C0479343BC2D9F3991E56C75BAA41C54B3470D41055BB578F8F; classtype:trojan-activity; sid:8000179; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Mirage variant outbound connection"; flow:to_server,established; content:"/users/login.asp?"; fast_pattern:only; http_uri; nocase; content:"type="; http_uri; nocase; content:"&server_ver="; http_uri; nocase; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/1534432fafb21c0479343bc2d9f3991e56c75baa41c54b3470d41055bb578f8f/detection; reference:url,www.malwares.com/report/file?hash=1534432FAFB21C0479343BC2D9F3991E56C75BAA41C54B3470D41055BB578F8F; classtype:trojan-activity; sid:8000180; rev:1;)

Thanks.
YM
Hi Yaser,

Thanks for these submissions. We will review each of them and get back to you when finished.

--
Marcos Rodriguez
Cisco Talos
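The three HomamDownloader rules above (sids 8000172 through 8000174) are meant to overlap: two fixed User-Agent strings plus one PCRE that generalizes them. Before a pcap test it is useful to confirm that they actually agree. The Python harness below is an added example, not part of the post and not Snort's own matching engine: it decodes the Snort |hex| content notation, approximates the http_uri and http_header buffers together with the negated content and within:12 modifiers, and runs the three rules over constructed requests. The request lines, host names and User-Agent suffixes are constructed for the example; the content strings and the PCRE are taken verbatim from the rules.

```python
import re

# Constructed sample requests for this example (not captures from the Unit 42
# report or the post). User-Agent values follow the content matches in
# sids 8000172-8000174; the host names are placeholders.
SAMPLES = {
    "msie6_51": (
        b"GET /index.htm HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32);51;ab12cd\r\n"
        b"Host: cnc.example.invalid\r\n\r\n"
    ),
    "msie8_61": (
        b"GET /index.htm HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32);61;ab12cd\r\n"
        b"Host: cnc.example.invalid\r\n\r\n"
    ),
    # A version/counter pair the two fixed-content rules do not list.
    "msie7_42": (
        b"GET /index.htm HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32);42;zz99\r\n"
        b"Host: cnc.example.invalid\r\n\r\n"
    ),
    # Same User-Agent, but Accept and Referer headers are present, so the
    # negated content matches in all three rules suppress the alert.
    "with_accept_referer": (
        b"GET /index.htm HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32);51;ab12cd\r\n"
        b"Accept: */*\r\n"
        b"Referer: http://www.example.invalid/\r\n"
        b"Host: www.example.invalid\r\n\r\n"
    ),
}


def decode_snort_content(spec: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, hex pairs
    inside pipes are raw bytes, so "(compatible|3B| MSIE" -> b"(compatible; MSIE"."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


# Fixed User-Agent matches from sids 8000172 and 8000173, verbatim from the rules.
FIXED_UA = {
    8000172: "User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Win32)|3B|51|3B|",
    8000173: "User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)|3B|61|3B|",
}
# The two content anchors and the PCRE from sid 8000174. Snort's /H flag means
# "match against the HTTP header buffer", which is what we pass in below.
PCRE_UA_PREFIX = "User-Agent: Mozilla/4.0 (compatible|3B| MSIE "
PCRE_UA_WITHIN = "|3B| Win32)|3B|"
HOMAM_PCRE = re.compile(
    rb"User-Agent\x3a\sMozilla\/4\.0\s\x28compatible\x3b\sMSIE\s\d\.0\x3b\sWin32\x29\x3b[0-9]{2}\x3b\w+"
)
# Negated header matches shared by the three rules (content:!"..."; http_header;).
NEGATED_HEADERS = (b"Connection: ", b"Accept", b"Referer")


def split_request(raw: bytes):
    """Approximate Snort's http_method, http_uri and http_header buffers."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _ = request_line.split(b" ", 2)
    return method, uri, headers


def matching_sids(raw: bytes) -> list:
    """Return the HomamDownloader sids (8000172-8000174) whose options all hold."""
    _, uri, headers = split_request(raw)
    # Options shared by all three rules: the URI anchor and the negated headers.
    if b"/index.htm" not in uri or any(h in headers for h in NEGATED_HEADERS):
        return []
    hits = [sid for sid, spec in FIXED_UA.items() if decode_snort_content(spec) in headers]
    # sid 8000174: the second content must lie entirely within 12 bytes after the
    # end of the first match (within:12), then the PCRE confirms the
    # "MSIE d.0; Win32);NN;word" shape.
    prefix = decode_snort_content(PCRE_UA_PREFIX)
    start = headers.find(prefix)
    if start != -1:
        end = start + len(prefix)
        second = headers.find(decode_snort_content(PCRE_UA_WITHIN), end, end + 12)
        if second != -1 and HOMAM_PCRE.search(headers):
            hits.append(8000174)
    return hits


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} -> {matching_sids(raw)}")
```

Running it shows the intended overlap: the first two samples trip one fixed rule each plus the PCRE rule, the MSIE 7.0 sample trips only sid 8000174, and the sample with Accept and Referer present trips nothing. A disagreement here (a request that fires a fixed rule but not the PCRE rule, or the reverse) is worth catching before the rules are tested against the pcap.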
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
Current thread:
- Multiple signatures - 003 Y M via Snort-sigs (Jul 03)
- Re: Multiple signatures - 003 Marcos Rodriguez (Jul 03)