
Re: Multiple signatures 015


From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Wed, 3 Oct 2018 13:46:53 -0400

On Wed, Oct 3, 2018 at 1:36 PM Y M via Snort-sigs
<snort-sigs () lists snort org> wrote:

Hi,

Hope all is well. Pcaps and ClamAV/Yara signatures are available for some of the cases.

Thank you.
YM

# --------------------
# Date: 2018-09-19
# Title: Osx.Trojan.AMCleaner/AutoFixer
# Reference: Research
# Tests: pcap + sandbox
# Hashes:
#    - ff274bc19a82b09d5d7b841bcc90859e7eb7ebffb1c9ef8c258a534736d00070
#    - d8647dfb73ad636c7c1a743754b47ff1824c11cfef040104efabca92715ffcff
#    - 444d85360e6cf24b9808bab627b69cbdc82dc6d6471e1785e4046d355cee1ad2
#    - cf00d0789911e58cf1d6fcdb1da64dfe7b0b91c1737b6ad0369a9a968dab214a
# Note:
#    - TechyUtils Software Private Limited have been busy:
#      https://www.virustotal.com/#/ip-address/64.185.181.238
#    - C&C IP address hosts APKs and EXEs which also communicate with it.

# AMCleaner/AutoFixer C2: outbound request whose header block contains the literal line
# "User-Agent: Mac Auto Fixer". The UA string is the only content and is fast_pattern:only,
# so it serves purely as the prefilter; sid 8000351 covers the same UA with "%20"-encoded spaces.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound 
connection attempt"; flow:to_server,established; content:"User-Agent: Mac Auto Fixer"; fast_pattern:only; 
http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000350; rev:1;)
# Companion to sid 8000350: the same User-Agent with its spaces percent-encoded
# (|25 32 30| is the byte sequence "%20"). Separate rule because the two byte patterns
# cannot share one fast-pattern content.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound 
connection attempt"; flow:to_server,established; content:"User-Agent: Mac|25 32 30|Auto|25 32 30|Fixer"; 
fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000351; 
rev:1;)
# AMCleaner/AutoFixer C2: request whose User-Agent begins "maftask/". The trailing "/" is part
# of the literal, so the bare word "maftask" elsewhere in the headers does not fire this rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound 
connection attempt"; flow:to_server,established; content:"User-Agent: maftask/"; fast_pattern:only; http_header; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000352; rev:1;)
# AMCleaner/AutoFixer C2 (looks like the install beacon — confirm against the pcap): normalized
# URI contains "/install/maf/" (fast pattern) plus the "&btnid=" and "&appversion=" parameters.
# No distance/within between the http_uri contents, so they may appear in any order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound 
connection attempt"; flow:to_server,established; content:"/install/maf/"; fast_pattern:only; http_uri; 
content:"&btnid="; http_uri; content:"&appversion="; http_uri; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000353; rev:1;)
# AMCleaner/AutoFixer C2: "/mtrack/?metd=" URI (fast pattern) together with "&ram=" and
# "&model=" parameters — presumably a host-profile report, judging by the parameter names.
# The three http_uri contents are unordered (no distance/within).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound 
connection attempt"; flow:to_server,established; content:"/mtrack/?metd="; fast_pattern:only; http_uri; 
content:"&ram="; http_uri; content:"&model="; http_uri; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000354; rev:1;)
# AMCleaner/AutoFixer C2: "/amc/more/" URI (fast pattern) that also carries ".html",
# "&affiliateid=" and "&btnid=". All four are unordered http_uri contents; ".html" adds little
# selectivity on its own — the affiliate/btn parameters do the discriminating.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound 
connection attempt"; flow:to_server,established; content:"/amc/more/"; fast_pattern:only; http_uri; content:".html"; 
http_uri; content:"&affiliateid="; http_uri; content:"&btnid="; http_uri; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000355; rev:1;)
# AMCleaner/AutoFixer C2: POST to a "/nis/gn" URI whose client body contains the quoted string
# "Display" (|22| is a double quote) and whose headers include both "Origin:" and "Referer".
# No fast_pattern is designated, so Snort selects the longest content itself.
# NOTE(review): sid:8000355 is already used by the "/amc/more/" rule directly above. Two rules
# with the same gid:sid and rev are rejected as duplicates at load time, so this one needs an
# unused sid before it ships (this submission skips from 8000356 to 8000363).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound 
connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nis/gn"; http_uri; 
content:"|22|Display|22|"; http_client_body; content:"Origin:"; http_header; content:"Referer"; http_header; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000355; rev:1;)
# AMCleaner/AutoFixer helper component: User-Agent beginning "helperamc/" (fast pattern)
# requesting a URI that contains ".plist".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound 
connection attempt"; flow:to_server,established; content:"User-Agent: helperamc/"; fast_pattern:only; http_header; 
content:".plist"; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000356; rev:1;)

# --------------------
# Date: 2018-09-19
# Title: Deep Analysis of a Driver-Based MITM Malware: iTranslator
# Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator.html
# Tests: pcap
# Yara:
#    - MALWARE_Win_Trojan_iTranslator_EXE
#    - MALWARE_Win_Trojan_iTranslator_DLL
# ClamAV:
#    - MALWARE_Win_Trojan_iTranslator_EXE
#    - MALWARE_Win_Trojan_iTranslator_DLL
# Notes:
#     - HTTP C&C behavior is consistent with the research reference.
#     - First rule matches on the unique header. Remaining rules match
#       in case the unique header is not present or changed.
#     - Some of the JSON responses can be sig'ed as well but they weren't
#       in this case.

# iTranslator C2: request carrying the non-standard header line "UID: P002" (|0D 0A| is the
# terminating CRLF, so the header value is exactly "P002"). Per the section notes this is the
# unique header; sids 8000364-8000366 are the fallbacks for when it is absent or changed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iTranslator outbound connection"; 
flow:to_server,established; content:"UID: P002|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, 
service http; classtype:trojan-activity; sid:8000363; rev:1;)
# iTranslator C2 fallback: "/gl.php?" request with a fixed "uid=078B" (fast pattern) plus
# "&v=" and "&x=" parameters, and no "Connection" string anywhere in the request headers
# (content:! is a negated substring match over the whole http_header buffer).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iTranslator outbound connection"; 
flow:to_server,established; content:"/gl.php?"; http_uri; content:"uid=078B"; http_uri; fast_pattern:only; 
content:"&v="; http_uri; content:"&x="; http_uri; content:!"Connection"; http_header; metadata:ruleset community, 
service http; classtype:trojan-activity; sid:8000364; rev:1;)
# iTranslator C2 fallback: "/in.php?" request with "type=", "&ch=" and "&mc=" parameters and a
# custom "MC: " header.
# NOTE(review): the fast pattern is on "type=", a generic 5-byte URI substring common in
# ordinary traffic, so this rule enters full evaluation far more often than it needs to;
# "/in.php?" or the "MC: " header would be a much more selective prefilter.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iTranslator outbound connection"; 
flow:to_server,established; content:"/in.php?"; http_uri; content:"type="; http_uri; fast_pattern:only; 
content:"&ch="; http_uri; content:"&mc="; http_uri; content:"MC: "; http_header; metadata:ruleset community, service 
http; classtype:trojan-activity; sid:8000365; rev:1;)
# iTranslator: known-bad User-Agent. The content includes the terminating CRLF (|0D 0A|), so
# the whole header value must be exactly "ITRANSLATOR" — a longer UA that merely starts with
# the string does not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious User-Agent - 
Win.Trojan.iTranslator"; flow:to_server,established; content:"User-Agent: ITRANSLATOR|0D 0A|"; fast_pattern:only; 
http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000366; rev:1;)

# --------------------
# Date: 2018-09-29
# Title: Office Exploit Builder - Phantom Crypter/Ancalog
# Reference: Triage from: https://twitter.com/GaborSzappanos/status/1045573257909415936
# Tests: pcap (file2pcap)
# Yara:
#    - FILE_OFFICE_RTF_Ancalog_Builder_Doc
# ClamAV:
#    - FILE_OFFICE.RTF.Ancalog_Builder.Doc
# Hashes:
#    - 3b4215b2b0dfb8fb1f96984a41d38da3fd19234f0f2c1957f32a3e0e25a8bb3e
#    - f8a111e5c6b6da694567bdbd51c3113f92acd0e9b77e9c01784f1166d7fd3e5f
#    - 43b07839c4b79076cb33428fee4400fbed2e92a9654a2837de7e470f9e4fb004

# Ancalog builder output delivered to a client over $FILE_DATA_PORTS. Requires the file.rtf
# flowbit to have been set by the file-type identification rule, then looks in file_data for
# the RTF control word "\*\ancalog" (|5C| is a backslash) followed, per the pcre, by 1-4 digits,
# whitespace and 1-9 digits.
# NOTE(review): the content is nocase but the pcre has no /i flag, so the effective match is
# case-sensitive; make both case-insensitive or neither so the intent is unambiguous.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Ancalog Exploit Builder generated 
payload detected"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|*|5C|ancalog"; 
nocase; fast_pattern:only; pcre:"/\x5c\x2a\x5cancalog[0-9]{1,4}\s[0-9]{1,9}/"; metadata:ruleset community, service 
ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000367; rev:1;)
# SMTP counterpart of sid 8000367: identical file_data content and pcre, but for traffic to
# $SMTP_SERVERS on port 25 with flow:to_server (the file arriving as inbound mail). The same
# nocase-content / case-sensitive-pcre mismatch applies here.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Ancalog Exploit Builder generated payload 
detected"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|*|5C|ancalog"; nocase; 
fast_pattern:only; pcre:"/\x5c\x2a\x5cancalog[0-9]{1,4}\s[0-9]{1,9}/"; metadata:ruleset community, service smtp; 
classtype:trojan-activity; sid:8000368; rev:1;)

# --------------------
# Date: 2018-09-29
# Title: New KONNI Malware attacking Eurasia and Southeast Asia
# Reference: https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/
# Tests: pcap
# Yara:
#    - MALWARE_Win_Trojan_Konni
# ClamAV:
#    - MALWARE_Win.Trojan.Konni_1
#    - MALWARE_Win.Trojan.Konni_2
# Hashes:
#    - 07b90088ec02ef6757f6590a62e2a038ce769914139aff1a26b50399a31dcde9
#    - 9b1a21d352ededd057ee3a965907126dd11d13474028a429d91e2349b1f00e10
#    - 9bf634ff0bc7c69ffceb75f9773c198944d907ba822c02c44c83e997b88eeabd
#    - b8120d5c9c2c889b37aa9e37514a3b4964c6e41296be216b327cdccd2e908311
#    - dce53e59b0c48e269dadc766a78667a14f11b72c49f57d95abde62c84ac8d7ae

# Konni C2: request body containing "subject=" and "&data=" fields, sent to a ".php" URI by a
# client that sends no User-Agent, Referer or Accept header. The negated http_header contents
# are substring matches, so content:!"Accept" also rules out Accept-Encoding/Accept-Language.
# No fast_pattern is designated; Snort picks the longest content itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Konni outbound connection"; 
flow:to_server,established; content:"subject="; http_client_body; content:"&data="; http_client_body; content:".php"; 
http_uri; content:!"User-Agent"; http_header; content:!"Referer"; http_header; content:!"Accept"; http_header; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000369; rev:1;)

# --------------------
# Date: 2018-10-02
# Title: Osx.Trojan.Wave?
# Reference: Research
#    - https://www.virustotal.com/#/file/087add809dca997a546b8d86f0a0be23cb04b8cf1dc77c58c475e50a3b6fa6ab/detection
# Tests: syntax only

# Osx.Trojan.Wave (naming is tentative per the section header): URI containing "/?localTime="
# (fast pattern) from a client whose User-Agent begins "MailBar/". The section header says
# "Tests: syntax only" — this rule has not been validated against traffic, so expect a
# revision once a pcap is available.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Wave outbound connection attempt"; 
flow:to_server,established; content:"/?localTime="; fast_pattern:only; http_uri; content:"User-Agent: MailBar/"; 
http_header; metadata:ruleset community, service http; 
reference:url,www.virustotal.com/#/file/087add809dca997a546b8d86f0a0be23cb04b8cf1dc77c58c475e50a3b6fa6ab/detection; 
classtype:trojan-activity; sid:8000370; rev:1;)

# --------------------
# Date: 2018-10-03
# Title: Win.Trojan.Trickbot variant
# Reference: Research
# Tests: pcap + sandbox
# Hashes:
#    - dropper       : 109ca2be52cf8a2953ee823b3bf20ff18af6e76c312b6cea086dab3aecd28853
#    - loader        : 595c49d0ba30eff4a48adb927cda9062efc7bb352ea75c6eadcbfe841a81e09c
#    - inject module : b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222
#    - system module : ba2a255671d33677cab8d93531eb25c0b1f1ac3e3085b95365a017463662d787
#    - network module: 1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54
# Notes:
#     - Where is the "config.conf"?
#     - Found and decoded the module configs
#     - Persisted via Task Scheduler

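# Trickbot variant, client side: multipart upload whose body carries form fields named
# "proclist" and "sysinfo" (|3B| is ";", |22| is a double quote) and a process listing
# ("process list", "[System Process]").
# Changes vs. the submitted rule: msg typo "MALWWARE-CNC" corrected to "MALWARE-CNC", and the
# trailing "sysinfo" content is now http_client_body like its three siblings — as submitted it
# had no buffer modifier and so was evaluated against the raw payload instead of the body.
# Destination port is `any` rather than $HTTP_PORTS — presumably deliberate for C2 on
# non-standard ports; confirm against the pcap before promoting.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot variant outbound connection"; flow:to_server,established; content:"form-data|3B| name=|22|proclist|22|"; http_client_body; content:"process list"; nocase; http_client_body; content:"[System Process]"; http_client_body; content:"form-data|3B| name=|22|sysinfo|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000371; rev:1;)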
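# Trickbot variant, server side: HTTP 200 from a "Cowboy" server with a 3-byte body whose
# content (checked via file_data with depth:3, i.e. pinned to the start of the body) is "/1/".
# Change vs. the submitted rule: the two header-line contents get nocase. HTTP field names are
# case-insensitive, so without it a "Server: Cowboy" / "Content-Length: 3" spelling would be
# missed even though the observed lowercase form still matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot variant potential server response"; flow:to_client,established; content:"200"; http_stat_code; content:"server: Cowboy"; nocase; http_header; content:"content-length: 3|0D 0A|"; nocase; http_header; file_data; content:"/1/"; depth:3; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000372; rev:1;)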

Hi Yaser,

Thanks for the submissions and hope all is well with you!  We'll get
bugs open for these and report to you our findings. We'd appreciate
any pcaps, etc, you'd be willing to share. Thanks again!
-- 
Marcos Rodriguez
Cisco Talos
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads

