Snort mailing list archives
Multiple signatures 018
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 15 Nov 2018 14:11:59 +0000
Hi,

Pcaps and Yara/ClamAV signatures are available for the majority of the below cases.

Thank you.
YM

# --------------------
# Date: 2018-11-07
# Title: Inside VSSDestroy Ransomware
# Reference: Triage from: https://threatvector.cylance.com/en_us/home/threat-spotlight-inside-vssdestroy-ransomware.html
# Tests: pcap
# Yara:
# - MALWARE_Win_Ransomware_VSSDestroy_VAR
# ClamAV:
# - MALWARE_Win.Ransomware.VSSDestroy-VAR
# Hashes:
# - 193697be39290126d24363482627ff49ad7ff76ad12bbac43f53c0a3a614db5d
# - 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95
# - 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53
# - d0c7b512610a1a206dbf4b4d8c352a26a26978abe8b5d0d3255f0b02196482a1
# Notes:
# - The IP check is observed with and without a User-Agent and the domain may change.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.VSSDestroy variant post-infection outbound connection"; flow:to_server,established; content:"/addrecord.php?"; fast_pattern:only; http_uri; content:"apikey="; http_uri; content:"&compuser="; http_uri; content:"&sid="; http_uri; content:"&phase="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000401; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE User-Agent associated with external IP address check detected"; flow:to_server,established; content:"User-Agent: IP retriever"; nocase; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000402; rev:1;)

# --------------------
# Date: 2018-11-08
# Title: DarkPulsar
# Reference: https://securelist.com/darkpulsar/88199/
# Tests: syntax only
# Yara: NA
# ClamAV: NA
# Hashes: 96f10cfa6ba24c9ecd08aa6d37993fe4 (lab generated?)

alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-CNC Win.Trojan.Doublepulsar variant successful connection"; flow:to_server,established; flowbits:isset,smb.trans2.mid65|smb.trans2.mid66; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|40 00|"; within:2; distance:21; content:"|04 D6 47 33 4B AB 5E 08 4A 7D 1D 3B 72 8C 7D 91 00|"; within:17; distance:27; flowbits:set,smb.trans2.mid66; metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:8000403; rev:1;)

# --------------------
# Date: 2018-11-09
# Title: Malware Targeting Brazil Uses Legitimate Windows Components WMI and CertUtil as Part of its Routine
# Reference: Triage from:
# - https://blog.trendmicro.com/trendlabs-security-intelligence/malware-targeting-brazil-uses-legitimate-windows-components-wmi-and-certutil-as-part-of-its-routine/
# - http://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
# Tests: pcap
# Yara:
# - MALWARE_Win_LNK_Downloader_VAR1
# - MALWARE_Win_Trojan_Guildma_DLL_Main
# - MALWARE_Win_Trojan_Guildma_DLL_Module_1
# - MALWARE_Win_Trojan_Guildma_DLL_Module_2
# - MALWARE_Win_Trojan_Guildma_DLL_Module_3
# ClamAV:
# - MALWARE_Win.LNK.Downloader-VAR1-RAW
# - MALWARE_Win.LNK.Downloader-VAR1-CON
# - MALWARE_Win.Trojan.Guildma_DLL_Main
# - MALWARE_Win.Trojan.Guildma_DLL_Module_1
# - MALWARE_Win.Trojan.Guildma_DLL_Module_2
# - MALWARE_Win.Trojan.Guildma_DLL_Module_3
# Hashes:
# - LNKs:
#   - 1a1cbfe0e0d004f00a9829dfe0eae0d6d171154f53a93f2e8ee66757c207f6aa
#   - 2ae32ad396f48165e8eb9fdaf8138ce078a3f1dfd6220352e5bf0f50bdf47d61
#   - 2f170ee85862fbcf2fccf8099e254d9a07ad78ffc54ac76150911108a971aad6
#   - 32063e61a7a9011dc74fe59df7469ee09b6b56539728d23ab9cab2afa5ce949e
#   - 4a5f133f5f8671fdd54da4e46c983054c7d5eee82ffdca80b6946f855c034394
#   - 4c93229e1a429bd4a69596a4687dd7b51d7de4a3b9c74d70a396de90f25fd929
#   - 5caa69f928c159c1869d2819691d12a066920518927ac24d1a9434cceb95fbe8
#   - 63276c25d37bf7f7e3a19a921a6f250c35fa3907910e57f4bbb69f27750286db
#   - 695e03c97eaed0303c9527e579e69b1ba280c448476edcf97d7a289b439fa39a
#   - 795524849b20948a339c8daaa68c0c261d0c13a42cc3d485b50d9f08cad39b4b
#   - 959ca35720eccc22fa3789c2f2883a1038f2f7e3a0ba39ef56583390be93e731
#   - 990e8ead229c89fd28502381ee735abf4cd4d694822db3490674497004940097
#   - b4e830993ef79ffc641a2ac9612f74d030fd13aedf0dfbe233bb9ed79800cfed
#   - d69e5621277e2523f110b3237ecfd103525d80df74233ac56505e73d3ca50e06
#   - de03a803cf3f754e44062b6b023fc4bf5af4c7483f874bc3599b658ad9891fc0
# - Guildma DLLs (unpacked):
#   - 18aaca5812401af6c2236053f60064b7ad5a050433a9d912fe70d409526f01c7
#   - 1dbcc0a79876552a85eee727168236fc87fc4120d622871f1b1f0c563d1164d2
#   - 31c90b6838ba4e1f7649abaf233f0de33a39056dc157971d4d932c579eeb12ee
#   - 370faf00c5c85962a586064ec428780f0534310630eed5a801bd21e1709319bd
#   - 43aed13087af5d719fe6f49964006c0f4ccb5fc7e4ca2500ee770027690e82ca
#   - 612f3800e67eb442a6d8d2665a0a1097cd36e1e6d6ddb817eb001be13b4fb3f7
#   - 644d2baa94dc8272a1ffe464ed03e38d882856363ce0560180e831b2e0b38c5b
#   - 69ec793c08669b86935f9aaa38a038f92c41f429a2d2a3592556b0a70d54cf78
#   - 6ff74a393fa29beced417c47709b61b96cca4fcac2ac25166665dd76a0682067
#   - 7798f7f0fd5ff2f646653ed02580b771c99fee5b847303063e15e7ad0d4b37b0
#   - 888bd1fda851543408aba27c8c481c697bcbbf5701c8963f7b2e3931d8f1dfda
#   - 8d1f5282948204325d51bb42d3b48c6d1b4266c2b36814bc800b755e95133246
#   - 96c48e25630607c6b15c057d43e543db85a6cdfff8956a2cc803867e5e0105ee
#   - b346cc298f92f33a3cd37ca2069f89e5216496e06479b0a2044e9ca6bc686993
#   - b951bb402207e0aaba9da0159801632b1e94a316d1f773a39add75ea802546b5
#   - f19b24abde1a29572d57efbee8ebc0f36c0d87d40d7b0615c0c512081eaa7a6f
#   - f89f02d38dc1ab0a8459e7a9d7d9776fd0f80a774988681bb369937d1bb06baa
# Notes:
# - Added 25029, 25056, 25089, etc to stream5 and http_inspect
# - The "/v131" seems consistent but may change, ex.: the preceding
#   "/03/" to "/09".
# - Additional module(s) may exist, but were not sig'ed.
# - Banking trojan targeting Brazil, uses LNKs and DLLs, uses image file
#   extensions for downloads, similarities to Metamorfo campaign?

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.LNK.Downloader variant initial outbound connection"; flow:to_server,established; urilen:<25; content:"/v"; http_uri; content:".xsl?"; distance:3; http_uri; content:".xsl"; within:15; http_uri; content:!"Content"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000404; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Guildma plugin request outbound connection"; flow:to_server,established; urilen:<40; content:".zip?"; http_uri; content:"User-Agent: Microsoft BITS/"; http_header; fast_pattern:only; content:!"Content"; http_header; content:!"Referer"; http_header; pcre:"/\.(jpg|gif|dll)\.zip\x3f[0-9]{9}/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000405; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Guildma plugin request outbound connection"; flow:to_server,established; urilen:<40; content:".zip?"; http_uri; content:"User-Agent: CertUtil URL Agent"; http_header; fast_pattern:only; content:!"Content"; http_header; content:!"Referer"; http_header; pcre:"/\.(jpg|gif|dll)\.zip\x3f[0-9]{9}/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000406; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Guildma plugin request outbound connection"; flow:to_server,established; urilen:<40; content:".zip?"; http_uri; content:"User-Agent: Microsoft-CryptoAPI/"; http_header; fast_pattern:only; content:!"Content"; http_header; content:!"Referer"; http_header; pcre:"/\.(jpg|gif|dll)\.zip\x3f[0-9]{9}/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000407; rev:1;)

alert tcp any any -> any 25 (msg:"MALWARE-OTHER Win.LNK.Downloader variant file via SMTP"; flow:to_server,established; flowbits:isset,file.lnk; file_data; content:"W|00|M|00|I|00|C|00|.|00|e|00|x|00|e"; nocase; fast_pattern:only; content:"g|00|e|00|t|00 20 00|/|00|f|00|o|00|r|00|m|00|a|00|t|00|:"; distance:0; content:"|22 00|h|00|t|00|t|00|p"; distance:0; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000408; rev:1;)

# --------------------
# Date: 2018-11-11
# Title: Win.Trojan.Emotet variant
# Reference: Research
# Tests: pcap
# Yara:
# - MALWARE_Pdf_Dropper_Emotet
# - MALWARE_Doc_Dropper_Emotet
# ClamAV:
# - MALWARE_Pdf.Dropper.Emotet
# - MALWARE_Doc.Dropper.Emotet
# Hashes:
# - PDFs:
#   - 39e69a23fc772b1fd07dbb6a4832980f19b2f053f4b8586da1e258652b0ed24e
#   - bc1bab82efb24da0bea2425eb5357dd81f93bfa3cfbb8898f2b5e978a09026ad
# - Docs:
#   - 65e4c3c3407f22722aeb6b0e477027e01aa381d83209f713b48f8b4f738528f9
# - EXEs:
#   - ebecb74b4fc9dd33d0fbea870741ea8e7d02f98de8ef5da3490716aa4976238b
# Notes:
# - Flow: SMTP > Pdf with link > HTTP (link) > Doc with pwsh > HTTP (pwsh) > Exe > HTTP (exe) C&C.
# - Need more samples to confirm Yara/ClamAV detection/behavior.
# - C&C appear to be more consistent across samples than files.
# - Emotet C&C was published in last advisory, so removing from here.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Emotet IP address check attempt"; flow:to_server,established; urilen:11; content:"/whoami.php"; fast_pattern:only; http_uri; content:" MSIE "; http_header; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; content:!"Content"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000410; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Emotet payload request outbound connection"; flow:to_server,established; urilen:<15; content:"/wp-content/"; http_uri; content:!"User-Agent"; http_header; content:!"Content"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:!"Connection"; http_header; pcre:"/\/wp-content\/[A-Z]/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000411; rev:1;)

# --------------------
# Date: 2018-11-11
# Title: Malware “WellMess” Targeting Linux and Windows
# Reference: Triage from: https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html
# Tests: syntax only
# Yara:
# - MALWARE_Win_Trojan_WellMess_DotNet
# - MALWARE_Win_Trojan_WellMess_GoLang
# - MALWARE_Elf_Trojan_WellMess_GoLang
# ClamAV:
# - MALWARE_Win.Trojan.WellMess_DotNet
# - MALWARE_Win.Trojan.WellMess_GoLang
# - MALWARE_Elf.Trojan.WellMess_GoLang
# Hashes:
# - 0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193
# - bec1981e422c1e01c14511d384a33c9bcc66456c1274bbbac073da825a3f537d
# - 2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41
# Notes:
# - Additional samples were found, but not visible :(
# - This is probably the worst sig ever, just in case your eyes hurt.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan.WellMess outbound connection attempt"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"Cookie"; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:"Expect: 100-Continue"; http_header; content:"Accept-Encoding: deflate|0D 0A|"; http_header; content:!"Referer"; http_header; content:!"="; within:20; http_client_body; pcre:"/[A-Za-z0-9\.\x20\x2c\x2a].*/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000413; rev:1;)

# --------------------
# Date: 2018-11-15
# Title: Opendir, LegacyDrawing_AutoLoad: Win.Trojan.Stimilina / Win.Ransomware.Delf-6651871-0 / AZORult
# Reference: Research
# Tests: pcaps
# Yara:
# - FILE_OFFICE_OLE_Dropper_CVE_2017_11882
# - FILE_OFFICE_Doc_Dropper_LegacyDrawing_AutoLoad
# - MALWARE_Win_Trojan_Stimilina
# ClamAV:
# - FILE_OFFICE_OLE.Dropper.CVE_2017_11882
# - FILE_OFFICE_Doc.Dropper.LegacyDrawing_AutoLoad
# Hashes:
# - Dropper:
#   - b9d8a288dd9fd62fb2354854a3cd80e55d988ea0ea434d4adc249bb5d59c71f3
# - Binaries:
#   - 0cd169df12982d013f201966d57fa77c233cadbb68ead042aa6b27cfd4c058ef
#   - 172fddc26079fc7f3c48bac462e9f9f2c8c208f2c98d9910499f3500cefaa17c
#   - 1f04343aebbc630e8c0479f3035dc012d353c0bdd6c4d2356ea8948a3af735c1
#   - 926b9fbe6a71ea6d79c0366de78d99ccb5ea818277285dcf21996a505e1476b1
#   - a15333778d612df71e987dd385b9c5e32ef25bcc7dd4331672fb17e300c3acd0
#   - bdbe4e3ff7a86e5ab002f8884a37f06ae45dc53f9b8a4e180f77ee32d9456058
#   - c9dd349152aa035bf2dc9a66d3394ade75fcb0e5b2e33e9c55abbecf23818813
#   - cd664442b99d6719fbfc5f481adc13424d6d6135b2b761e98f794b952621b344
#   - d4eeb08cf122e14fab3396d9413e63d083dfc6eea8c9dd4a75e5b51b256dea3f
#   - d4eeb08cf122e14fab3396d9413e63d083dfc6eea8c9dd4a75e5b51b256dea3f
#   - dd2929b27483554b5005f677ae90126da7ecedce3166fe31b07ca7530a02bba1
#   - e3c2b60bffed7c3b861641b59815ddd4e049f0958df61d59d76c93da6181dac1
#   - eb2718ee5898279c17d0a663132ce06efb4fac275654b48d54ba9a30c851c59a
# Notes:
# - Never seen the dropper technique before, though similar to Remote Template,
#   combined with CVE-2017-11882.
# - Fetches configuration from C&C server in base64 format at the end.
# - All binaries uploaded to VT, HA, and AA. Opendir screenshot attached.
# - More eyes-hurting signatures :).

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Stimilina variant outbound connection"; flow:to_server,established; urilen:<30; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.1)|0D 0A|"; http_header; content:"|2F|"; offset:1; depth:1; fast_pattern; http_client_body; content:"POST"; http_method; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/\x2f(\xfa|\xfb)*/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000414; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Stimilina variant config retrieval inbound connection"; flow:to_client,established; file_data; content:"</n><d>"; content:"</d>"; distance:0; pcre:"/<\/n><d>[A-Za-z0-9+=]+<\/d>/"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000415; rev:1;)

# --------------------
# Date: 2018-11-15
# Title: XpertRAT
# Reference: Research
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes:
# - Droppers:
#   - 15c438d27607046e787136625f5d5192d647662a87fbdfb5ce88e912dff61c24
#   - 364c0c208bec32f13613844c89668baeb79df2bb915c5cf562f132056436d1fe
#   - 4e11624e421251b1f38daef7f7fdefb5c6b363b92d9a1015f8f655d7630208d5
#   - 64eb94c2934492b893e0eb05388d1600908bd6d19f698549f27c6143b297baaf
#   - 920f006948f2a029245bdcf0dc84b2d3153920202abfc0825c77d72e65ddb3ff
#   - b4a1f7f7bc991d8e4077921875a901dd957bcef0e91034052f953d4c3a280d45
#   - d6608695f412f7f0f938fbab2d84e1cad9df0278f2a8d1c02aafeb4ac737c9b4
# - Binaries:
#   - 064d1d9a20f737679bb7ce912854c7ab29f78a0716ee8bc8dc69ade02acdca5a
#   - 1d3c280c402e62057131f64bedd12a4aa1f08bd5854e1e177f1581edc934c225
#   - 2654d67e5286c2d1d9fc3c4c72788854ca1b01277e2c4bd598c96eb37b17c05f
#   - 3126681755833f7236efbda8f3e949eeb38d0f6f06a3a44530d24d6d60c17205
#   - 329f8804c800b723fad251a88556875f2f2a2624f55f5d6bc4c1b4c56ba67b53
#   - 350aa4e3bab3e53f4a0160e770e2f4a733fcdfd80e4aec3da9e2753e8d59b659
#   - 36eb43b50f6b9b7943d7fef904991d5df0859e5e0dd17620ede4c5bdcdaf3485
#   - 4c4b3ad8895c8ea779e3e359b8f3610f061d4d865170e32b7af648ff0268e2b8
#   - 5cd67222bf8fa8ecfe8a71b0f43033e6c8c92b4fb460c38eb5000be8ef024e7b
#   - 98a0e4de95408f8c394b56d480670a95961fba578209a3a3bb92f17fabb67e70
#   - c63b13c9c9349180bcc667d5f1a1776b80aa1e0804aee3737ba0a89b964144df
#   - ca0f1eeff7976e051f7a4a1bc7503a781ad7d9e73dabb7930a37677015c25649
#   - d48413c73228d35c248909d7908dabfa3032c4eac259578191c8efe0b0f6bdda
#   - f10ccf9d9c47973cee6566eea584202f61e1ab5e79f7a14853db24b37e2eeb49

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.XpertRAT inbound connection"; flow:to_client,established; dsize:<12; content:"|7C 30 7C A1 40 23 40 21|"; offset:3; depth:8; fast_pattern; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000416; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.XpertRAT outbound connection"; flow:to_server,established; dsize:10; content:"|7C|root|7C|"; offset:3; depth:6; fast_pattern; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000417; rev:1;)
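Several of the HTTP rules above combine the same small set of options (urilen, content on http_uri and http_header, negated header content, and a pcre with the /U modifier). The following is an added example, not part of the original post and not Snort's own matching engine: a plain-Python model of that option subset, loaded with the conditions of sids 8000401, 8000406 and 8000410 exactly as they appear above, and run over constructed sample requests. It simplifies Snort semantics (offset/depth/distance/within are ignored, content matches are case-sensitive, and urilen is taken over the URI string as given), so it is a way to read what each rule requires and what makes a near-miss request fall through, not a substitute for testing the rules against the pcaps.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class HttpRequest:
    """Constructed request: method, URI and the raw header block (CRLF-separated,
    terminated by an empty line), standing in for Snort's http_method /
    http_uri / http_header buffers."""
    method: str
    uri: str
    headers: str


@dataclass
class HttpRule:
    """The option subset used by the HTTP signatures in the post."""
    sid: int
    msg: str
    uri_contains: List[str] = field(default_factory=list)     # content:"x"; http_uri
    header_contains: List[str] = field(default_factory=list)  # content:"x"; http_header
    header_excludes: List[str] = field(default_factory=list)  # content:!"x"; http_header
    uri_pcre: Optional[str] = None                            # pcre:"/x/U"
    urilen_max: Optional[int] = None                          # urilen:<N
    urilen_exact: Optional[int] = None                        # urilen:N
    method: Optional[str] = None                              # content:"POST"; http_method

    def matches(self, req: HttpRequest) -> bool:
        # Simplification: no offset/depth/distance/within, case-sensitive content.
        if self.urilen_max is not None and not len(req.uri) < self.urilen_max:
            return False
        if self.urilen_exact is not None and len(req.uri) != self.urilen_exact:
            return False
        if self.method is not None and req.method != self.method:
            return False
        if not all(s in req.uri for s in self.uri_contains):
            return False
        if not all(s in req.headers for s in self.header_contains):
            return False
        if any(s in req.headers for s in self.header_excludes):  # negated content
            return False
        if self.uri_pcre is not None and re.search(self.uri_pcre, req.uri) is None:
            return False
        return True


# Conditions copied from the signatures in the post.
RULES = [
    HttpRule(sid=8000401, msg="Win.Ransomware.VSSDestroy variant post-infection outbound connection",
             uri_contains=["/addrecord.php?", "apikey=", "&compuser=", "&sid=", "&phase="]),
    HttpRule(sid=8000406, msg="Win.Trojan.Guildma plugin request outbound connection",
             urilen_max=40, uri_contains=[".zip?"],
             header_contains=["User-Agent: CertUtil URL Agent"],
             header_excludes=["Content", "Referer"],
             uri_pcre=r"\.(jpg|gif|dll)\.zip\x3f[0-9]{9}"),
    HttpRule(sid=8000410, msg="Win.Trojan.Emotet IP address check attempt",
             urilen_exact=11, uri_contains=["/whoami.php"],
             header_contains=[" MSIE ", "Cache-Control: no-cache\r\n\r\n"],
             header_excludes=["Content", "Accept", "Referer", "Connection"]),
]

# Constructed sample requests (hosts and values are placeholders, not observed traffic).
SAMPLES = {
    "guildma_certutil": HttpRequest(
        "GET", "/09/v131/aaa.jpg.zip?123456789",
        "User-Agent: CertUtil URL Agent\r\nHost: 198.51.100.7\r\nConnection: Keep-Alive\r\n\r\n"),
    # Same URI fetched by a browser: Referer header present, different User-Agent.
    "same_uri_browser": HttpRequest(
        "GET", "/09/v131/aaa.jpg.zip?123456789",
        "User-Agent: Mozilla/5.0\r\nReferer: http://example.invalid/\r\nAccept: */*\r\n\r\n"),
    "emotet_ipcheck": HttpRequest(
        "GET", "/whoami.php",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)\r\n"
        "Host: 203.0.113.10\r\nCache-Control: no-cache\r\n\r\n"),
    "vssdestroy": HttpRequest(
        "GET", "/addrecord.php?apikey=0123&compuser=PC1&sid=7&phase=1",
        "User-Agent: IP retriever\r\nHost: 203.0.113.20\r\n\r\n"),
    "benign": HttpRequest(
        "GET", "/index.html",
        "Host: example.invalid\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"),
}


def matching_sids(req: HttpRequest) -> List[int]:
    """Return the sids of all modelled rules whose conditions the request satisfies."""
    return sorted(r.sid for r in RULES if r.matches(req))


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:18s} {req.method} {req.uri:45s} -> {matching_sids(req)}")
```

The "same_uri_browser" sample is the useful one: the URI alone satisfies urilen, the .zip? content and the pcre, and it is the negated Referer content plus the User-Agent requirement that keep it from alerting, which is exactly the false-positive guard the Guildma rules rely on.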
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads