Snort mailing list archives

Multiple signatures 024


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 6 Mar 2019 17:21:17 +0000

Hi,

On the previous post, I may have misidentified AveMaria as PlugX. Not sure how I came up with that. I apologize for any 
inconvenience this may have caused. Anyway, here is a new set of signatures, most of which have accompanying Yara and 
ClamAV signatures.

Thank you.
YM

# --------------------
# Title: Win.Trojan.TheRat
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_TheRat_Variant_1
#   - MALWARE_Win_Trojan_TheRat_Variant_2
#   - INDICATOR_Image_Embedding_Archive
# ClamAV:
#   - MALWARE_Win.Trojan.TheRat-Variant-1
#   - MALWARE_Win.Trojan.TheRat-Variant-2
#   - INDICATOR_Image_Embedding_Archive
# Hashes:
#   - 46cc296583d7ae1f6bdbe7a3f8d1c66f04a10a8fbc502b42e0b7eb15c3c0cad1
#   - 484fb2977715262b2b6ded712c5846f10f6fb9594d9a61fb4488db88c102657c
#   - 5ffcfe54e04748367dfc2bdaeab33fe80070d9b62b7032cac6e1def28cf67210
#   - 90426ca0a5d0fad4bfbfef999b80577c3f592a247e29eb170490e20510076156
#   - a21b719d48905fd06b2281a4a47bfa8605e895e1ad7812963d249f87368c42de
#   - c301e722f409f0d5dd1c252c346f29a7f12a875e633c41216c1f88841854f68a
#   - d85029c633e6705608b24bcd31c6c4ef23ce41a72238b7e19c190fed9d77b8b3
#   - e0d0c5522eb9ff996ae422573e95ba43a29ff9dc70adc616440fc720146bf878
# Note:
#   - NullSoft and Inno packed binaries.
#   - Images embedding archives extracted.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TheRat variant outbound connection attempt"; flow:to_server,established; content:"/update.php?id="; fast_pattern:only; http_uri; content:"&stat="; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 5.1)|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000544; rev:1;)

# --------------------
# Title: PlugX DNS Tunneling
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_PlugX_DLL
# ClamAV:
#   - MALWARE_Win.Trojan.PlugX_DLL
# Hashes:
#   - Initial Sample:
#     - a3c66c8e929f582368e105c0ecedb0ead346494e9a14cf7e7d88f163049ce7f9 (RAR Archive)
#     - bd8e56950c0c5878b298f97de2051c12d3c5714b6d01eb75b86797dc82732bbd (DLL)
#   - Triage:
#     - 9032a1644f525baaafa5199edf29fb18c71a8c221264c2890e1ec475138fc317 (RAR Archive)
#     - 76b5bf13ba685211cf28f339dc18d691830f7006dd6630c2c6e80f18006cdb9e (DLL)
#     - ece271ee20d3113b08862a1424f9d359a42270fbb3b2cdb9ccba6601248b0a7d (DLL)
#     - e39e021c1867acf6e4af9f55756c30b5f2bf5e914c0960f4a2035d758966fb55 (RAR Archive)
#     - 3fd178fbdf6b07a1f18c1b5749937db2cdf39b6e630fd1511409fb2c4d52e6ef (DLL)
#     - bf423809330c5bf93bdf184075c2a0babcfa6fcda4f14a101e094c7b17677300 (RAR Archive)
#     - a555193380d8c3c25a649e2393fb1366e9a5ac94a86a409eddc6f452474f986e (DLL)
#     - 39c4b2371192a4365b8366e047355ba75fff6f78140dcac5f16306f6f50830cb (RAR Archive)
#     - 507beb609fd324130d378b09f1c2bba147830a11e0e2d2447e8272cefe76e482 (DLL)
# Note:
#   - Signature 3:30881 is sufficient for detection but not
#     enabled by default, and may be bound to FPs.
#   - Initial Sample was first observed 2017, but was not publicly available
#     until recently.

alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.PlugX dns tunneling outbound connection attempt"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00 3F|"; offset:2; depth:11; fast_pattern; content:"|3F|"; distance:63; byte_jump:0, 0, from_end, post_offset -5; content:"|00 10 00 01|"; distance:0; within:5; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000545; rev:1;)

# --------------------
# Title: Suspected Molerats New Attack in the Middle East
# Reference: https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/
# Tests: pcaps
# Yara:
#   - INDICATOR_Suspicous_Binary_Packed
#   - INDICATOR_Base64_Binary__Packed
# ClamAV:
#   - INDICATOR_Suspicous_Binary_Packed
#   - INDICATOR_Base64_Binary_Packed
# Hashes:
# Note:
#   - Instead of a PCRE to match client body character set
#     we look for the absence of a typical '=' in HTTP form.
#   - Updated existing signature: INDICATOR_Win_Binary_Many_Builtin_Executables
#     for ClamAV and Yara.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Molerats variant outbound connection"; flow:to_server,established; urilen:1; content:"from: user"; http_header; content:"connection: close"; http_header; content:"user-agent"; http_header; content:!"="; depth:30; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000546; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Enigma packer executable file download detected"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isnotset,file.packed; flowbits:isset,file.exe; file_data; content:".enigma1"; content:".enigma2"; distance:32; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:8000547; rev:1;)

# --------------------
# Title: CVE-2018-20377
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-20377
# Tests:
# Yara: NA
# ClamAV: NA
# Hashes: NA

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Orange LiveBox privilege escalation attempt"; flow:to_server,established; urilen:23; content:"/get_getnetworkconf.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000548; rev:1;)

# --------------------
# Title: GreyEnergy’s overlap with Zebrocy
# Reference: https://securelist.com/greyenergys-overlap-with-zebrocy/89506/
# Tests:
# Yara: NA
# ClamAV: NA
# Hashes: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy outbound connection attempt"; flow:to_server,established; content:"/help-desk/remote-assistant-service/PostId"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000549; rev:1;)

# --------------------
# Title: Zipped JS > PowerShell > GandCrab v5.2
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_JS_Downloader_Variant_1
#   - MALWARE_Win_JS_Downloader_Variant_2
#   - INDICATOR_JS_Obfuscation_Patterns
# ClamAV:
#   - Email.Trojan.ScriptDownloader (.cdb)
#   - MALWARE_Win_JS_Downloader_Variant_1
#   - MALWARE_Win_JS_Downloader_Variant_2
# Hashes: List is too long to be shared here.
# Notes:
#   - HTTPS connections go to: hxxps://www[.]kakaocorp[.]link/includes/imgs/kaimhe.bmp

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.JS downloader outbound connection attempt"; flow:to_server,established; urilen:<20; content:"User-Agent: Windows|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000550; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC DNS request to known malicious domain - GandCrab Ransomware"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|kakaocorp|04|link"; fast_pattern:only; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000551; rev:1;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware GandCrab variant certificate exchange"; flow:to_client,established; ssl_state:server_hello; content:"|55 04 03 13 0E|kakaocorp.link"; fast_pattern:only; metadata:ruleset community, service ssl; classtype:trojan-activity; sid:8000552; rev:2;)

# --------------------
# Title: EdgeSpot detects PDF samples tracking users who use Google Chrome as local PDF viewer
# Reference: https://blog.edgespot.io/2019/02/edgespot-detects-pdf-zero-day-samples.html
# Tests: pcaps
# Yara:
#   - MALWARE_Pdf_Trojan_Ticanoti_Variant_1
#   - MALWARE_Pdf_Trojan_Ticanoti_Variant_2
#   - MALWARE_Pdf_Trojan_Ticanoti_Variant_3
# ClamAV:
#   - Pdf.Trojan.Ticanoti-Variant-1
#   - Pdf.Trojan.Ticanoti-Variant-2
#   - Pdf.Trojan.Ticanoti-Variant-3
# Hashes:
#   - 0cc1234c981806dd22e0e98e4be002e8df8d285b055e7f891ff8e91af59aee1e
#   - 2dd6ade4d0d4dc8224b28f8819b1c49bb7ae4025933e737ac8069c496d88bb43

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Pdf.Trojan.Ticanoti outbound information leak detected"; flow:to_server,established; content:"/nocache/"; http_uri; content:"?page="; http_uri; fast_pattern:only; content:"//mhjfbmdgcfjbbpaeojofohoefgiehjai|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000553; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Pdf.Trojan.Ticanoti outbound information leak detected"; flow:to_server,established; content:"//mhjfbmdgcfjbbpaeojofohoefgiehjai|0D 0A|"; fast_pattern:only; http_header; content:"<</F<</F(file////"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000554; rev:1;)

# --------------------
# Title: HawkEye / iSpy
# Reference: Research
# Tests: pcaps
# Yara:
#   - INDICATOR_Win_DotNet_Packed
# ClamAV:
#   - INDICATOR_Win_DotNet_Packed
# Hashes:
#   - 039aa11d64377ad3719a3d637a8930b58140f60fa3c3025bf362d5f1186dc388
#   - 0432d8f8f5493463e21e63bec2775b0768883427a3c304ed5c654295fe194f54
#   - 059caf37845d86effe76c9884cc1ac328fb3e9e173ea7a591e39471643e46cfc
#   - 3124000b9f0e4422ad5c153ea6c0b12e6740bb0672de53807b47b3fb1d96b9d1
#   - 70030f1def1ff72fdcd64e31df5bb2f9edc53aa29552b7fe252aee6d8fb471f1
#   - 79849bd2c0f7983623ed2da2a94a9cc57de192f823899d542887b7e87710ae1b
#   - 9f7dca729655b97e79eff175797424b135790cf6e550b193285d04cb793e397a
#   - b28f51704e94543040344a257555e8c0c3f175dcaff6a09bdd581503dfefd84e
#   - b94eba88f222d0114ea940613ef7459a7d7f2ab9410abb9c1bfb2b59e063b92d
#   - ba147bb736208f03e1272cd956078cc8d799dc5e0a087f1ead61c8ef20f8a1c4
#   - bac7beac51934f584804cc38ab154d68e6085716704714051e5b1c433e1a87f6
#   - d716c64eba90657a20742dd63adbef2ce23ba76ef743aec038665266f62072f0
#   - e98f4dbfc2c5bfe7d4f8f4a21bcab3a4f8b0a577c1f25b417371b9047eba6e66
#   - f0170c0df25cbcb224d2237836d94d5dcc23a628fdd13300fdf085dd0a1bcbeb
# Notes:
#   - SID 8000512 from a previous sigs post is valid in this context.

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye/iSpy outbound connection attempt"; flow:to_server,established; content:"Subject: HawkEye Keylogger "; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000555; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye/iSpy outbound connection attempt"; flow:to_server,established; content:"- Passwords Logs -"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000556; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye/iSpy outbound connection attempt"; flow:to_server,established; content:"- Keyboard Logs -"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000557; rev:1;)
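The two UDP/53 rules in this post (sid 8000545 for PlugX DNS tunnelling and sid 8000551 for the GandCrab domain) rely on raw DNS wire-format offsets, so here is an added example, not part of the post, that replays their byte-level checks in Python over constructed queries. The `build_query` encoder and the sample names are assumptions made for the example; the match logic mirrors each rule option as written.

```python
import struct

QTYPE_TXT = 16  # the |00 10| qtype the PlugX rule expects at the end of the question


def build_query(qname: str, qtype: int, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Assumed helper: encode a one-question DNS query (flags 0x0100 = standard query, RD set)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def matches_plugx_tunnel(payload: bytes) -> bool:
    """Replay of sid 8000545 on a UDP/53 payload, option by option."""
    # content:"|01 00 00 01 00 00 00 00 00 00 3F|"; offset:2; depth:11
    # -> flags 0x0100, QDCOUNT 1, AN/NS/AR 0, and a first label of exactly 63 bytes
    if payload[2:13] != b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x3f":
        return False
    # content:"|3F|"; distance:63 -> skip the 63-byte label, expect a second 63-byte label.
    # The rule has no 'within', so any later 0x3F ('?') byte also satisfies it; that is an FP surface.
    if payload.find(b"\x3f", 13 + 63) == -1:
        return False
    # byte_jump:0,0,from_end,post_offset -5; content:"|00 10 00 01|"; distance:0; within:5
    # -> the last 5 bytes carry QTYPE=TXT, QCLASS=IN, i.e. the question trailer
    return b"\x00\x10\x00\x01" in payload[-5:]


def matches_gandcrab_domain(payload: bytes) -> bool:
    """Replay of sid 8000551: a query (not a response) naming kakaocorp.link."""
    # byte_test:1,!&,0xF8,2 -> QR bit and opcode bits of the flags byte are all clear
    if len(payload) < 3 or payload[2] & 0xF8:
        return False
    # content:"|09|kakaocorp|04|link" -> label-length-prefixed wire form of the domain
    return b"\x09kakaocorp\x04link" in payload


# Constructed samples (not captured traffic): a PlugX-style TXT query with two 63-byte labels,
# a lookup of the GandCrab domain, and a response carrying the same name (must not match).
PLUGX_QUERY = build_query("a" * 63 + "." + "b" * 63 + ".example.invalid", QTYPE_TXT)
GANDCRAB_QUERY = build_query("www.kakaocorp.link", 1)
GANDCRAB_RESPONSE = build_query("www.kakaocorp.link", 1, flags=0x8180)

if __name__ == "__main__":
    for name, pkt in [("plugx", PLUGX_QUERY), ("gandcrab", GANDCRAB_QUERY), ("response", GANDCRAB_RESPONSE)]:
        print(name, matches_plugx_tunnel(pkt), matches_gandcrab_domain(pkt))
```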