Snort mailing list archives
Multiple signatures 024
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 6 Mar 2019 17:21:17 +0000
Hi,

On the previous post, I may have misidentified AveMaria as PlugX. Not sure how I came up with that. I apologize for any inconvenience this may have caused.

Anyway, here is a new set of signatures, most of which have accompanying Yara and ClamAV signatures.

Thank you.

YM

# --------------------
# Title: Win.Trojan.TheRat
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_TheRat_Variant_1
# - MALWARE_Win_Trojan_TheRat_Variant_2
# - INDICATOR_Image_Embedding_Archive
# ClamAV:
# - MALWARE_Win.Trojan.TheRat-Variant-1
# - MALWARE_Win.Trojan.TheRat-Variant-2
# - INDICATOR_Image_Embedding_Archive
# Hashes:
# - 46cc296583d7ae1f6bdbe7a3f8d1c66f04a10a8fbc502b42e0b7eb15c3c0cad1
# - 484fb2977715262b2b6ded712c5846f10f6fb9594d9a61fb4488db88c102657c
# - 5ffcfe54e04748367dfc2bdaeab33fe80070d9b62b7032cac6e1def28cf67210
# - 90426ca0a5d0fad4bfbfef999b80577c3f592a247e29eb170490e20510076156
# - a21b719d48905fd06b2281a4a47bfa8605e895e1ad7812963d249f87368c42de
# - c301e722f409f0d5dd1c252c346f29a7f12a875e633c41216c1f88841854f68a
# - d85029c633e6705608b24bcd31c6c4ef23ce41a72238b7e19c190fed9d77b8b3
# - e0d0c5522eb9ff996ae422573e95ba43a29ff9dc70adc616440fc720146bf878
# Note:
# - NullSoft and Inno packed binaries.
# - Images embedding archives extracted.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TheRat variant outbound connection attempt"; flow:to_server,established; content:"/update.php?id="; fast_pattern:only; http_uri; content:"&stat="; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 5.1)|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000544; rev:1;)

# --------------------
# Title: PlugX DNS Tunneling
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_PlugX_DLL
# ClamAV:
# - MALWARE_Win.Trojan.PlugX_DLL
# Hashes:
# - Initial Sample:
#   - a3c66c8e929f582368e105c0ecedb0ead346494e9a14cf7e7d88f163049ce7f9 (RAR Archive)
#   - bd8e56950c0c5878b298f97de2051c12d3c5714b6d01eb75b86797dc82732bbd (DLL)
# - Triage:
#   - 9032a1644f525baaafa5199edf29fb18c71a8c221264c2890e1ec475138fc317 (RAR Archive)
#   - 76b5bf13ba685211cf28f339dc18d691830f7006dd6630c2c6e80f18006cdb9e (DLL)
#   - ece271ee20d3113b08862a1424f9d359a42270fbb3b2cdb9ccba6601248b0a7d (DLL)
#   - e39e021c1867acf6e4af9f55756c30b5f2bf5e914c0960f4a2035d758966fb55 (RAR Archive)
#   - 3fd178fbdf6b07a1f18c1b5749937db2cdf39b6e630fd1511409fb2c4d52e6ef (DLL)
#   - bf423809330c5bf93bdf184075c2a0babcfa6fcda4f14a101e094c7b17677300 (RAR Archive)
#   - a555193380d8c3c25a649e2393fb1366e9a5ac94a86a409eddc6f452474f986e (DLL)
#   - 39c4b2371192a4365b8366e047355ba75fff6f78140dcac5f16306f6f50830cb (RAR Archive)
#   - 507beb609fd324130d378b09f1c2bba147830a11e0e2d2447e8272cefe76e482 (DLL)
# Note:
# - Signature 3:30881 is sufficient for detection but not
#   enabled by default, and may be bound to FPs.
# - Initial Sample was first observed in 2017, but was not publicly available
#   until recently.

alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.PlugX dns tunneling outbound connection attempt"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00 3F|"; offset:2; depth:11; fast_pattern; content:"|3F|"; distance:63; byte_jump:0, 0, from_end, post_offset -5; content:"|00 10 00 01|"; distance:0; within:5; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000545; rev:1;)

# --------------------
# Title: Suspected Molerats New Attack in the Middle East
# Reference: https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/
# Tests: pcaps
# Yara:
# - INDICATOR_Suspicous_Binary_Packed
# - INDICATOR_Base64_Binary__Packed
# ClamAV:
# - INDICATOR_Suspicous_Binary_Packed
# - INDICATOR_Base64_Binary_Packed
# Hashes:
# Note:
# - Instead of a PCRE to match the client body character set,
#   we look for the absence of a typical '=' in an HTTP form.
# - Updated existing signature: INDICATOR_Win_Binary_Many_Builtin_Executables
#   for ClamAV and Yara.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Molerats variant outbound connection"; flow:to_server,established; urilen:1; content:"from: user"; http_header; content:"connection: close"; http_header; content:"user-agent"; http_header; content:!"="; depth:30; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000546; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Enigma packer executable file download detected"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isnotset,file.packed; flowbits:isset,file.exe; file_data; content:".enigma1"; content:".enigma2"; distance:32; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:8000547; rev:1;)

# --------------------
# Title: CVE-2018-20377
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-20377
# Tests:
# Yara: NA
# ClamAV: NA
# Hashes: NA

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Orange LiveBox privilege escalation attempt"; flow:to_server,established; urilen:23; content:"/get_getnetworkconf.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000548; rev:1;)

# --------------------
# Title: GreyEnergy’s overlap with Zebrocy
# Reference: https://securelist.com/greyenergys-overlap-with-zebrocy/89506/
# Tests:
# Yara: NA
# ClamAV: NA
# Hashes: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy outbound connection attempt"; flow:to_server,established; content:"/help-desk/remote-assistant-service/PostId"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000549; rev:1;)

# --------------------
# Title: Zipped JS > PowerShell > GandCrab v5.2
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_JS_Downloader_Variant_1
# - MALWARE_Win_JS_Downloader_Variant_2
# - INDICATOR_JS_Obfuscation_Patterns
# ClamAV:
# - Email.Trojan.ScriptDownloader (.cdb)
# - MALWARE_Win_JS_Downloader_Variant_1
# - MALWARE_Win_JS_Downloader_Variant_2
# Hashes: List is too long to be shared here.
# Notes:
# - HTTPS connections go to: hxxps://www[.]kakaocorp[.]link/includes/imgs/kaimhe.bmp

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.JS downloader outbound connection attempt"; flow:to_server,established; urilen:<20; content:"User-Agent: Windows|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000550; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC DNS request to known malicious domain - GandCrab Ransomware"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|kakaocorp|04|link"; fast_pattern:only; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000551; rev:1;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware GandCrab variant certificate exchange"; flow:to_client,established; ssl_state:server_hello; content:"|55 04 03 13 0E|kakaocorp.link"; fast_pattern:only; metadata:ruleset community, service ssl; classtype:trojan-activity; sid:8000552; rev:2;)

# --------------------
# Title: EdgeSpot detects PDF samples tracking users who use Google Chrome as local PDF viewer
# Reference: https://blog.edgespot.io/2019/02/edgespot-detects-pdf-zero-day-samples.html
# Tests: pcaps
# Yara:
# - MALWARE_Pdf_Trojan_Ticanoti_Variant_1
# - MALWARE_Pdf_Trojan_Ticanoti_Variant_2
# - MALWARE_Pdf_Trojan_Ticanoti_Variant_3
# ClamAV:
# - Pdf.Trojan.Ticanoti-Variant-1
# - Pdf.Trojan.Ticanoti-Variant-2
# - Pdf.Trojan.Ticanoti-Variant-3
# Hashes:
# - 0cc1234c981806dd22e0e98e4be002e8df8d285b055e7f891ff8e91af59aee1e
# - 2dd6ade4d0d4dc8224b28f8819b1c49bb7ae4025933e737ac8069c496d88bb43

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Pdf.Trojan.Ticanoti outbound information leak detected"; flow:to_server,established; content:"/nocache/"; http_uri; content:"?page="; http_uri; fast_pattern:only; content:"//mhjfbmdgcfjbbpaeojofohoefgiehjai|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000553; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Pdf.Trojan.Ticanoti outbound information leak detected"; flow:to_server,established; content:"//mhjfbmdgcfjbbpaeojofohoefgiehjai|0D 0A|"; fast_pattern:only; http_header; content:"<</F<</F(file////"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000554; rev:1;)

# --------------------
# Title: HawkEye / iSpy
# Reference: Research
# Tests: pcaps
# Yara:
# - INDICATOR_Win_DotNet_Packed
# ClamAV:
# - INDICATOR_Win_DotNet_Packed
# Hashes:
# - 039aa11d64377ad3719a3d637a8930b58140f60fa3c3025bf362d5f1186dc388
# - 0432d8f8f5493463e21e63bec2775b0768883427a3c304ed5c654295fe194f54
# - 059caf37845d86effe76c9884cc1ac328fb3e9e173ea7a591e39471643e46cfc
# - 3124000b9f0e4422ad5c153ea6c0b12e6740bb0672de53807b47b3fb1d96b9d1
# - 70030f1def1ff72fdcd64e31df5bb2f9edc53aa29552b7fe252aee6d8fb471f1
# - 79849bd2c0f7983623ed2da2a94a9cc57de192f823899d542887b7e87710ae1b
# - 9f7dca729655b97e79eff175797424b135790cf6e550b193285d04cb793e397a
# - b28f51704e94543040344a257555e8c0c3f175dcaff6a09bdd581503dfefd84e
# - b94eba88f222d0114ea940613ef7459a7d7f2ab9410abb9c1bfb2b59e063b92d
# - ba147bb736208f03e1272cd956078cc8d799dc5e0a087f1ead61c8ef20f8a1c4
# - bac7beac51934f584804cc38ab154d68e6085716704714051e5b1c433e1a87f6
# - d716c64eba90657a20742dd63adbef2ce23ba76ef743aec038665266f62072f0
# - e98f4dbfc2c5bfe7d4f8f4a21bcab3a4f8b0a577c1f25b417371b9047eba6e66
# - f0170c0df25cbcb224d2237836d94d5dcc23a628fdd13300fdf085dd0a1bcbeb
# Notes:
# - SID 8000512 from a previous sigs post is valid in this context.

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye/iSpy outbound connection attempt"; flow:to_server,established; content:"Subject: HawkEye Keylogger "; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000555; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye/iSpy outbound connection attempt"; flow:to_server,established; content:"- Passwords Logs -"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000556; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye/iSpy outbound connection attempt"; flow:to_server,established; content:"- Keyboard Logs -"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000557; rev:1;)
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
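The DNS rules in the post (sids 8000545 and 8000551) and the certificate content match of sid 8000552 depend on byte-offset arithmetic that is hard to verify by reading the rule alone. The Python below is an added example, not part of the original post or of the Snort ruleset: it re-implements each rule's match logic option by option over constructed DNS queries and a hand-built DER commonName, so the offset/depth, distance, byte_jump from_end and within semantics can be checked without running Snort. The packets, the DER fragment and the cn_content_option helper are assumptions made for illustration; the ssl_state:server_hello precondition of 8000552 is left to the SSL preprocessor and not modelled.

```python
"""Python re-implementation of the match logic of three rules from this post:
sid 8000545 (PlugX DNS tunneling), sid 8000551 (GandCrab DNS lookup) and the
certificate content match of sid 8000552. Added example; the DNS queries and
the DER fragment below are constructed test inputs, not malware captures."""

import struct

# Wire constants the rules rely on (DNS per RFC 1035, subject CN per X.509 DER)
DNS_FLAGS_STD_QUERY_RD = 0x0100
QTYPE_A, QTYPE_TXT = 1, 16
DER_OID_COMMON_NAME = b"\x55\x04\x03"   # 2.5.4.3, value bytes only
DER_TAG_PRINTABLE_STRING = 0x13


def build_dns_query(labels, qtype, txid=0x1234, flags=DNS_FLAGS_STD_QUERY_RD):
    """Minimal DNS message: 12-byte header plus one question (QNAME, QTYPE, QCLASS=IN)."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def matches_plugx_dns_tunnel(payload):
    """sid:8000545, option by option.

    content:"|01 00 00 01 00 00 00 00 00 00 3F|"; offset:2; depth:11;
        flags 0x0100 (standard query, RD), QDCOUNT=1, AN/NS/AR=0, first label 63 bytes.
    content:"|3F|"; distance:63;
        a second 63-byte label length after the first label ends. There is no
        `within`, so Snort accepts a 0x3F byte anywhere later; mirrored here.
    byte_jump:0,0,from_end,post_offset -5; content:"|00 10 00 01|"; distance:0; within:5;
        the final 5 bytes hold the QNAME terminator, QTYPE=TXT (16) and QCLASS=IN.
    """
    if payload[2:13] != b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x3f":
        return False
    cursor = 13 + 63                      # end of first match, then distance:63
    if payload.find(b"\x3f", cursor) == -1:
        return False
    tail = payload[-5:]                   # from_end, post_offset -5, within:5
    return b"\x00\x10\x00\x01" in tail


def matches_gandcrab_dns(payload):
    """sid:8000551: byte_test:1,!&,0xF8,2 keeps only standard queries (QR=0,
    opcode=0); then the length-prefixed name |09|kakaocorp|04|link anywhere."""
    if len(payload) < 3 or payload[2] & 0xF8:
        return False
    return b"\x09kakaocorp\x04link" in payload


def cn_content_option(cn):
    """Snort content pattern for a certificate subject CN written the way sid:8000552
    does it: commonName OID value bytes, PrintableString tag, one length byte, name.
    Caveat: a CN encoded as UTF8String (tag 0x0C) will not match such a pattern."""
    if len(cn) > 127:
        raise ValueError("single-byte DER length only")
    return "|55 04 03 13 %02X|%s" % (len(cn), cn)


def der_common_name(cn):
    """DER AttributeTypeAndValue { OID 2.5.4.3, PrintableString cn }, as it appears
    in a certificate Subject; used to check the pattern against real encoding."""
    oid = b"\x06\x03" + DER_OID_COMMON_NAME
    value = bytes([DER_TAG_PRINTABLE_STRING, len(cn)]) + cn
    inner = oid + value
    return b"\x30" + bytes([len(inner)]) + inner


def matches_gandcrab_cert(tls_bytes):
    """The content match of sid:8000552 over raw server-hello/certificate bytes."""
    pattern = DER_OID_COMMON_NAME + bytes([DER_TAG_PRINTABLE_STRING, 14]) + b"kakaocorp.link"
    return pattern in tls_bytes


if __name__ == "__main__":
    # Constructed inputs: a tunnel-style query with two 63-byte labels, a normal TXT lookup
    tunnel = build_dns_query([b"A" * 63, b"B" * 63, b"c2", b"example"], QTYPE_TXT)
    plain = build_dns_query([b"example", b"com"], QTYPE_TXT)
    print("PlugX tunnel :", matches_plugx_dns_tunnel(tunnel), matches_plugx_dns_tunnel(plain))
    lookup = build_dns_query([b"kakaocorp", b"link"], QTYPE_A)
    print("GandCrab DNS :", matches_gandcrab_dns(lookup))
    print("CN option    :", cn_content_option("kakaocorp.link"))
    print("CN in DER    :", matches_gandcrab_cert(der_common_name(b"kakaocorp.link")))
```

Two points fall out of running this: the tunnel rule only fires for TXT queries because of the trailing |00 10 00 01| check, so the same two-label encoding over A or CNAME records is not covered, and cn_content_option reproduces the rule's |55 04 03 13 0E|kakaocorp.link exactly, which is a quick way to get the length byte right when authoring similar certificate rules.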
Current thread:
- Multiple signatures 024 Y M via Snort-sigs (Mar 06)
- Re: Multiple signatures 024 Matthew Mickel (Mar 07)