
Multiple signatures 029


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 3 Jun 2019 18:17:12 +0000

Hi,

Below is a set of new Snort rules. Accompanying PCAP and Yara/ClamAV signatures are also available.

Have a great week.
YM

# --------------------
# Title: Win.Ransomware.CryptoMix Clop
# Reference: Research
# Tests: pcaps (f2p)
# Yara:
#   - MALWARE_Win_Ransomware_CryptoMixClop
# ClamAV:
#   - MALWARE_Win.Ransomware.CryptoMixClop-1
#   - MALWARE_Win.Ransomware.CryptoMixClop-2
# Hashes:
#   - 1281d6c387210fe426a399750d2135595a6c12587a9630e75934269987a0a034
#   - 7c8eb1d0c7a374223a366a8135c36cca5e1e9d7b48b74ce4415f051849a73ed9
#   - 96bdd3b4538a21f79c664641e48bd821007260977de028ba8bd761dbc0acb975
#   - cf3e3ee221ba2c3d863b97d7f138e741199d16fa833b996d3d8e01d2f1bfae76
# Note: the Snort rules below are weak; additional testing is required.

# sid 8000649 (HTTP/FTP/IMAP/POP3 to client) and sid 8000650 (SMTP to server) match
# the same two byte runs inside an executable body (file_data, gated on
# flowbits:isset,file.exe): "SystemFunction036" followed by "ADVAPI32.DLL", and the
# "GetProcessWindowStation / GetUserObjectInformationA / GetLastActivePopup /
# GetActiveWindow / MessageBoxA" run followed by "USER32.DLL".
# Detection caveat: these look like generic MSVC CRT import strings
# (SystemFunction036 is RtlGenRandom; the USER32 set is the CRT's message-box error
# path), so many benign executables will carry them too -- which is why the header
# flags the rules as weak. Neither content is relative and no fast_pattern is set,
# so Snort picks the longer content as the fast-pattern string on its own.
# Operational note: flowbits:isset,file.exe only becomes true when the file-identify
# rules that set that flowbit are enabled; without them neither rule can fire.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.CryptoMix Clop malicious 
executable download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|53 79 73 74 65 
6d 46 75 6e 63 74 69 6f 6e 30 33 36 00 00 00 41 44 56 41 50 49 33 32 2e 44 4c 4c 00 00 00 00|"; content:"|47 65 74 50 
72 6f 63 65 73 73 57 69 6e 64 6f 77 53 74 61 74 69 6f 6e 00 47 65 74 55 73 65 72 4f 62 6a 65 63 74 49 6e 66 6f 72 6d 61 
74 69 6f 6e 41 00 00 00 47 65 74 4c 61 73 74 41 63 74 69 76 65 50 6f 70 75 70 00 00 47 65 74 41 63 74 69 76 65 57 69 6e 
64 6f 77 00 4d 65 73 73 61 67 65 42 6f 78 41 00 55 53 45 52 33 32 2e 44 4c 4c 00 00|"; metadata:ruleset community, 
service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000649; rev:1;)

# SMTP twin of sid 8000649: identical contents, server-bound flow on tcp/25.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.CryptoMix Clop malicious executable 
download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|53 79 73 74 65 6d 46 75 6e 
63 74 69 6f 6e 30 33 36 00 00 00 41 44 56 41 50 49 33 32 2e 44 4c 4c 00 00 00 00|"; content:"|47 65 74 50 72 6f 63 65 
73 73 57 69 6e 64 6f 77 53 74 61 74 69 6f 6e 00 47 65 74 55 73 65 72 4f 62 6a 65 63 74 49 6e 66 6f 72 6d 61 74 69 6f 6e 
41 00 00 00 47 65 74 4c 61 73 74 41 63 74 69 76 65 50 6f 70 75 70 00 00 47 65 74 41 63 74 69 76 65 57 69 6e 64 6f 77 00 
4d 65 73 73 61 67 65 42 6f 78 41 00 55 53 45 52 33 32 2e 44 4c 4c 00 00|"; metadata:ruleset community, service smtp; 
classtype:trojan-activity; sid:8000650; rev:1;)

# --------------------
# Title: Win.Trojan.DarkCrystal RAT / Rasftuby
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_DarkCrystal_RAT_Rasftuby
# ClamAV:
#   - MALWARE_Win_DarkCrystal_RAT_Rasftuby
# Hashes:
#   - 09d5979cffd2d6bca8c602f8a345d4296115d1c779ae461ecede3d76f9cea4e4
#   - 2bb86a42cd30565d1dc70fefc499d3dd4d7ec4411de9761b14dd9cbad37d6d5a
#   - 8469b4b09cd36112bcbdd388012afd1579a951b79f6252d6a3c19e154d7129cb
# Note:
#   - A hit from the Yara rule INDICATOR_Binary_References_Many_Builtin_Windows_Executables
#     against the PCAPs can indicate an exfiltrated process listing.

# sid 8000651-8000653: requests to the DarkCrystal RAT PHP endpoints. Every rule
# also requires that no User-Agent header is present (content:!"User-Agent" in the
# header buffer), which is what separates the implant from a browser or script
# hitting a similarly named path.
# sid 8000651: "/main.php?data=active" anywhere in the normalized URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DarkCrystal RAT outbound connection"; 
flow:to_server,established; content:"/main.php?data=active"; fast_pattern:only; http_uri; content:!"User-Agent"; 
http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000651; rev:1;)

# sid 8000652: "/DCRS/dsock/" URI shorter than 100 bytes, method HEAD, and neither a
# User-Agent nor a Connection header -- the tightest of the three.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DarkCrystal RAT outbound connection"; 
flow:to_server,established; content:"/DCRS/dsock/"; fast_pattern:only; http_uri; urilen:<100; content:"HEAD"; 
http_method; content:!"User-Agent"; http_header; content:!"Connection"; http_header; metadata:ruleset community, 
service http; classtype:trojan-activity; sid:8000652; rev:1;)

# sid 8000653: "/socket.php?type=" plus a "ds_setdata_" parameter in the URI (both
# non-relative, so their order in the URI is not enforced).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DarkCrystal RAT outbound connection"; 
flow:to_server,established; content:"/socket.php?type="; fast_pattern:only; http_uri; content:"ds_setdata_"; http_uri; 
content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000653; 
rev:1;)

# sid 8000654 is a generic indicator rather than a RAT-specific signature: any
# client requesting the 3-byte URI "/ip" from ipinfo.io with no User-Agent and no
# Referer will match, so expect hits from scripts and admin tooling and weigh this
# alert together with the RAT rules above rather than on its own.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to ipinfo.io"; 
flow:to_server,established; urilen:3; content:"Host: ipinfo.io|0D 0A|"; fast_pattern:only; http_header; content:"/ip"; 
http_uri; content:!"User-Agent"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service 
http; classtype:trojan-activity; sid:8000654; rev:1;)

# --------------------
# Title: Win.Trojan.QulabZ / MASAD Stealer
# Reference: Research
# Tests: syntax only
# Yara:
#   - MALWARE_Win_Trojan_QulabZ_Stealer
# ClamAV:
#   - MALWARE_Win.Trojan.QulabZ-Stealer
# Hashes:
#   - 0383a9607db623b7305988b39dc8ab9fa0a4fc353de853a6cce59645ddf63081
#   - 060d8cadca9146bf0503172f8299763f0101efb757ac71ca3ce365e63e49a008
#   - 139d07df2150213b78a95fcf3e9b760ba130d8b7f694b208bc094eb3d0a0ecb4
#   - 1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0
#   - 32b5d0d28b48a802c1d24ee990485cda4d25756e51585c29e014d68dd9458e74
#   - 358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020
#   - 6bf8aca158b7f1aeaf96f1b369b189e32537a62d9e3b059eba047f10387b1d5d
#   - 6faf5ff76303fdc31acbcc8ec9145761a0535b4a4ef75b31fa01311957b56a4c
#   - 7cbd433fcb043cb950489cecd175ee0d2846920a05a3ad4968e32d4ad74a1294
#   - 8afde4f6f28fb3dc26ce86e7158b974e946875f96c674e3863449384102e3bd6
#   - 9f1e8bf3bd9d937cec87fcee7d981d6919b1c11436c3a73cf3caa18adf855cda
#   - a8378d35eb92c8427a1f9505e9b12de0059a3e0463a7a465ae1665301dbf0c7c
#   - ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867
#   - bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375
#   - d291b19ec26742ea2edfb622d321cad3d75771186b88bf5222da2c714619cc2d
#   - e96450d29ab037abad0cb12b0785c3c2b9383f9472a444f276027bed5738f84a
# Note:
#   - Requires SSL decryption, since the exfiltration (a 7z archive) goes to Telegram over HTTPS.
#   - Different installers/packers mostly AutoIt, NullSoft, and UPX.

# sid 8000657/8000658: Telegram Bot API requests. The URI must start with "/bot"
# (depth:4), a ":" must follow at least 8 bytes after it (the "<bot-id>:<token>"
# form), and "/getMe?" or "/sendDocument" must appear within the next 50 bytes.
# Detection caveat: this is generic Bot API traffic -- any legitimate Telegram bot
# client produces the same URIs -- so it identifies the exfiltration channel, not
# the stealer. The rules target tcp/443 with http_* buffers, so they only see
# traffic behind SSL/TLS decryption, and the header records "syntax only" testing.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.QulabZ stealer outbound connection"; 
flow:to_server,established; content:"/bot"; depth:4; http_uri; content:":"; distance:8; http_uri; content:"/getMe?"; 
within:50; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000657; rev:1;)

# sid 8000658: same token shape as 8000657, "/sendDocument" in place of "/getMe?".
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.QulabZ stealer outbound connection"; 
flow:to_server,established; content:"/bot"; depth:4; http_uri; content:":"; distance:8; http_uri; 
content:"/sendDocument"; within:50; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; 
sid:8000658; rev:1;)

# sid 8000659: inbound getMe-style JSON containing "is_bot":true plus first_name and
# username keys in the response body.
# NOTE(review): the first content begins with 5C 22, i.e. a backslash before the
# quote in "id" -- an escaped-JSON form. Confirm against captured traffic; a plain
# getMe response body would carry "id" with no backslash, and this family was
# tested for syntax only.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.QulabZ stealer inbound connection"; 
flow:to_client,established; file_data; content:"|5C 22|id|22|"; content:"|22|is_bot|22|:true"; 
content:"|22|first_name|22|:"; content:"|22|username|22|"; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000659; rev:1;)

# --------------------
# Title: Win.Trojan.ASync RAT
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_AsyncRAT
# ClamAV:
#   - MALWARE_Win.Trojan.AsyncRAT
# Hashes:
#   - 818fa711c47af91faede1311d5a0ef60410899358cce18ce98aa22e412d1626d
# Note:
#   - AsyncRAT Version: 0.4.9B
#   - ssl_state:server_hello may not work, so it is removed from the Snort rule.
#   - Packed with AutoIt.
#   - Snort signature does not cover non-SSL variants.
#   - Existing Yara/ClamAV signature hits:
#       1. INDICATOR_Binary_References_Sandbox_Hooking_DLL
#       2. INDICATOR_Binary_References_Many_Builtin_Windows_Executables
#       3. INDICATOR_Binary_References_Disabling_Windows_Defender_PWSH_Aritfacts

# Matches the X.509 subject commonName in the server-side TLS handshake:
# 55 04 03 is OID 2.5.4.3 (commonName), 0C is the UTF8String tag, 0x12 = 18 is the
# length of "AsyncRAT Server CA".
# Detection caveat: this appears to be the certificate name the AsyncRAT builder
# emits by default; an operator who supplies their own certificate will not match.
# The header notes that ssl_state:server_hello was dropped because it may not fire
# reliably, so the rule has no port or state restriction (any -> any) and relies on
# fast_pattern:only to stay cheap.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Async RAT variant SSL certificate exchange"; 
flow:to_client,established; content:"|55 04 03 0C 12|AsyncRAT Server CA"; fast_pattern:only; metadata:ruleset 
community, service ssl; classtype:trojan-activity; sid:8000660; rev:1;)

# --------------------
# Title: Win.Trojan.ProtonBot
# Reference: https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_ProtonBot
# ClamAV:
#   - MALWARE_Win.Trojan.ProtonBot
# Hashes:
#   - 9af4eaa0142de8951b232b790f6b8a824103ec68de703b3616c3789d70a5616f

# sid 8000661/8000662: two shapes of the ProtonBot check-in URI -- "/page.php?id="
# followed by either "&clip=get" or both "&os=" and "&pv=". The contents are
# non-relative, so parameter order is not enforced. "/page.php?id=" alone is common
# in benign PHP sites; the second content is what gives these rules specificity.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ProtonBot outbound connection"; 
flow:to_server,established; content:"/page.php?id="; fast_pattern:only; http_uri; content:"&clip=get"; http_uri; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000661; rev:1;)

# sid 8000662: the "&os=" / "&pv=" variant of the check-in.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ProtonBot outbound connection"; 
flow:to_server,established; content:"/page.php?id="; fast_pattern:only; http_uri; content:"&os="; http_uri; 
content:"&pv="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000662; rev:1;)

# sid 8000663: User-Agent ending in ") Proton Browser" followed by CRLF, matched in
# the normalized header buffer. This is the most specific string of the three and
# fires independently of the URI rules above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ProtonBot outbound connection"; 
flow:to_server,established; content:") Proton Browser|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset 
community, service http; classtype:trojan-activity; sid:8000663; rev:1;)

# --------------------
# Title: Win.Ransomware.GetCrypt
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Ransomware_GetCrypt
# ClamAV:
#   - MALWARE_Win.Ransomware.GetCrypt-1
#   - MALWARE_Win.Ransomware.GetCrypt-2
# Hashes:
#   - 3ee4607ed06c270fdf9ddfde65da676d2547607bad420a8114767309b17adfeb
#   - 8d833937f4da8ab0269850f961e8a9f963c23e6bef04a31af925a152f01a1169
#   - f94814acaa06d4c006bf5f5f5c2f18ccc02e6859a927b6f4250f4c5b0985df0c
#   - bcbf98fe5c81dfb45a5c15344457a7c047440c9a92c11c469bc020d0e35eb480
# Note:

# sid 8000664 (HTTP/FTP/IMAP/POP3) and sid 8000665 (SMTP) match one contiguous run
# from the executable's import hint/name table: CryptImportKey, CryptEncrypt,
# CryptAcquireContextA, CryptDestroyKey, CryptGenRandom, CryptAcquireContextW,
# "ADVAPI32.dll", then ShellExecuteExW and "SHELL32.dll".
# The 2-byte values between the names (cb 00, c1 00, c8 00, d2 00, c2 00, b5 01)
# appear to be import hint values, which are fixed at link time: they make the
# pattern very specific to these builds but likely to miss a relinked variant. If
# coverage of future builds matters more than precision, the hints are the bytes
# to drop first.
# Operational note: flowbits:isset,file.exe must be set by an enabled file-identify
# rule before this content is evaluated.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.GetCrypt malicious 
executable download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|43 72 79 70 74 
49 6d 70 6f 72 74 4b 65 79 00 00 cb 00 43 72 79 70 74 45 6e 63 72 79 70 74 00 00 c1 00 43 72 79 70 74 41 63 71 75 69 72 
65 43 6f 6e 74 65 78 74 41 00 00 c8 00 43 72 79 70 74 44 65 73 74 72 6f 79 4b 65 79 00 d2 00 43 72 79 70 74 47 65 6e 52 
61 6e 64 6f 6d 00 00 c2 00 43 72 79 70 74 41 63 71 75 69 72 65 43 6f 6e 74 65 78 74 57 00 00 41 44 56 41 50 49 33 32 2e 
64 6c 6c 00 00 b5 01 53 68 65 6c 6c 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4c 4c 33 32 2e 64 6c 6c 00|"; 
metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; 
sid:8000664; rev:1;)

# SMTP twin of sid 8000664: identical content, server-bound flow on tcp/25.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.GetCrypt malicious executable download 
attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|43 72 79 70 74 49 6d 70 6f 72 74 4b 
65 79 00 00 cb 00 43 72 79 70 74 45 6e 63 72 79 70 74 00 00 c1 00 43 72 79 70 74 41 63 71 75 69 72 65 43 6f 6e 74 65 78 
74 41 00 00 c8 00 43 72 79 70 74 44 65 73 74 72 6f 79 4b 65 79 00 d2 00 43 72 79 70 74 47 65 6e 52 61 6e 64 6f 6d 00 00 
c2 00 43 72 79 70 74 41 63 71 75 69 72 65 43 6f 6e 74 65 78 74 57 00 00 41 44 56 41 50 49 33 32 2e 64 6c 6c 00 00 b5 01 
53 68 65 6c 6c 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4c 4c 33 32 2e 64 6c 6c 00|"; metadata:ruleset community, 
service smtp; classtype:trojan-activity; sid:8000665; rev:1;)

# --------------------
# Title: Win.Trojan.AZorult using the AVIator AV Bypass utility
# Reference: Research
# Tests: pcaps
# Yara:
#   - Tool_AVBypass_AVIator
#   - INDICATOR_Binary_References_Remote_Download_Execution_Artifacts
# ClamAV:
#   - Tool.AVBypass.AVIator
#   - INDICATOR_Binary_References_Remote_Download_Execution_Artifacts
# Hashes:
#   - Downloader:
#       - 32163dc4db5ca091126647902c80876057eee3f324f75303b363bd7e27971fbf (setup.exe)
#   - Downloaded/Dropped:
#       - e28d88f49d86ab60f182844e068a26615b9fce00e9e30f2f7f5961a32683d8a5 (plain.exe or plainupdate.exe)
#       - 9451abbc1dcc95616e227543db788c590d2cf6abc7397c6935cb5be1f073324a (plain.exe)
# Note:
#   - Binary is stored as a resource "get_PUAvvhsBiTTEdBbGnUZjOwAgSV"
#   - Azorult compiled on May 27, 2019.
#   - The downloader was observed to download different binaries during
#     separate executions.

# sid 8000666: Azorult check-in. POST to a 10-byte URI "/index.php" with the
# hard-coded MSIE 6.0b User-Agent (|3B| is the escaped ';' that Snort would
# otherwise read as an option separator), a 4-byte prefix 00 00 00 26 at the start
# of the body, and no Connection, Accept, Referer or Content-Type headers. The
# negated headers carry much of the specificity, since the UA string alone is an
# old but not unique value.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Azorult variant outbound connection"; 
flow:to_server,established; urilen:10; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.1)"; 
http_header; fast_pattern:only; content:"/index.php"; http_uri; content:"|00 00 00 26|"; depth:4; http_client_body; 
content:"POST"; http_method; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; 
http_header; content:!"Content-Type"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; 
sid:8000666; rev:1;)

# sid 8000667: generic indicator -- any request with a 6-byte URI to iplogger.co.
# Not Azorult-specific; weigh it together with the rules above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to iplogger.co"; 
flow:to_server,established; urilen:6; content:"Host: iplogger.co|0D 0A|"; fast_pattern:only; http_header; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000667; rev:1;)

# sid 8000668 (HTTP/FTP/IMAP/POP3) and sid 8000669 (SMTP): the UTF-16LE string
# A V / \ t o r inside a downloaded executable body. As with the other file_data
# rules, flowbits:isset,file.exe must be set by an enabled file-identify rule.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE malicious executable AV bypass 
download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"A|00|V|00|/|00 5C 
00|t|00|o|00|r"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service 
pop3; classtype:trojan-activity; sid:8000668; rev:1;)

# SMTP twin of sid 8000668.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE malicious executable AV bypass download 
attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"A|00|V|00|/|00 5C 00|t|00|o|00|r"; 
fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000669; rev:1;)

# sid 8000670 (HTTP/FTP/IMAP/POP3) and sid 8000671 (SMTP): a null-prefixed
# "APCInjection" string plus a null-prefixed "threadHijackin..." string in the
# executable body.
# NOTE(review): 8000670 matches "|00|threadHijackin_" while its SMTP twin 8000671
# matches "|00|threadHijackin" (no trailing underscore). Confirm which spelling the
# samples carry so both transport variants key on the same artifact; as written
# 8000670 is the stricter of the two.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE malicious executable AV bypass 
download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|APCInjection"; 
fast_pattern:only; content:"|00|threadHijackin_"; metadata:ruleset community, service ftp-data, service http, service 
imap, service pop3; classtype:trojan-activity; sid:8000670; rev:1;)

# SMTP twin of sid 8000670 (see the spelling note above).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE malicious executable AV bypass download 
attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00|APCInjection"; 
fast_pattern:only; content:"|00|threadHijackin"; metadata:ruleset community, service smtp; classtype:trojan-activity; 
sid:8000671; rev:1;)

# --------------------
# Title: HiddenWasp Malware Stings Targeted Linux Systems
# Reference: https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/
# Tests: syntax only
# Yara:
#   - MALWARE_Linux_Trojan_HiddenWasp
#   - INDICATOR_Linux_File_References_Clearing_History
# ClamAV:
#   - MALWARE_Linux.Trojan.HiddenWasp-1
#   - MALWARE_Linux.Trojan.HiddenWasp-2
#   - INDICATOR_Linux_File_References_Clearing_History-1
#   - INDICATOR_Linux_File_References_Clearing_History-2
# Hashes:
#   - de823a4e958168ff8800b9d10b0dbfc911a57dda0f76a120b4e1cc71cada8ae7 (bash script)
# Note:
#   - No access to ELF samples on VTI.

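# Fix: the option keyword is fast_pattern -- "fast_pettern" is not a Snort option,
# so the parser rejects the rule and, as posted, none of the three rules in this
# section loads. Corrected to fast_pattern:only in sid 8000672 and to plain
# fast_pattern in sid 8000673/8000674, where depth:6 is in effect and
# fast_pattern:only cannot be combined with a depth.
# sid 8000672: outbound "/test?data=" URI together with a curl User-Agent. curl
# traffic is common on its own, so the URI fragment carries the specificity.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.HiddenWasp outbound connection 
attempt"; flow:to_server,established; content:"/test?data="; fast_pattern:only; http_uri; content:"User-Agent: curl/"; 
http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000672; rev:1;)

# sid 8000673/8000674: the 6-byte payload prefix 75 63 65 73 00 01 ("uces" 00 01)
# in either direction on any TCP port. Per the header these were tested for
# syntax only, so the prefix has not been validated against live traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Trojan.HiddenWasp outbound connection attempt"; 
flow:to_server,established; content:"|75 63 65 73 00 01|"; depth:6; fast_pattern; metadata:ruleset community; 
classtype:trojan-activity; sid:8000673; rev:1;)

# Inbound twin of sid 8000673.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Linux.Trojan.HiddenWasp inbound connection attempt"; 
flow:to_client,established; content:"|75 63 65 73 00 01|"; depth:6; fast_pattern; metadata:ruleset community; 
classtype:trojan-activity; sid:8000674; rev:1;)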