Multiple signatures 031
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 22 Aug 2019 17:54:58 +0000
Hello, Below are some new rules, and some older ones that weren't picked up from previous posts, which more recent samples are still matching. PCAPs and Yara/ClamAV signatures are available for some of the cases. Thank you. YM # -------------------- # Title: CVE-2019-0604 Artifacts # Reference: Research # Tests: pcap # Detection: # - Yara: NA # - ClamAV: NA # Hashes: NA # Note: # - The http_uri content match may be/should be removed. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder follow up traffic"; flow:to_server,established; content:"Response.Write(|22|UAshell|22|)|3B 0D 0A|"; fast_pattern:only; http_header; content:"/ua.aspx"; http_uri; content:"Cookie:"; http_header; metadata:ruleset community, service http; reference:cve,2019-0604; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604; classtype:attempted-user; sid:8000683; rev:1;) # -------------------- # Title: DSL DNS Change # Reference: Research # Reference: https://csirt.bank.gov.ua/en/news/44 # Tests: pcap (D-Link only) # Detection: NA # Hashes: NA # Note: # - In the TOTOLINK rule (sid:8000688) the "&dnsrefresh=1" content match carries no http_uri modifier, unlike the rule's other URI matches. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/dnscfg.cgi?"; fast_pattern:only; http_uri; content:"dnsPrimary="; http_uri; content:"&dnsSecondary"; http_uri; content:"&dnsDynamic="; http_uri; content:"&dnsRefresh="; http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000684; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ARG-W4 ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/form2dns.cgi?"; fast_pattern:only; http_uri; content:"dnsmode=1"; http_uri; content:"&dns1="; http_uri; content:"&dns2="; http_uri; content:"&save=apply="; http_uri; metadata:ruleset community, service http; 
classtype:attempted-user; sid:8000685; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DSLink 260E ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/action?dns_status=1"; fast_pattern:only; http_uri; content:"&dns_server_ip1=1"; http_uri; content:"&cmdadd=add"; http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000686; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Secutech ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/wan_dns.asp?go=wan_dns.asp"; fast_pattern:only; http_uri; content:"&dnsen=on"; http_uri; content:"&ds1="; http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000687; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TOTOLINK ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/formbasetcpipsetup?"; fast_pattern:only; http_uri; content:"dnsmode=dnsmanual"; http_uri; content:"&dns1="; http_uri; content:"&dnsrefresh=1"; metadata:ruleset community, service http; classtype:attempted-user; sid:8000688; rev:1;) # -------------------- # Title: Win.Trojan.MSIL-Proyecto # Reference: Research # Tests: pcap # Detection: NA # Hashes: # - b222b381a414270786cfe7c8e610256f0080e0505d3b28848c17db796f1f4224 # Note: # - One of the two signatures below may be ignored in favor of the other. 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL-Proyecto outbound connection"; flow:to_server,established; content:"/mkv/inc/"; http_uri; fast_pattern:only; content:".php"; distance:14; http_uri; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000689; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL-Proyecto outbound connection"; flow:to_server,established; content:"|3B| Windows NT 6.1|3B| ru|3B|"; http_header; content:"Firefox/4.0"; within:40; http_header; fast_pattern; content:".php"; http_uri; pcre:"/\/[a-z0-9]{14}\.php$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000690; rev:1;) # -------------------- # Title: Win.Trojan.WSHRAT/Cryxos # Reference: Research # Tests: pcap # Detection: # - Yara: # - MALWARE_Win_Trojan_Keylogger_JS # - MALWARE_Win_Trojan_Keylogger_BIN # - ClamAV: # - MALWARE_Win.Trojan.Keylogger-JS # - MALWARE_Win.Trojan.Keylogger-BIN # Hashes: # - 1529f3494b9b5845601303d772bb06d222f1b0e4f7ea180f8434fff6f6a072a2 (.js) # - 27b51b90dde5fecb4199063da57da264266803e29a23910cb13d987164fc2217 (.js) # - 61422d06083e048065f02df046d21df773adb5b6d14cca923931d3f27f3ae761 (.js) # - 923c88d30237f7b6d06791916a9d347cf0da647d0aba20c728d688d49d410204 (.js) # - c30dc16deeb3bd62dfda6aa02568b6ac9a356dff917ebe7aad5253bc2985231d (.js) # - 272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a (second stage binary) # Note: # - The second stage rule (sid:8000692) carries no flow: option, unlike sid:8000691. alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.WSHRAT/Cryxos variant outbound connection"; flow:to_server,established; content:"User-Agent: WSHRAT"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000691; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.WSHRAT/Cryxos variant second stage outbound connection"; content:"/open-keylogger HTTP/"; fast_pattern:only; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000692; rev:1;) # -------------------- # Title: Generic PowerShell dropper # Reference: Research # Tests: pcap # Detection: NA # Hashes: # - b0c869656baa7b328e0a61d7e32001800395fdd2338df463b4691388f6a5f976 (.lnk) # - 3095ecdcab270cd0341911ff220dd6f242919bd597e1f29a2955b47183952e46 (.bat) # - 712b534b452c401260026e7ba0838d9a425acc04606773a91a01fa2775119c33 (.bat) # - b43f92675979251693f52645fcb07e00c9bfa016aae0c56f19bcd9a81c7d2784 (.lnk) # - 42c4e957c0a00e208ac1fddfb2c67fbb4d4ee78e6a4869c275e3015abda86cb0 (AgentTesla) # - 08252420f31da4f617943c2d5841069d0ddde025f19f53b3f3038fdef12a900d (AgentTesla) # Note: # - Dropped payloads are mostly Win.Trojan.AgentTesla. Not all payloads were examined. # - The PCRE may be removed from the rule. # - Observed URLs: # - hxxp://web[.]riderit[.]com:8000/ajp/public/0251e9e6dd2b6761318cf74b9c7cfbcc.php # - hxxp://web[.]riderit[.]com:8000/ajp/public/2eff7f856c921b9679658fc1076ad8df.php # - hxxp://web[.]riderit[.]com:8000/ajp/public/4a122e1be14c64455d732d6809397908.php # - hxxp://web[.]riderit[.]com:8000/ajp/public/4c76a53c02e96376537dd399c26d42e6.php # - hxxp://web[.]riderit[.]com:8000/ajp/public/4ebcbf3ba7ccb02dfb195c7d5ca7787d.php # - hxxp://web[.]riderit[.]com:8000/ajp/public/597684641290261a2d9b5e4f3c31448f.php # - hxxp://web[.]riderit[.]com:8000/ajp/public/824e747ac0a4b302b94c5c8811aecffc.php # - hxxp://web[.]riderit[.]com:8000/ajp/public/921f92a5d1a046bfb48a3c9ea2e85893.php # - hxxp://web[.]riderit[.]com:8000/ajp/public/c516cd9f3d02c0a9657652b835170278.php # - hxxp://web[.]riderit[.]com:8000/ajp/public/c6e905de8a762015cd177be60cd6bd67.php # - hxxp://web[.]riderit[.]com:8000/ajp/public/de33e172deb9cd1a01cc95a3198b5ff2.php # - hxxp://web[.]riderit[.]com:8000/ajp/public/e6f482cc5f9dd0a1d18cb925499c1e6b.php # - hxxp://web[.]riderit[.]com:8000/ajp/public/ef0390ca68e9e2a0e3851e0cf6b22353.php # - 
hxxp://web[.]riderit[.]com:8000/ajp/public/f7d2dd7b5bdd9919634388790cc9c4fa.php alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper second stage payload download attempt"; flow:to_server,established; content:"/ajp/public/"; fast_pattern:only; http_uri; content:".php"; distance:32; http_uri; pcre:"/[a-z0-9]{32}\.php$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000693; rev:1;) Older rules: # -------------------- # Title: Win.Trojan.Remcos # Reference: Research # Tests: pcap # Detection: # - Yara: MALWARE_Win_Trojan_Remcos # - ClamAV: MALWARE_Win.Trojan.Remcos # Hashes: # - 1b14169a1d9ca041ab78a8e571ed31a474653addfca9fa92b63208dd3bd72a49 # - 44db2df3f3bb2525bc7d36ea6d15cc0f457791c4b9d957f6835ce6facbecfffb # - 8588ae6b0cd64a359929e5990249cfa64ccf1b7e3d8ce8db201b3482d5142b65 # - 70831ec3a25ad0ed98cc867d4a23432cad9ecb96c59b82065ec9f936ff9cdd43 # - a3bb006a69214a66f34953ce4e089101bbecf890716d8e419f77b093b1d956f1 # Notes: # - Signatures were submitted on March 18, 2019 (Multiple signatures 025) and are still valid. 
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos initial outbound connection attempt"; flow:to_server,established; content:"[DataStart]"; fast_pattern:only; content:"RemoteHost|7C|cmd|7C|"; distance:8; metadata:ruleset community; classtype:trojan-activity; sid:8000558; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos inbound connection attempt"; flow:to_client,established; dsize:<85; content:"[DataStart]"; fast_pattern:only; content:"|7C|cmd|7C|"; distance:9; metadata:ruleset community; classtype:trojan-activity; sid:8000559; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos outbound connection attempt"; flow:to_server,established; content:"[DataStart]"; fast_pattern:only; content:"|7C|cmd|7C|C|00|o|00|m|00|p|00|u|00|t|00|e|00|r|00 7C|cmd|7C|"; distance:9; metadata:ruleset community; classtype:trojan-activity; sid:8000560; rev:1;) # -------------------- # Title: Win.Trojan.Amadey # Reference: Research # Tests: pcap # Detection: # - Yara: MALWARE_Win_Trojan_Amadey_dnldr # - ClamAV: MALWARE_Win.Trojan.Amadey-dnldr # Hashes: # - 5cd3703b82ad47edee1fcd274dd54ddc57e0ae9d63985d22a4a8246aca8cc6a6 (Amadey) # - ffff323bd3d8ac20f0f6e5f36f4e8bca9443da81e6aa3f380234ca102eb0e019 (VBS drops Amadey) # Note: # - Signatures were submitted on May 02, 2019 (Multiple signatures 027), and are still valid. # - Amadey binary is encoded within the VBS script. 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Amadey downloader variant outbound connection"; flow:to_server,established; content:"&sd="; http_client_body; content:"&vs="; http_client_body; content:"&ar="; http_client_body; content:"&bi="; http_client_body; content:"&lv="; http_client_body; content:"&os="; http_client_body; content:"&av="; http_client_body; content:"&pc="; http_client_body; content:"&un="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000602; rev:2;) # -------------------- # Title: Win.Trojan.LodaLogger # Reference: Research # Reference: https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware # Tests: pcap # Detection: NA # Hashes: # - 18007cd1f63a8bb3ddbc8a947515c71627ed1cc578264f7bb8c6990b9927fbf1 # - 37782247ba0b06455f0cb12feb4365fed1a805bb3762e167ee803783f0f5731e # - 38e736edadcc0d60d0e2cccb7a2bcf3d2a2cd471b9177147224151581d2a9fa3 # - e20eaa5366d498cb9aae3ccaab774ee4210bbef44436a10bb30563e68c94560a # Note: # - Signatures were posted twice, on August 14, 2018 (Multiple signatures 009) and May 02, 2019 (Multiple signatures 027), # under different names since they weren't appropriately identified. # - According to network traffic, the malware is version 1.0.8. 
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.LodaLogger outbound connection"; flow:to_server,established; content:"|7C|WIN_"; fast_pattern; content:"|7C|X64|7C|"; within:10; content:"|7C|Pr"; within:25; metadata:ruleset community; classtype:trojan-activity; sid:8000256; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.LodaLogger outbound connection"; flow:to_server,established; content:"|7C|WIN_"; fast_pattern; content:"|7C|X86|7C|"; within:10; content:"|7C|Pr"; within:25; metadata:ruleset community; classtype:trojan-activity; sid:8000257; rev:3;) # -------------------- # Title: Win.Trojan.Racealer/Racoon Stealer # Reference: Research # Tests: pcaps # Detection: # - Yara: MALWARE_Win_Trojan_Racealer # - ClamAV: MALWARE_Win.Trojan.Racealer # Hashes: # - Older samples: # - 06c7609239d733d28fbb871b0c9459b6fe1e72df18dc0d4850ade5081b77ab80 # - 5c320dfd6b11443cd9a1da5bc57d14cfdd5aa74029bd4ee7380af5ae5c4d3f2d # - 841c6cc82cc2c1fd38531953ffa4559798c082dbeb1852d73a24180fe889e3b4 # - c31757bd0ff0850199dd28d6db0bc174cd7dff38126979bfef5d8a21b361d22c # - Recent samples: # - d08b20a598df0c7a04cd6570e3b2bfcbaa358a324208f352ad4dff2c9f749240 # - fde80c40258088be97efdc3c64bd85637a4ca4ad580c1542c001d50d10a09c97 # Note: # - Signatures submitted on May 07, 2019 (Multiple signatures 027). # - Changed message description and revision. 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Racealer/Racoon Stealer outbound connection"; flow:to_server,established; urilen:13; content:"/gate/log.php"; fast_pattern:only; http_uri; content:"params="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000604; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Racealer/Racoon Stealer outbound connection"; flow:to_server,established; content:"/file.php?"; http_uri; content:"hash="; fast_pattern:only; http_uri; content:"&callback="; http_uri; content:"&js="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000605; rev:2;)