
Multiple signatures 031


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 22 Aug 2019 17:54:58 +0000

Hello,

Below are some new rules, and some older ones that weren't picked up from previous posts; more recent samples are 
still matching these signatures. PCAPs and Yara/ClamAV signatures are available for some of the cases.

Thank you.
YM

# --------------------
# Title: CVE-2019-0604 Artifacts
# Reference: Research
# Tests: pcap
# Detection:
#  - Yara: NA
#  - ClamAV: NA
# Hashes: NA
# Note:
#  - The http_uri content match may be (or should be) removed.

# Inbound HTTP request (to $HTTP_PORTS) whose http_header buffer carries the
# ASP.NET fragment Response.Write("UAshell");<CR><LF>, with a "/ua.aspx" URI and a
# Cookie header present. Response.Write() is page source rather than header
# syntax, so NOTE(review): confirm against the pcap that the string really
# appears in the request headers; if it is sent in the request body,
# http_client_body is the buffer to match on. The "/ua.aspx" match is the one
# flagged above as possibly removable.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder 
follow up traffic"; flow:to_server,established; content:"Response.Write(|22|UAshell|22|)|3B 0D 0A|"; fast_pattern:only; 
http_header; content:"/ua.aspx"; http_uri; content:"Cookie:"; http_header; metadata:ruleset community, service http; 
reference:cve,2019-0604; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604; 
classtype:attempted-user; sid:8000683; rev:1;)

# --------------------
# Title: DSL DNS Change
# Reference: Research
# Reference: https://csirt.bank.gov.ua/en/news/44
# Tests: pcap (D-Link only)
# Detection: NA
# Hashes: NA
# Note: NA

# D-Link ADSL router DNS-settings change via /dnscfg.cgi: every parameter name is
# matched in the normalized URI buffer, in no particular order (no relative
# modifiers). The rule checks only the request shape, not whether the request is
# authenticated, so legitimate remote administration from $EXTERNAL_NET also
# alerts.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link ADSL router unauthenticated remote DNS 
change attempt"; flow:to_server,established; content:"/dnscfg.cgi?"; fast_pattern:only; http_uri; 
content:"dnsPrimary="; http_uri; content:"&dnsSecondary"; http_uri; content:"&dnsDynamic="; http_uri; 
content:"&dnsRefresh="; http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000684; 
rev:1;)

# ARG-W4 ADSL router DNS-settings change via /form2dns.cgi with dnsmode=1; all
# parameters are matched in the normalized URI buffer. As with the sibling rules,
# authentication is not checked, so legitimate remote administration also alerts.
# NOTE(review): the trailing "=" in "&save=apply=" looks unusual for a form
# submit value; confirm it against the pcap so the rule does not miss requests
# that send "&save=apply" followed by "&" or end of URI.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ARG-W4 ADSL router unauthenticated remote DNS 
change attempt"; flow:to_server,established; content:"/form2dns.cgi?"; fast_pattern:only; http_uri; 
content:"dnsmode=1"; http_uri; content:"&dns1="; http_uri; content:"&dns2="; http_uri; content:"&save=apply="; 
http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000685; rev:1;)

# DSLink 260E ADSL router DNS-settings change via /action?dns_status=1 with an
# "add" command; all matches are in the normalized URI buffer.
# NOTE(review): "&dns_server_ip1=1" includes the first digit of the value, so
# only DNS server addresses starting with "1" are caught; if that digit comes
# from the sample rather than a fixed flag, "&dns_server_ip1=" would cover any
# address the attacker chooses.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DSLink 260E ADSL router unauthenticated remote 
DNS change attempt"; flow:to_server,established; content:"/action?dns_status=1"; fast_pattern:only; http_uri; 
content:"&dns_server_ip1=1"; http_uri; content:"&cmdadd=add"; http_uri; metadata:ruleset community, service http; 
classtype:attempted-user; sid:8000686; rev:1;)

# Secutech ADSL router DNS-settings change via /wan_dns.asp with DNS enabled
# ("&dnsen=on") and a primary server parameter ("&ds1="); all matches are in the
# normalized URI buffer. Authentication is not checked, so legitimate remote
# administration from $EXTERNAL_NET also alerts.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Secutech ADSL router unauthenticated remote 
DNS change attempt"; flow:to_server,established; content:"/wan_dns.asp?go=wan_dns.asp"; fast_pattern:only; http_uri; 
content:"&dnsen=on"; http_uri; content:"&ds1="; http_uri; metadata:ruleset community, service http; 
classtype:attempted-user; sid:8000687; rev:1;)

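# TOTOLINK ADSL router DNS-settings change via /formbasetcpipsetup with manual
# DNS mode; every parameter is matched in the normalized URI buffer. The final
# "&dnsrefresh=1" match now carries http_uri like its siblings, so it is checked
# in the same buffer instead of the raw payload. Authentication is not checked,
# so legitimate remote administration from $EXTERNAL_NET also alerts.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TOTOLINK ADSL router unauthenticated remote 
DNS change attempt"; flow:to_server,established; content:"/formbasetcpipsetup?"; fast_pattern:only; http_uri; 
content:"dnsmode=dnsmanual"; http_uri; content:"&dns1="; http_uri; content:"&dnsrefresh=1"; http_uri; metadata:ruleset community, 
service http; classtype:attempted-user; sid:8000688; rev:1;)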

# --------------------
# Title: Win.Trojan.MSIL-Proyecto
# Reference: Research
# Tests: pcap
# Detection: NA
# Hashes:
#  - b222b381a414270786cfe7c8e610256f0080e0505d3b28848c17db796f1f4224
# Note:
#  - One of the two signatures below may be ignored in favor of the other.

# Outbound HTTP POST-style beacon: URI under /mkv/inc/ ending in ".php" with a
# "p=" parameter in the client body.
# NOTE(review): "distance:14" is written relative to the "/mkv/inc/" content,
# but that content is fast_pattern:only and so is not evaluated as a rule
# option; confirm against the pcap that the ".php" offset anchors where intended
# (a 14-character script name), otherwise drop "only" on the first content.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL-Proyecto outbound connection"; 
flow:to_server,established; content:"/mkv/inc/"; http_uri; fast_pattern:only; content:".php"; distance:14; http_uri; 
content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000689; 
rev:1;)

# Same family, keyed on the User-Agent fingerprint instead of the URI path:
# "; Windows NT 6.1; ru;" followed within 40 bytes by "Firefox/4.0" in the
# headers, plus a URI whose final path component is exactly 14 [a-z0-9]
# characters followed by ".php" (the same 14-character name the first rule
# measures with distance:14).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL-Proyecto outbound connection"; 
flow:to_server,established; content:"|3B| Windows NT 6.1|3B| ru|3B|"; http_header; content:"Firefox/4.0"; within:40; 
http_header; fast_pattern; content:".php"; http_uri; pcre:"/\/[a-z0-9]{14}\.php$/U"; metadata:ruleset community, 
service http; classtype:trojan-activity; sid:8000690; rev:1;)

# --------------------
# Title: Win.Trojan.WSHRAT/Cryxos
# Reference: Research
# Tests: pcap
# Detection:
#  - Yara:
#    - MALWARE_Win_Trojan_Keylogger_JS
#    - MALWARE_Win_Trojan_Keylogger_BIN
#  - ClamAV:
#    - MALWARE_Win.Trojan.Keylogger-JS
#    - MALWARE_Win.Trojan.Keylogger-BIN
# Hashes:
#  - 1529f3494b9b5845601303d772bb06d222f1b0e4f7ea180f8434fff6f6a072a2 (.js)
#  - 27b51b90dde5fecb4199063da57da264266803e29a23910cb13d987164fc2217 (.js)
#  - 61422d06083e048065f02df046d21df773adb5b6d14cca923931d3f27f3ae761 (.js)
#  - 923c88d30237f7b6d06791916a9d347cf0da647d0aba20c728d688d49d410204 (.js)
#  - c30dc16deeb3bd62dfda6aa02568b6ac9a356dff917ebe7aad5253bc2985231d (.js)
#  - 272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a (second stage binary)
# Note: NA

# Outbound beacon on any TCP port whose raw payload contains the literal header
# "User-Agent: WSHRAT". No http_header modifier is used, so the match is on the
# unnormalized payload; this is what lets the rule work on non-standard ports
# despite the "service http" metadata.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.WSHRAT/Cryxos variant outbound connection"; 
flow:to_server,established; content:"User-Agent: WSHRAT"; fast_pattern:only; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000691; rev:1;)

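# Second-stage beacon: a request line for "/open-keylogger" on any TCP port,
# matched on the raw payload. Adds flow:to_server,established so the rule is
# only evaluated on established client-to-server traffic, consistent with the
# companion rule (sid 8000691) and the rest of this set.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.WSHRAT/Cryxos variant second stage outbound 
connection"; flow:to_server,established; content:"/open-keylogger HTTP/"; fast_pattern:only; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000692; rev:1;)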

# --------------------
# Title: Generic PowerShell dropper
# Reference: Research
# Tests: pcap
# Detection: NA
# Hashes:
#  - b0c869656baa7b328e0a61d7e32001800395fdd2338df463b4691388f6a5f976 (.lnk)
#  - 3095ecdcab270cd0341911ff220dd6f242919bd597e1f29a2955b47183952e46 (.bat)
#  - 712b534b452c401260026e7ba0838d9a425acc04606773a91a01fa2775119c33 (.bat)
#  - b43f92675979251693f52645fcb07e00c9bfa016aae0c56f19bcd9a81c7d2784 (.lnk)
#  - 42c4e957c0a00e208ac1fddfb2c67fbb4d4ee78e6a4869c275e3015abda86cb0 (AgentTesla)
#  - 08252420f31da4f617943c2d5841069d0ddde025f19f53b3f3038fdef12a900d (AgentTesla)
# Note:
#  - Dropped payloads are mostly Win.Trojan.AgentTesla. Not all payloads were examined.
#  - The PCRE may be removed from the rule.
#  - Observed URLs:
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/0251e9e6dd2b6761318cf74b9c7cfbcc.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/2eff7f856c921b9679658fc1076ad8df.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/4a122e1be14c64455d732d6809397908.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/4c76a53c02e96376537dd399c26d42e6.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/4ebcbf3ba7ccb02dfb195c7d5ca7787d.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/597684641290261a2d9b5e4f3c31448f.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/824e747ac0a4b302b94c5c8811aecffc.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/921f92a5d1a046bfb48a3c9ea2e85893.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/c516cd9f3d02c0a9657652b835170278.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/c6e905de8a762015cd177be60cd6bd67.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/de33e172deb9cd1a01cc95a3198b5ff2.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/e6f482cc5f9dd0a1d18cb925499c1e6b.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/ef0390ca68e9e2a0e3851e0cf6b22353.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/f7d2dd7b5bdd9919634388790cc9c4fa.php

# Second-stage download: URI under /ajp/public/ whose file name is exactly 32
# [a-z0-9] characters followed by ".php". The PCRE is not relative (no /R), so
# it independently checks the whole URI and is the stricter of the two checks.
# NOTE(review): "distance:32" is relative to a fast_pattern:only content, which
# is not evaluated as a rule option; as long as the PCRE stays, the rule is
# still exact, which argues for keeping it rather than removing it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper second stage payload download 
attempt"; flow:to_server,established; content:"/ajp/public/"; fast_pattern:only; http_uri; content:".php"; distance:32; 
http_uri; pcre:"/[a-z0-9]{32}\.php$/U"; metadata:ruleset community, service http; classtype:trojan-activity; 
sid:8000693; rev:1;)

Older rules:

# --------------------
# Title: Win.Trojan.Remcos
# Reference: Research
# Tests: pcap
# Detection:
#  - Yara: MALWARE_Win_Trojan_Remcos
#  - ClamAV: MALWARE_Win.Trojan.Remcos
# Hashes:
#  - 1b14169a1d9ca041ab78a8e571ed31a474653addfca9fa92b63208dd3bd72a49
#  - 44db2df3f3bb2525bc7d36ea6d15cc0f457791c4b9d957f6835ce6facbecfffb
#  - 8588ae6b0cd64a359929e5990249cfa64ccf1b7e3d8ce8db201b3482d5142b65
#  - 70831ec3a25ad0ed98cc867d4a23432cad9ecb96c59b82065ec9f936ff9cdd43
#  - a3bb006a69214a66f34953ce4e089101bbecf890716d8e419f77b093b1d956f1
# Notes:
#  - Signatures were submitted on March 18, 2019 (Multiple signatures 025) and are still valid.

# Initial outbound Remcos check-in on any TCP port: "[DataStart]" followed, 8
# bytes later, by the pipe-delimited "RemoteHost|cmd|" field. No service
# metadata because the protocol is not HTTP.
# NOTE(review): the "distance:8" follows a fast_pattern:only content, which is
# not evaluated as a rule option; confirm with the pcap that the offset anchors
# as intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos initial outbound connection attempt"; 
flow:to_server,established; content:"[DataStart]"; fast_pattern:only; content:"RemoteHost|7C|cmd|7C|"; distance:8; 
metadata:ruleset community; classtype:trojan-activity; sid:8000558; rev:1;)

# Inbound (server-to-client) Remcos command: payload smaller than 85 bytes,
# "[DataStart]" followed 9 bytes later by a "|cmd|" field. The dsize cap keeps
# the short "|cmd|" match from firing on large unrelated payloads.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos inbound connection attempt"; 
flow:to_client,established; dsize:<85; content:"[DataStart]"; fast_pattern:only; content:"|7C|cmd|7C|"; distance:9; 
metadata:ruleset community; classtype:trojan-activity; sid:8000559; rev:1;)

# Outbound Remcos message: "[DataStart]" followed 9 bytes later by "|cmd|", the
# word "Computer" with a NUL after each character (a wide-character string,
# written out byte by byte below), and another "|cmd|" delimiter.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos outbound connection attempt"; 
flow:to_server,established; content:"[DataStart]"; fast_pattern:only; 
content:"|7C|cmd|7C|C|00|o|00|m|00|p|00|u|00|t|00|e|00|r|00 7C|cmd|7C|"; distance:9; metadata:ruleset community; 
classtype:trojan-activity; sid:8000560; rev:1;)

# --------------------
# Title: Win.Trojan.Amadey
# Reference: Research
# Tests: pcap
# Detection:
#  - Yara: MALWARE_Win_Trojan_Amadey_dnldr
#  - ClamAV: MALWARE_Win.Trojan.Amadey-dnldr
# Hashes:
#  - 5cd3703b82ad47edee1fcd274dd54ddc57e0ae9d63985d22a4a8246aca8cc6a6 (Amadey)
#  - ffff323bd3d8ac20f0f6e5f36f4e8bca9443da81e6aa3f380234ca102eb0e019 (VBS drops Amadey)
# Note:
#  - Signatures were submitted on May 02, 2019 (Multiple signatures 027), and are still valid.
#  - Amadey binary is encoded within the VBS script.

# Amadey check-in: nine "&xx=" parameter names (sd, vs, ar, bi, lv, os, av, pc,
# un) all present in the HTTP client body, in any order (no relative modifiers).
# NOTE(review): no fast_pattern is set and every content is only 4 bytes, so the
# fast-pattern matcher has a weak anchor; if the pcap shows a longer constant
# (for example a fixed URI), marking it fast_pattern would cut rule evaluations.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Amadey downloader variant outbound 
connection"; flow:to_server,established; content:"&sd="; http_client_body; content:"&vs="; http_client_body; 
content:"&ar="; http_client_body; content:"&bi="; http_client_body; content:"&lv="; http_client_body; content:"&os="; 
http_client_body; content:"&av="; http_client_body; content:"&pc="; http_client_body; content:"&un="; http_client_body; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000602; rev:2;)

# --------------------
# Title: Win.Trojan.LodaLogger
# Reference: Research
# Reference: https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware
# Tests: pcap
# Detection: NA
# Hashes:
#  - 18007cd1f63a8bb3ddbc8a947515c71627ed1cc578264f7bb8c6990b9927fbf1
#  - 37782247ba0b06455f0cb12feb4365fed1a805bb3762e167ee803783f0f5731e
#  - 38e736edadcc0d60d0e2cccb7a2bcf3d2a2cd471b9177147224151581d2a9fa3
#  - e20eaa5366d498cb9aae3ccaab774ee4210bbef44436a10bb30563e68c94560a
# Note:
#  - Signatures were posted twice, on August 14, 2018 (Multiple signatures 009) and May 02, 2019 (Multiple signatures 027),
#    under different names since they weren't appropriately identified.
#  - According to network traffic, the malware is version 1.0.8.

# LodaLogger beacon (64-bit host variant) on any TCP port: pipe-delimited
# "|WIN_" field, "|X64|" within 10 bytes of it, then "|Pr" within 25 bytes.
# Differs from sid 8000257 only in the architecture token.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.LodaLogger outbound connection"; 
flow:to_server,established; content:"|7C|WIN_"; fast_pattern; content:"|7C|X64|7C|"; within:10; content:"|7C|Pr"; 
within:25; metadata:ruleset community; classtype:trojan-activity; sid:8000256; rev:3;)

# LodaLogger beacon (32-bit host variant): identical to sid 8000256 except that
# the architecture token is "|X86|".
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.LodaLogger outbound connection"; 
flow:to_server,established; content:"|7C|WIN_"; fast_pattern; content:"|7C|X86|7C|"; within:10; content:"|7C|Pr"; 
within:25; metadata:ruleset community; classtype:trojan-activity; sid:8000257; rev:3;)

# --------------------
# Title: Win.Trojan.Racealer/Racoon Stealer
# Reference: Research
# Tests: pcaps
# Detection:
#  - Yara: MALWARE_Win_Trojan_Racealer
#  - ClamAV: MALWARE_Win.Trojan.Racealer
# Hashes:
#   - Older samples:
#     - 06c7609239d733d28fbb871b0c9459b6fe1e72df18dc0d4850ade5081b77ab80
#     - 5c320dfd6b11443cd9a1da5bc57d14cfdd5aa74029bd4ee7380af5ae5c4d3f2d
#     - 841c6cc82cc2c1fd38531953ffa4559798c082dbeb1852d73a24180fe889e3b4
#     - c31757bd0ff0850199dd28d6db0bc174cd7dff38126979bfef5d8a21b361d22c
#   - Recent samples:
#     - d08b20a598df0c7a04cd6570e3b2bfcbaa358a324208f352ad4dff2c9f749240
#     - fde80c40258088be97efdc3c64bd85637a4ca4ad580c1542c001d50d10a09c97
# Note:
#  - Signatures submitted on May 07, 2019 (Multiple signatures 027).
#  - Changed message description and revision.

# Racealer/Raccoon log upload: urilen:13 pins the URI to exactly the 13-byte
# path "/gate/log.php", the body carries "params=", and the negated content
# means the rule fires only when no User-Agent header is present. That absence
# is the most distinctive part of the fingerprint; a sample that starts sending
# a User-Agent would stop matching.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Racealer/Racoon Stealer outbound 
connection"; flow:to_server,established; urilen:13; content:"/gate/log.php"; fast_pattern:only; http_uri; 
content:"params="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000604; rev:2;)

# Racealer/Raccoon module fetch: "/file.php?" URI with hash=, &callback= and
# &js= query parameters, all in the normalized URI buffer.
# NOTE(review): the fast pattern is the 5-byte "hash=", which is a common
# query-string substring; the 10-byte "/file.php?" is longer and likely a more
# selective anchor for the fast-pattern matcher.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Racealer/Racoon Stealer outbound 
connection"; flow:to_server,established; content:"/file.php?"; http_uri; content:"hash="; fast_pattern:only; http_uri; 
content:"&callback="; http_uri; content:"&js="; http_uri;  metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000605; rev:2;)