Snort mailing list archives
Re: Multiple signatures 031
From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Fri, 23 Aug 2019 09:56:59 -0400
Hi Yaser! Thanks again for your many contributions! We'll get these into our testing process and get back to you as soon as possible. We'd appreciate any pcaps you'd be willing to share. Thanks again!

On Thu, Aug 22, 2019 at 1:55 PM Y M via Snort-sigs <snort-sigs () lists snort org> wrote:
Hello,

Below are some new rules, and some older ones that weren't picked up from previous posts; more recent samples are still matching these signatures. PCAPs and Yara/ClamAV signatures are available for some of the cases.

Thank you.
YM

# --------------------
# Title: CVE-2019-0604 Artifacts
# Reference: Research
# Tests: pcap
# Detection:
# - Yara: NA
# - ClamAV: NA
# Hashes: NA
# Note:
# - http_uri content match may be/should be removed.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder follow up traffic"; flow:to_server,established; content:"Response.Write(|22|UAshell|22|)|3B 0D 0A|"; fast_pattern:only; http_header; content:"/ua.aspx"; http_uri; content:"Cookie:"; http_header; metadata:ruleset community, service http; reference:cve,2019-0604; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604; classtype:attempted-user; sid:8000683; rev:1;)

# --------------------
# Title: DSL DNS Change
# Reference: Research
# Reference: https://csirt.bank.gov.ua/en/news/44
# Tests: pcap (D-Link only)
# Detection: NA
# Hashes: NA
# Note: NA

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/dnscfg.cgi?"; fast_pattern:only; http_uri; content:"dnsPrimary="; http_uri; content:"&dnsSecondary"; http_uri; content:"&dnsDynamic="; http_uri; content:"&dnsRefresh="; http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000684; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ARG-W4 ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/form2dns.cgi?"; fast_pattern:only; http_uri; content:"dnsmode=1"; http_uri; content:"&dns1="; http_uri; content:"&dns2="; http_uri; content:"&save=apply="; http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000685; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DSLink 260E ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/action?dns_status=1"; fast_pattern:only; http_uri; content:"&dns_server_ip1=1"; http_uri; content:"&cmdadd=add"; http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000686; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Secutech ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/wan_dns.asp?go=wan_dns.asp"; fast_pattern:only; http_uri; content:"&dnsen=on"; http_uri; content:"&ds1="; http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000687; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TOTOLINK ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/formbasetcpipsetup?"; fast_pattern:only; http_uri; content:"dnsmode=dnsmanual"; http_uri; content:"&dns1="; http_uri; content:"&dnsrefresh=1"; metadata:ruleset community, service http; classtype:attempted-user; sid:8000688; rev:1;)

# --------------------
# Title: Win.Trojan.MSIL-Proyecto
# Reference: Research
# Tests: pcap
# Detection: NA
# Hashes:
# - b222b381a414270786cfe7c8e610256f0080e0505d3b28848c17db796f1f4224
# Note:
# - One of the two signatures below may be ignored in favor of the other.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL-Proyecto outbound connection"; flow:to_server,established; content:"/mkv/inc/"; http_uri; fast_pattern:only; content:".php"; distance:14; http_uri; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000689; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL-Proyecto outbound connection"; flow:to_server,established; content:"|3B| Windows NT 6.1|3B| ru|3B|"; http_header; content:"Firefox/4.0"; within:40; http_header; fast_pattern; content:".php"; http_uri; pcre:"/\/[a-z0-9]{14}\.php$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000690; rev:1;)

# --------------------
# Title: Win.Trojan.WSHRAT/Cryxos
# Reference: Research
# Tests: pcap
# Detection:
# - Yara:
# - MALWARE_Win_Trojan_Keylogger_JS
# - MALWARE_Win_Trojan_Keylogger_BIN
# - ClamAV:
# - MALWARE_Win.Trojan.Keylogger-JS
# - MALWARE_Win.Trojan.Keylogger-BIN
# Hashes:
# - 1529f3494b9b5845601303d772bb06d222f1b0e4f7ea180f8434fff6f6a072a2 (.js)
# - 27b51b90dde5fecb4199063da57da264266803e29a23910cb13d987164fc2217 (.js)
# - 61422d06083e048065f02df046d21df773adb5b6d14cca923931d3f27f3ae761 (.js)
# - 923c88d30237f7b6d06791916a9d347cf0da647d0aba20c728d688d49d410204 (.js)
# - c30dc16deeb3bd62dfda6aa02568b6ac9a356dff917ebe7aad5253bc2985231d (.js)
# - 272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a (second stage binary)
# Note: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.WSHRAT/Cryxos variant outbound connection"; flow:to_server,established; content:"User-Agent: WSHRAT"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000691; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.WSHRAT/Cryxos variant second stage outbound connection"; content:"/open-keylogger HTTP/"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000692; rev:1;)

# --------------------
# Title: Generic PowerShell dropper
# Reference: Research
# Tests: pcap
# Detection: NA
# Hashes:
# - b0c869656baa7b328e0a61d7e32001800395fdd2338df463b4691388f6a5f976 (.lnk)
# - 3095ecdcab270cd0341911ff220dd6f242919bd597e1f29a2955b47183952e46 (.bat)
# - 712b534b452c401260026e7ba0838d9a425acc04606773a91a01fa2775119c33 (.bat)
# - b43f92675979251693f52645fcb07e00c9bfa016aae0c56f19bcd9a81c7d2784 (.lnk)
# - 42c4e957c0a00e208ac1fddfb2c67fbb4d4ee78e6a4869c275e3015abda86cb0 (AgentTesla)
# - 08252420f31da4f617943c2d5841069d0ddde025f19f53b3f3038fdef12a900d (AgentTesla)
# Note:
# - Dropped payloads are mostly Win.Trojan.AgentTesla. Not all payloads were examined.
# - PCRE may be removed from the rule.
# - Observed URLs:
# - hxxp://web[.]riderit[.]com:8000/ajp/public/0251e9e6dd2b6761318cf74b9c7cfbcc.php
# - hxxp://web[.]riderit[.]com:8000/ajp/public/2eff7f856c921b9679658fc1076ad8df.php
# - hxxp://web[.]riderit[.]com:8000/ajp/public/4a122e1be14c64455d732d6809397908.php
# - hxxp://web[.]riderit[.]com:8000/ajp/public/4c76a53c02e96376537dd399c26d42e6.php
# - hxxp://web[.]riderit[.]com:8000/ajp/public/4ebcbf3ba7ccb02dfb195c7d5ca7787d.php
# - hxxp://web[.]riderit[.]com:8000/ajp/public/597684641290261a2d9b5e4f3c31448f.php
# - hxxp://web[.]riderit[.]com:8000/ajp/public/824e747ac0a4b302b94c5c8811aecffc.php
# - hxxp://web[.]riderit[.]com:8000/ajp/public/921f92a5d1a046bfb48a3c9ea2e85893.php
# - hxxp://web[.]riderit[.]com:8000/ajp/public/c516cd9f3d02c0a9657652b835170278.php
# - hxxp://web[.]riderit[.]com:8000/ajp/public/c6e905de8a762015cd177be60cd6bd67.php
# - hxxp://web[.]riderit[.]com:8000/ajp/public/de33e172deb9cd1a01cc95a3198b5ff2.php
# - hxxp://web[.]riderit[.]com:8000/ajp/public/e6f482cc5f9dd0a1d18cb925499c1e6b.php
# - hxxp://web[.]riderit[.]com:8000/ajp/public/ef0390ca68e9e2a0e3851e0cf6b22353.php
# - hxxp://web[.]riderit[.]com:8000/ajp/public/f7d2dd7b5bdd9919634388790cc9c4fa.php

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper second stage payload download attempt"; flow:to_server,established; content:"/ajp/public/"; fast_pattern:only; http_uri; content:".php"; distance:32; http_uri; pcre:"/[a-z0-9]{32}\.php$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000693; rev:1;)

Older rules:

# --------------------
# Title: Win.Trojan.Remcos
# Reference: Research
# Tests: pcap
# Detection:
# - Yara: MALWARE_Win_Trojan_Remcos
# - ClamAV: MALWARE_Win.Trojan.Remcos
# Hashes:
# - 1b14169a1d9ca041ab78a8e571ed31a474653addfca9fa92b63208dd3bd72a49
# - 44db2df3f3bb2525bc7d36ea6d15cc0f457791c4b9d957f6835ce6facbecfffb
# - 8588ae6b0cd64a359929e5990249cfa64ccf1b7e3d8ce8db201b3482d5142b65
# - 70831ec3a25ad0ed98cc867d4a23432cad9ecb96c59b82065ec9f936ff9cdd43
# - a3bb006a69214a66f34953ce4e089101bbecf890716d8e419f77b093b1d956f1
# Notes:
# - Signatures were submitted on March 18, 2019 (Multiple signatures 025) and are still valid.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos initial outbound connection attempt"; flow:to_server,established; content:"[DataStart]"; fast_pattern:only; content:"RemoteHost|7C|cmd|7C|"; distance:8; metadata:ruleset community; classtype:trojan-activity; sid:8000558; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos inbound connection attempt"; flow:to_client,established; dsize:<85; content:"[DataStart]"; fast_pattern:only; content:"|7C|cmd|7C|"; distance:9; metadata:ruleset community; classtype:trojan-activity; sid:8000559; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos outbound connection attempt"; flow:to_server,established; content:"[DataStart]"; fast_pattern:only; content:"|7C|cmd|7C|C|00|o|00|m|00|p|00|u|00|t|00|e|00|r|00 7C|cmd|7C|"; distance:9; metadata:ruleset community; classtype:trojan-activity; sid:8000560; rev:1;)

# --------------------
# Title: Win.Trojan.Amadey
# Reference: Research
# Tests: pcap
# Detection:
# - Yara: MALWARE_Win_Trojan_Amadey_dnldr
# - ClamAV: MALWARE_Win.Trojan.Amadey-dnldr
# Hashes:
# - 5cd3703b82ad47edee1fcd274dd54ddc57e0ae9d63985d22a4a8246aca8cc6a6 (Amadey)
# - ffff323bd3d8ac20f0f6e5f36f4e8bca9443da81e6aa3f380234ca102eb0e019 (VBS drops Amadey)
# Note:
# - Signatures were submitted on May 02, 2019 (Multiple signatures 027), and are still valid.
# - Amadey binary is encoded within the VBS script.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Amadey downloader variant outbound connection"; flow:to_server,established; content:"&sd="; http_client_body; content:"&vs="; http_client_body; content:"&ar="; http_client_body; content:"&bi="; http_client_body; content:"&lv="; http_client_body; content:"&os="; http_client_body; content:"&av="; http_client_body; content:"&pc="; http_client_body; content:"&un="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000602; rev:2;)

# --------------------
# Title: Win.Trojan.LodaLogger
# Reference: Research
# Reference: https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware
# Tests: pcap
# Detection: NA
# Hashes:
# - 18007cd1f63a8bb3ddbc8a947515c71627ed1cc578264f7bb8c6990b9927fbf1
# - 37782247ba0b06455f0cb12feb4365fed1a805bb3762e167ee803783f0f5731e
# - 38e736edadcc0d60d0e2cccb7a2bcf3d2a2cd471b9177147224151581d2a9fa3
# - e20eaa5366d498cb9aae3ccaab774ee4210bbef44436a10bb30563e68c94560a
# Note:
# - Signatures were posted twice on August 14, 2018 (Multiple signatures 009) and May 02, 2019 (Multiple signatures 027)
# under different names since they weren't appropriately identified.
# - According to network traffic, malware is version 1.0.8.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.LodaLogger outbound connection"; flow:to_server,established; content:"|7C|WIN_"; fast_pattern; content:"|7C|X64|7C|"; within:10; content:"|7C|Pr"; within:25; metadata:ruleset community; classtype:trojan-activity; sid:8000256; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.LodaLogger outbound connection"; flow:to_server,established; content:"|7C|WIN_"; fast_pattern; content:"|7C|X86|7C|"; within:10; content:"|7C|Pr"; within:25; metadata:ruleset community; classtype:trojan-activity; sid:8000257; rev:3;)

# --------------------
# Title: Win.Trojan.Racealer/Racoon Stealer
# Reference: Research
# Tests: pcaps
# Detection:
# - Yara: MALWARE_Win_Trojan_Racealer
# - ClamAV: MALWARE_Win.Trojan.Racealer
# Hashes:
# - Older samples:
# - 06c7609239d733d28fbb871b0c9459b6fe1e72df18dc0d4850ade5081b77ab80
# - 5c320dfd6b11443cd9a1da5bc57d14cfdd5aa74029bd4ee7380af5ae5c4d3f2d
# - 841c6cc82cc2c1fd38531953ffa4559798c082dbeb1852d73a24180fe889e3b4
# - c31757bd0ff0850199dd28d6db0bc174cd7dff38126979bfef5d8a21b361d22c
# - Recent samples:
# - d08b20a598df0c7a04cd6570e3b2bfcbaa358a324208f352ad4dff2c9f749240
# - fde80c40258088be97efdc3c64bd85637a4ca4ad580c1542c001d50d10a09c97
# Note:
# - Signatures submitted on May 07, 2019 (Multiple signatures 027).
# - Changed message description and revision.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Racealer/Racoon Stealer outbound connection"; flow:to_server,established; urilen:13; content:"/gate/log.php"; fast_pattern:only; http_uri; content:"params="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000604; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Racealer/Racoon Stealer outbound connection"; flow:to_server,established; content:"/file.php?"; http_uri; content:"hash="; fast_pattern:only; http_uri; content:"&callback="; http_uri; content:"&js="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000605; rev:2;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
--
Marcos Rodriguez
Cisco Talos
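As an added example (not code from the post, from Talos or from the Snort project), here is a small Python parser and linter for Snort 2 rules in the format used throughout the submission above. The sample input is three of the rules quoted verbatim from the post (sids 8000684, 8000558 and 8000692); the checks it applies (required options present, flow set on tcp rules, an explicit fast_pattern, no rule built only from negated content, service metadata matching the http_* buffers in use, and duplicate sids across a batch) are this example's own selection of pre-submission checks, not the list's review criteria.

```python
"""Parse Snort 2 rules and sanity-check them before submission.

Added example, not from the Snort-sigs post: the three sample rules are copied
verbatim from the post (sids 8000684, 8000558, 8000692); the checks are this
example's own choice of things worth verifying.
"""
import re
from collections import Counter

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)
HEX_RE = re.compile(r"\|([0-9A-Fa-f\s]+)\|")  # |7C 00| style byte escapes inside content
CONTENT_MODS = {  # option keywords that modify the content immediately before them
    "nocase", "offset", "depth", "distance", "within", "fast_pattern", "rawbytes",
    "http_uri", "http_raw_uri", "http_header", "http_raw_header", "http_client_body",
    "http_cookie", "http_raw_cookie", "http_method", "http_stat_code", "http_stat_msg"}


def split_options(body):
    """Split on ';' outside double quotes, honouring backslash escapes; return (key, value) pairs."""
    tokens, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped or ch == "\\":
            cur.append(ch)
            escaped = not escaped
        elif ch == ";" and not in_quote:
            tokens.append("".join(cur).strip())
            cur = []
        else:
            in_quote ^= ch == '"'
            cur.append(ch)
    tokens.append("".join(cur).strip())
    return [tuple(t.split(":", 1)) if ":" in t else (t, None) for t in tokens if t]


def _literal(segment):
    """Decode a non-hex content segment: drop escaping backslashes, keep bytes as-is."""
    return re.sub(r"\\(.)", r"\1", segment).encode("latin-1")


def decode_content(value):
    """Turn a content argument such as !"abc|7C|def" into (negated, raw bytes)."""
    value = value.strip()
    negated = value.startswith("!")
    value = value[1:].strip() if negated else value
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError("content argument must be quoted: %r" % value)
    inner, out, pos = value[1:-1], bytearray(), 0
    for m in HEX_RE.finditer(inner):
        out += _literal(inner[pos:m.start()]) + bytes.fromhex(m.group(1))
        pos = m.end()
    return negated, bytes(out + _literal(inner[pos:]))


def parse_rule(text):
    """Parse one rule into header fields, scalar options, references and content matches."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text[:60])
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule.update(options={}, references=[], contents=[])
    for key, val in split_options(m.group("opts")):
        if key == "content":
            negated, data = decode_content(val)
            rule["contents"].append({"negated": negated, "data": data, "mods": {}})
        elif key in CONTENT_MODS:
            if not rule["contents"]:
                raise ValueError("%s appears before any content" % key)
            rule["contents"][-1]["mods"][key] = val
        elif key == "reference":
            rule["references"].append(val)
        elif key == "msg":
            rule["options"]["msg"] = val.strip('"')
        else:
            rule["options"][key] = val
    return rule


def lint_rule(rule):
    """Return a list of problems; an empty list means the rule passed every check."""
    opts, contents, problems = rule["options"], rule["contents"], []
    for required in ("msg", "sid", "rev", "classtype"):
        if required not in opts:
            problems.append("missing %s" % required)
    if rule["proto"] == "tcp" and "flow" not in opts:
        problems.append("tcp rule without flow; it is also evaluated on unestablished traffic")
    if contents and not any("fast_pattern" in c["mods"] for c in contents):
        problems.append("no explicit fast_pattern; Snort will pick the longest content itself")
    if contents and all(c["negated"] for c in contents):
        problems.append("only negated content; the rule matches almost all traffic")
    uses_http = any(mod.startswith("http_") for c in contents for mod in c["mods"])
    if uses_http and "service http" not in opts.get("metadata", ""):
        problems.append("http_* buffers used but metadata lacks 'service http'")
    return problems


def lint_ruleset(rule_texts):
    """Lint every rule and flag sids that occur more than once; returns {sid: [problems]}."""
    rules = [parse_rule(t) for t in rule_texts]
    sid_count = Counter(r["options"].get("sid") for r in rules)
    report = {}
    for r in rules:
        sid = r["options"].get("sid")
        problems = lint_rule(r)
        if sid_count[sid] > 1:
            problems.append("duplicate sid %s" % sid)
        report.setdefault(sid, []).extend(problems)
    return report


# Sample input: three rules copied verbatim from the Snort-sigs post above.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/dnscfg.cgi?"; fast_pattern:only; http_uri; content:"dnsPrimary="; http_uri; content:"&dnsSecondary"; http_uri; content:"&dnsDynamic="; http_uri; content:"&dnsRefresh="; http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000684; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos initial outbound connection attempt"; flow:to_server,established; content:"[DataStart]"; fast_pattern:only; content:"RemoteHost|7C|cmd|7C|"; distance:8; metadata:ruleset community; classtype:trojan-activity; sid:8000558; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.WSHRAT/Cryxos variant second stage outbound connection"; content:"/open-keylogger HTTP/"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000692; rev:1;)',
]

if __name__ == "__main__":
    for sid, problems in sorted(lint_ruleset(SAMPLE_RULES).items()):
        print(sid, "OK" if not problems else "; ".join(problems))
```

Run against the three sample rules, the D-Link and Remcos rules pass cleanly, while sid 8000692 is reported for lacking a flow option, the same observation a reviewer would make reading it by eye. The parser decodes |7C| byte escapes into raw bytes, so the Remcos second content comes out as `RemoteHost|cmd|`, and it keeps each content's modifiers (fast_pattern, http_uri, distance, within) attached to that content, which is what the subsequent buffer and position checks need.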
Current thread:
- Multiple signatures 031 Y M via Snort-sigs (Aug 22)
- Re: Multiple signatures 031 Marcos Rodriguez (Aug 23)