
Re: Multiple signatures 031


From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Fri, 23 Aug 2019 09:56:59 -0400

Hi Yaser!

Thanks again for your many contributions! We'll get these into our
testing process and get back to you as soon as possible.  We'd
appreciate any pcaps you'd be willing to share.  Thanks again!

On Thu, Aug 22, 2019 at 1:55 PM Y M via Snort-sigs
<snort-sigs () lists snort org> wrote:

Hello,

Below are some new rules, and some older ones that weren't picked up from previous posts; more recent samples
are still matching these signatures. PCAPs and Yara/ClamAV signatures are available for some of the cases.

Thank you.
YM

# --------------------
# Title: CVE-2019-0604 Artifacts
# Reference: Research
# Tests: pcap
# Detection:
#  - Yara: NA
#  - ClamAV: NA
# Hashes: NA
# Note:
#  - The http_uri content match may need to be removed.

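# Follow-up traffic to a SharePoint host after CVE-2019-0604 (EntityInstanceIdEncoder):
# the ASP.NET source fragment Response.Write("UAshell"); is the fast pattern and is
# matched in the normalized HTTP header buffer, the request URI must contain /ua.aspx,
# and a Cookie header must be present.  Rule text re-joined onto one line (Snort 2 does
# not accept a rule split across lines without a trailing backslash).
# NOTE(review): confirm against the pcap that the Response.Write() string really
# appears in the header buffer and not in the client body; http_client_body is not
# inspected here, so a body-only occurrence would not alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder follow up traffic"; flow:to_server,established; content:"Response.Write(|22|UAshell|22|)|3B 0D 0A|"; fast_pattern:only; http_header; content:"/ua.aspx"; http_uri; content:"Cookie:"; http_header; metadata:ruleset community, service http; reference:cve,2019-0604; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604; classtype:attempted-user; sid:8000683; rev:1;)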

# --------------------
# Title: DSL DNS Change
# Reference: Research
# Reference: https://csirt.bank.gov.ua/en/news/44
# Tests: pcap (D-Link only)
# Detection: NA
# Hashes: NA
# Note: NA

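# Unauthenticated DNS reconfiguration request to a D-Link ADSL router: the
# normalized URI must contain /dnscfg.cgi? (fast pattern) together with the
# dnsPrimary, dnsSecondary, dnsDynamic and dnsRefresh parameters.  Rule text
# re-joined onto one line so it loads as written.
# NOTE(review): "&dnsSecondary" is the only parameter matched without a trailing
# "=" — confirm that is intentional rather than a typo.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/dnscfg.cgi?"; fast_pattern:only; http_uri; content:"dnsPrimary="; http_uri; content:"&dnsSecondary"; http_uri; content:"&dnsDynamic="; http_uri; content:"&dnsRefresh="; http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000684; rev:1;)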

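# Unauthenticated DNS reconfiguration request to an ARG-W4 ADSL router: the
# normalized URI must contain /form2dns.cgi? (fast pattern) plus dnsmode=1, the
# dns1 and dns2 parameters and the save=apply= submit token.  Rule text re-joined
# onto one line so it loads as written.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ARG-W4 ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/form2dns.cgi?"; fast_pattern:only; http_uri; content:"dnsmode=1"; http_uri; content:"&dns1="; http_uri; content:"&dns2="; http_uri; content:"&save=apply="; http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000685; rev:1;)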

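# Unauthenticated DNS reconfiguration request to a DSLink 260E ADSL router: the
# normalized URI must contain /action?dns_status=1 (fast pattern), a
# dns_server_ip1 parameter and cmdadd=add.  Rule text re-joined onto one line so
# it loads as written.
# NOTE(review): "&dns_server_ip1=1" only matches when the supplied address starts
# with the digit 1; if that is not deliberate, "&dns_server_ip1=" would cover any
# address.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DSLink 260E ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/action?dns_status=1"; fast_pattern:only; http_uri; content:"&dns_server_ip1=1"; http_uri; content:"&cmdadd=add"; http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000686; rev:1;)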

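# Unauthenticated DNS reconfiguration request to a Secutech ADSL router: the
# normalized URI must contain /wan_dns.asp?go=wan_dns.asp (fast pattern), dnsen=on
# and a ds1 parameter.  Rule text re-joined onto one line so it loads as written.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Secutech ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/wan_dns.asp?go=wan_dns.asp"; fast_pattern:only; http_uri; content:"&dnsen=on"; http_uri; content:"&ds1="; http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000687; rev:1;)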

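# Unauthenticated DNS reconfiguration request to a TOTOLINK ADSL router: the
# normalized URI must contain /formbasetcpipsetup? (fast pattern),
# dnsmode=dnsmanual, a dns1 parameter and dnsrefresh=1.  Rule text re-joined onto
# one line so it loads as written.
# Fix: http_uri added after "&dnsrefresh=1" — it was the only content in the rule
# without a buffer modifier, so it was being searched in the raw payload instead of
# the normalized URI like its siblings.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TOTOLINK ADSL router unauthenticated remote DNS change attempt"; flow:to_server,established; content:"/formbasetcpipsetup?"; fast_pattern:only; http_uri; content:"dnsmode=dnsmanual"; http_uri; content:"&dns1="; http_uri; content:"&dnsrefresh=1"; http_uri; metadata:ruleset community, service http; classtype:attempted-user; sid:8000688; rev:1;)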

# --------------------
# Title: Win.Trojan.MSIL-Proyecto
# Reference: Research
# Tests: pcap
# Detection: NA
# Hashes:
#  - b222b381a414270786cfe7c8e610256f0080e0505d3b28848c17db796f1f4224
# Note:
#  - One of the two signatures below may be ignored in favor of the other.

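# MSIL-Proyecto check-in: normalized URI contains /mkv/inc/ followed, at least 14
# bytes later, by .php; the client body must contain "p=".  Rule text re-joined
# onto one line so it loads as written.
# Changed fast_pattern:only -> fast_pattern on "/mkv/inc/": with ":only" Snort 2
# does not evaluate that content as a rule option, so the relative distance:14 on
# the ".php" match may not be anchored to it — TODO confirm against the Snort
# manual; plain fast_pattern keeps the same prefilter and guarantees the anchor.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL-Proyecto outbound connection"; flow:to_server,established; content:"/mkv/inc/"; http_uri; fast_pattern; content:".php"; distance:14; http_uri; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000689; rev:1;)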

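# MSIL-Proyecto check-in, header-based variant: the normalized header buffer must
# contain "; Windows NT 6.1; ru;" followed within 40 bytes by "Firefox/4.0" (the
# fast pattern), and the normalized URI must end in a 14-character lowercase
# alphanumeric name with a .php suffix (pcre with the /U modifier).  Rule text
# re-joined onto one line so it loads as written.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL-Proyecto outbound connection"; flow:to_server,established; content:"|3B| Windows NT 6.1|3B| ru|3B|"; http_header; content:"Firefox/4.0"; within:40; http_header; fast_pattern; content:".php"; http_uri; pcre:"/\/[a-z0-9]{14}\.php$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000690; rev:1;)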

# --------------------
# Title: Win.Trojan.WSHRAT/Cryxos
# Reference: Research
# Tests: pcap
# Detection:
#  - Yara:
#    - MALWARE_Win_Trojan_Keylogger_JS
#    - MALWARE_Win_Trojan_Keylogger_BIN
#  - ClamAV:
#    - MALWARE_Win.Trojan.Keylogger-JS
#    - MALWARE_Win.Trojan.Keylogger-BIN
# Hashes:
#  - 1529f3494b9b5845601303d772bb06d222f1b0e4f7ea180f8434fff6f6a072a2 (.js)
#  - 27b51b90dde5fecb4199063da57da264266803e29a23910cb13d987164fc2217 (.js)
#  - 61422d06083e048065f02df046d21df773adb5b6d14cca923931d3f27f3ae761 (.js)
#  - 923c88d30237f7b6d06791916a9d347cf0da647d0aba20c728d688d49d410204 (.js)
#  - c30dc16deeb3bd62dfda6aa02568b6ac9a356dff917ebe7aad5253bc2985231d (.js)
#  - 272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a (second stage binary)
# Note: NA

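# WSHRAT/Cryxos check-in: the literal "User-Agent: WSHRAT" is the only match.  The
# destination port is "any" and the content carries no HTTP buffer modifier, so it
# is searched in the raw client payload on any port.  Rule text re-joined onto one
# line so it loads as written.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.WSHRAT/Cryxos variant outbound connection"; flow:to_server,established; content:"User-Agent: WSHRAT"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000691; rev:1;)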

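# WSHRAT/Cryxos second stage: matches the raw request line fragment
# "/open-keylogger HTTP/" on any destination port.  Rule text re-joined onto one
# line so it loads as written.
# Fix: flow:to_server,established added, consistent with sid:8000691 and every
# other rule in this submission.  Without it the content is evaluated on packets
# in either direction and regardless of session state.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.WSHRAT/Cryxos variant second stage outbound connection"; flow:to_server,established; content:"/open-keylogger HTTP/"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000692; rev:1;)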

# --------------------
# Title: Generic PowerShell dropper
# Reference: Research
# Tests: pcap
# Detection: NA
# Hashes:
#  - b0c869656baa7b328e0a61d7e32001800395fdd2338df463b4691388f6a5f976 (.lnk)
#  - 3095ecdcab270cd0341911ff220dd6f242919bd597e1f29a2955b47183952e46 (.bat)
#  - 712b534b452c401260026e7ba0838d9a425acc04606773a91a01fa2775119c33 (.bat)
#  - b43f92675979251693f52645fcb07e00c9bfa016aae0c56f19bcd9a81c7d2784 (.lnk)
#  - 42c4e957c0a00e208ac1fddfb2c67fbb4d4ee78e6a4869c275e3015abda86cb0 (AgentTesla)
#  - 08252420f31da4f617943c2d5841069d0ddde025f19f53b3f3038fdef12a900d (AgentTesla)
# Note:
#  - Dropped payloads are mostly Win.Trojan.AgentTesla. Not all payloads were examined.
#  - The PCRE may be removed from the rule.
#  - Observed URLs:
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/0251e9e6dd2b6761318cf74b9c7cfbcc.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/2eff7f856c921b9679658fc1076ad8df.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/4a122e1be14c64455d732d6809397908.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/4c76a53c02e96376537dd399c26d42e6.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/4ebcbf3ba7ccb02dfb195c7d5ca7787d.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/597684641290261a2d9b5e4f3c31448f.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/824e747ac0a4b302b94c5c8811aecffc.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/921f92a5d1a046bfb48a3c9ea2e85893.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/c516cd9f3d02c0a9657652b835170278.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/c6e905de8a762015cd177be60cd6bd67.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/de33e172deb9cd1a01cc95a3198b5ff2.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/e6f482cc5f9dd0a1d18cb925499c1e6b.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/ef0390ca68e9e2a0e3851e0cf6b22353.php
#    - hxxp://web[.]riderit[.]com:8000/ajp/public/f7d2dd7b5bdd9919634388790cc9c4fa.php

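# Second-stage payload download by the PowerShell dropper: normalized URI contains
# /ajp/public/ followed, at least 32 bytes later, by .php, and the pcre requires 32
# lowercase alphanumeric characters immediately before a trailing .php.  Rule text
# re-joined onto one line so it loads as written.
# Changed fast_pattern:only -> fast_pattern on "/ajp/public/": with ":only" Snort 2
# does not evaluate that content as a rule option, so the relative distance:32 on
# the ".php" match may not be anchored to it — TODO confirm against the Snort
# manual; plain fast_pattern keeps the same prefilter and guarantees the anchor.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper second stage payload download attempt"; flow:to_server,established; content:"/ajp/public/"; fast_pattern; http_uri; content:".php"; distance:32; http_uri; pcre:"/[a-z0-9]{32}\.php$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000693; rev:1;)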

Older rules:

# --------------------
# Title: Win.Trojan.Remcos
# Reference: Research
# Tests: pcap
# Detection:
#  - Yara: MALWARE_Win_Trojan_Remcos
#  - ClamAV: MALWARE_Win.Trojan.Remcos
# Hashes:
#  - 1b14169a1d9ca041ab78a8e571ed31a474653addfca9fa92b63208dd3bd72a49
#  - 44db2df3f3bb2525bc7d36ea6d15cc0f457791c4b9d957f6835ce6facbecfffb
#  - 8588ae6b0cd64a359929e5990249cfa64ccf1b7e3d8ce8db201b3482d5142b65
#  - 70831ec3a25ad0ed98cc867d4a23432cad9ecb96c59b82065ec9f936ff9cdd43
#  - a3bb006a69214a66f34953ce4e089101bbecf890716d8e419f77b093b1d956f1
# Notes:
#  - Signatures were submitted on March 18, 2019 (Multiple signatures 025) and are still valid.

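# Remcos initial check-in: raw payload contains "[DataStart]" followed, at least 8
# bytes later, by "RemoteHost|cmd|".  Rule text re-joined onto one line so it loads
# as written.
# Changed fast_pattern:only -> fast_pattern on "[DataStart]": with ":only" Snort 2
# does not evaluate that content as a rule option, so the relative distance:8 on
# the next content may not be anchored to it — TODO confirm against the Snort
# manual; plain fast_pattern keeps the same prefilter and guarantees the anchor.
# The same change is applied to sid:8000559 and sid:8000560 below.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos initial outbound connection attempt"; flow:to_server,established; content:"[DataStart]"; fast_pattern; content:"RemoteHost|7C|cmd|7C|"; distance:8; metadata:ruleset community; classtype:trojan-activity; sid:8000558; rev:1;)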

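# Remcos server-to-client message: payload shorter than 85 bytes containing
# "[DataStart]" followed, at least 9 bytes later, by "|cmd|".  Rule text re-joined
# onto one line so it loads as written.
# Changed fast_pattern:only -> fast_pattern so the relative distance:9 on the
# "|cmd|" match is anchored to "[DataStart]" (see note on sid:8000558) — TODO
# confirm against the Snort manual.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos inbound connection attempt"; flow:to_client,established; dsize:<85; content:"[DataStart]"; fast_pattern; content:"|7C|cmd|7C|"; distance:9; metadata:ruleset community; classtype:trojan-activity; sid:8000559; rev:1;)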

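# Remcos client-to-server message: "[DataStart]" followed, at least 9 bytes later,
# by "|cmd|" plus the null-interleaved (UTF-16LE-style) string "Computer" and
# another "|cmd|".  Rule text re-joined onto one line so it loads as written.
# Changed fast_pattern:only -> fast_pattern so the relative distance:9 is anchored
# to "[DataStart]" (see note on sid:8000558) — TODO confirm against the Snort
# manual.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos outbound connection attempt"; flow:to_server,established; content:"[DataStart]"; fast_pattern; content:"|7C|cmd|7C|C|00|o|00|m|00|p|00|u|00|t|00|e|00|r|00 7C|cmd|7C|"; distance:9; metadata:ruleset community; classtype:trojan-activity; sid:8000560; rev:1;)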

# --------------------
# Title: Win.Trojan.Amadey
# Reference: Research
# Tests: pcap
# Detection:
#  - Yara: MALWARE_Win_Trojan_Amadey_dnldr
#  - ClamAV: MALWARE_Win.Trojan.Amadey-dnldr
# Hashes:
#  - 5cd3703b82ad47edee1fcd274dd54ddc57e0ae9d63985d22a4a8246aca8cc6a6 (Amadey)
#  - ffff323bd3d8ac20f0f6e5f36f4e8bca9443da81e6aa3f380234ca102eb0e019 (VBS drops Amadey)
# Note:
#  - Signatures were submitted on May 02, 2019 (Multiple signatures 027), and are still valid.
#  - Amadey binary is encoded within the VBS script.

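# Amadey downloader check-in: the HTTP client body must contain all nine form
# fields &sd=, &vs=, &ar=, &bi=, &lv=, &os=, &av=, &pc= and &un=.  Rule text
# re-joined onto one line so it loads as written.
# NOTE(review): every content is 4 bytes and none is marked fast_pattern, so
# whichever one Snort selects as the prefilter is a weak one; if the pcap shows a
# longer distinctive token, using it as the fast pattern would cut evaluations.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Amadey downloader variant outbound connection"; flow:to_server,established; content:"&sd="; http_client_body; content:"&vs="; http_client_body; content:"&ar="; http_client_body; content:"&bi="; http_client_body; content:"&lv="; http_client_body; content:"&os="; http_client_body; content:"&av="; http_client_body; content:"&pc="; http_client_body; content:"&un="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000602; rev:2;)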

# --------------------
# Title: Win.Trojan.LodaLogger
# Reference: Research
# Reference: https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware
# Tests: pcap
# Detection: NA
# Hashes:
#  - 18007cd1f63a8bb3ddbc8a947515c71627ed1cc578264f7bb8c6990b9927fbf1
#  - 37782247ba0b06455f0cb12feb4365fed1a805bb3762e167ee803783f0f5731e
#  - 38e736edadcc0d60d0e2cccb7a2bcf3d2a2cd471b9177147224151581d2a9fa3
#  - e20eaa5366d498cb9aae3ccaab774ee4210bbef44436a10bb30563e68c94560a
# Note:
#  - Signatures were posted twice, on August 14, 2018 (Multiple signatures 009) and May 02, 2019 (Multiple signatures 027),
#    under different names since they weren't appropriately identified.
#  - According to network traffic, the malware is version 1.0.8.

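# LodaLogger check-in (64-bit host): raw payload contains "|WIN_" (fast pattern),
# "|X64|" within the next 10 bytes and "|Pr" within 25 bytes after that.  Rule text
# re-joined onto one line so it loads as written.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.LodaLogger outbound connection"; flow:to_server,established; content:"|7C|WIN_"; fast_pattern; content:"|7C|X64|7C|"; within:10; content:"|7C|Pr"; within:25; metadata:ruleset community; classtype:trojan-activity; sid:8000256; rev:3;)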

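# LodaLogger check-in (32-bit host): identical to sid:8000256 except that the
# architecture token is "|X86|".  Rule text re-joined onto one line so it loads as
# written.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.LodaLogger outbound connection"; flow:to_server,established; content:"|7C|WIN_"; fast_pattern; content:"|7C|X86|7C|"; within:10; content:"|7C|Pr"; within:25; metadata:ruleset community; classtype:trojan-activity; sid:8000257; rev:3;)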

# --------------------
# Title: Win.Trojan.Racealer/Racoon Stealer
# Reference: Research
# Tests: pcaps
# Detection:
#  - Yara: MALWARE_Win_Trojan_Racealer
#  - ClamAV: MALWARE_Win.Trojan.Racealer
# Hashes:
#   - Older samples:
#     - 06c7609239d733d28fbb871b0c9459b6fe1e72df18dc0d4850ade5081b77ab80
#     - 5c320dfd6b11443cd9a1da5bc57d14cfdd5aa74029bd4ee7380af5ae5c4d3f2d
#     - 841c6cc82cc2c1fd38531953ffa4559798c082dbeb1852d73a24180fe889e3b4
#     - c31757bd0ff0850199dd28d6db0bc174cd7dff38126979bfef5d8a21b361d22c
#   - Recent samples:
#     - d08b20a598df0c7a04cd6570e3b2bfcbaa358a324208f352ad4dff2c9f749240
#     - fde80c40258088be97efdc3c64bd85637a4ca4ad580c1542c001d50d10a09c97
# Note:
#  - Signatures submitted on May 07, 2019 (Multiple signatures 027).
#  - Changed message description and revision.

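# Racealer/Raccoon Stealer log upload: urilen:13 is exactly the length of
# /gate/log.php, so the normalized URI must be that path and nothing else; the
# client body must contain "params=" and the request must carry no User-Agent
# header (negated http_header match).  Rule text re-joined onto one line so it
# loads as written.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Racealer/Racoon Stealer outbound connection"; flow:to_server,established; urilen:13; content:"/gate/log.php"; fast_pattern:only; http_uri; content:"params="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000604; rev:2;)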

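# Racealer/Raccoon Stealer module fetch: normalized URI contains /file.php? plus
# the hash (fast pattern), callback and js query parameters.  Rule text re-joined
# onto one line (and the doubled space before metadata collapsed) so it loads as
# written.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Racealer/Racoon Stealer outbound connection"; flow:to_server,established; content:"/file.php?"; http_uri; content:"hash="; fast_pattern:only; http_uri; content:"&callback="; http_uri; content:"&js="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000605; rev:2;)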



-- 
Marcos Rodriguez
Cisco Talos

