Snort mailing list archives

Re: Backdoor OSCelestial RAT


From: Phillip Lee <phillile () sourcefire com>
Date: Thu, 22 Mar 2018 10:17:15 -0400

Dear Yaser,

This rule has been reviewed and added to the community ruleset (SID: 45979-45980). Modifications were made to include 
the first three bytes prior to the Java class name, since these represent the data type and length of the following Java 
class names.

Submitted Rules:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection"; flow:to_server,established; content:"|72 00 17|com.net.LoginDataPacket"; fast_pattern:only; content:"|74 00 13|Lcom/net/LoginData"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:45979; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection"; flow:to_client,established; content:"|74 00 29|net.oscp.client.keylogger.KeystrokeLogger"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:45980; rev:1;)

Thank you for your contribution.  

Sincerely,
Phil Lee
Cisco Talos
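The three-byte prefix Phil refers to is the Java serialization tag byte (TC_CLASSDESC 0x72 or TC_STRING 0x74) followed by the big-endian two-byte string length that Java's writeUTF() emits. As an added example, not code from Talos or from anyone in this thread, this Python derives that prefix for a given class name, converts Snort content syntax to bytes, and checks the two SID 45979 matches against a constructed stream fragment (the sample bytes and the field name "data" are assumptions, not taken from the real packet):

```python
import re
import struct

# Tags from java.io.ObjectStreamConstants that are followed by a u2 length and
# then the string bytes, exactly as Java's writeUTF() emits them.
TC_CLASSDESC = 0x72  # class descriptor: the class name comes first
TC_STRING = 0x74     # string object, e.g. a field's type descriptor

def snort_content(tag, text):
    """Build the '|tag hi lo|text' content match for a serialized Java string."""
    encoded = text.encode("utf-8")  # ASCII class names: modified UTF-8 == UTF-8
    hi, lo = struct.pack(">H", len(encoded))
    return "|%02X %02X %02X|%s" % (tag, hi, lo, text)

def content_to_bytes(pattern):
    """Turn Snort content syntax (literal text plus |hex| sections) into bytes."""
    out = bytearray()
    for piece in re.split(r"(\|[0-9A-Fa-f ]+\|)", pattern):
        if len(piece) > 1 and piece.startswith("|") and piece.endswith("|"):
            out += bytes.fromhex(piece.strip("|"))
        else:
            out += piece.encode("utf-8")
    return bytes(out)

def tagged_strings(stream):
    """Return (offset, tag, text) for every TC_CLASSDESC/TC_STRING tag whose u2
    length is followed by that many printable ASCII bytes: the view a rule
    author needs to pick class-name content matches out of a capture."""
    found = []
    for i in range(len(stream) - 3):
        if stream[i] not in (TC_CLASSDESC, TC_STRING):
            continue
        (length,) = struct.unpack(">H", stream[i + 1:i + 3])
        body = stream[i + 3:i + 3 + length]
        if length and len(body) == length and all(0x20 <= b < 0x7F for b in body):
            found.append((i, stream[i], body.decode("ascii")))
    return found

# Constructed sample (not a real capture): stream magic/version, TC_OBJECT, the
# login packet's class descriptor, filler for serialVersionUID/flags/field
# count, one field entry ("data", assumed), then the TC_STRING with its type.
SAMPLE = (b"\xac\xed\x00\x05\x73"
          + content_to_bytes(snort_content(TC_CLASSDESC, "com.net.LoginDataPacket"))
          + b"\x00" * 8 + b"\x02\x00\x01" + b"L\x00\x04data"
          + content_to_bytes(snort_content(TC_STRING, "Lcom/net/LoginData;")))

def rule_45979_hits(stream):
    """True when both content matches of community SID 45979 are present."""
    patterns = ("|72 00 17|com.net.LoginDataPacket", "|74 00 13|Lcom/net/LoginData")
    return all(content_to_bytes(p) in stream for p in patterns)
```

Note that the field type string is actually "Lcom/net/LoginData;" (19 bytes, hence 0x13), which is why the rule's content is a prefix of it.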


On Mar 6, 2017, at 3:17 PM, Tyler Montier <tmontier () sourcefire com> wrote:

Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished.

Since you have pcaps available, can you send them my way?

Sincerely,

Tyler Montier
Cisco Talos

On Mon, Mar 6, 2017 at 6:06 AM, Y M <snort () outlook com> wrote:
Hello,


The below rules are for the OSCelestial RAT. I left the OS (Win, OS X, etc.) out of the beginning of the rules' messages 
since the sample in question seems to be targeting multiple OSes. The sample was successfully tested on Windows, OS 
X, and Linux (Ubuntu). Other OSes were not tested.


The last rule may be overkill, but the pattern was too obvious to leave out. Pcap is available.



alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant outbound connection"; flow:to_server,established; content:"|70 73 72 00|"; content:"|17|com.net.LoginDataPacket"; distance:0; within:24; metadata:ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:1000867; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant outbound connection"; flow:to_server,established; content:"|70 73 72 00|"; content:"|11|com.net.LoginData"; distance:0; within:18; content:"|0E|identification"; content:"|08|maccaddr"; distance:7; within:9; content:"|0F|operatingsystem"; distance:7; within:16; content:"|06|pcname"; distance:7; within:7; content:"|08|username"; distance:7; within:9; content:"|07|version"; distance:7; within:8; metadata:ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:1000868; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant inbound connection"; flow:to_client,established; dsize:>800; content:"|1B|com.net.DynamicPluginPacket"; fast_pattern:only; content:"|00 14|com.oscp.client.HRDP"; content:"|00 26|net.oscp.client.networking.OpenWebsite"; content:"|00 28|"; distance:1; content:".UploadExecute"; distance:25; within:15; content:"|00 27|"; distance:1; content:".ReverseProxy"; distance:25; within:14; content:"|00 2A|"; distance:1; content:".DownloadExecute"; distance:25; within:17; content:"|00 29|"; distance:1; content:".KeystrokeLogger"; distance:24; within:17; content:"|00 27|"; distance:1; content:".JarInjector"; distance:26; within:13; content:"|00 2B|"; distance:1; content:".JarInjectUpload"; distance:26; within:17; content:"|00 21|"; distance:1; content:".Explorer"; distance:24; within:10; content:"|00 25|"; distance:1; content:".RemoteChat"; distance:25; within:12; content:"|00 25|"; distance:1; content:".MessageBox"; distance:25; within:12; content:"|00 23|"; distance:1; content:".DesktopView"; distance:22; within:13; content:"|00 29|"; distance:1; content:".PasswordRecovery"; distance:23; within:18; content:"|00 21|"; distance:1; content:".WebcamView"; distance:21; within:12; content:"|00 27|"; content:".Terminal"; distance:23; within:10; metadata:ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:1000869; rev:1;)


Thank you.

YM


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot <http://sdm.link/slashdot>
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net <mailto:Snort-sigs () lists sourceforge net>
https://lists.sourceforge.net/lists/listinfo/snort-sigs <https://lists.sourceforge.net/lists/listinfo/snort-sigs>

http://www.snort.org <http://www.snort.org/>

Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads>">emerging 
threats</a>!
