Re: Win.Trojan.PowerStat

[Tyler Montier <tmontier () sourcefire com>]

Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Can you send the pcaps our way?

Regards,
Tyler Montier
Cisco Talos

On Mon, Jan 22, 2018 at 7:29 AM, Y M via Snort-sigs <
snort-sigs () lists snort org> wrote:

> Hi,
>
>
> The below two signatures are originally driven by the following
> references. The sample on VT is referenced in the signatures. Pcap is
> available.
>
>
> https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/
> https://researchcenter.paloaltonetworks.com/2017/11/
> unit42-muddying-the-water-targeted-attacks-in-the-middle-east/
> http://blog.morphisec.com/fileless-attack-framework-discovery
> https://blog.malwarebytes.com/threat-analysis/2017/09/
> elaborate-scripting-fu-used-in-espionage-attack-against-
> saudi-arabia-government_entity/
>
> Opted for two separate signatures as opposed to using pcre.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.PowerStat variant outbound connection to proxy";
> flow:to_server,established; urilen:>50; content:"GET"; http_method;
> content:".php?c="; http_uri; fast_pattern:only; content:"Connection|3A
> 20|"; http_header; content:!"User-Agent"; http_header; content:!"Accept";
> http_header; content:!"Referer"; http_header; content:!"Cookie";
> http_header; content:!"Content"; http_header; metadata:ruleset community,
> service http; reference:url,www.virustotal.com/#/file/
> 16985600c959f6267476da614243a585b1b222213ec938351ef6a26560c992db/detection;
> classtype:trojan-activity; sid:9000004; rev:2;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.PowerStat variant outbound connection to proxy";
> flow:to_server,established; urilen:>50; content:"GET"; http_method;
> content:".aspx?c="; http_uri; fast_pattern:only; content:"Connection|3A
> 20|"; http_header; content:!"User-Agent"; http_header; content:!"Accept";
> http_header; content:!"Referer"; http_header; content:!"Cookie";
> http_header; content:!"Content"; http_header; metadata:ruleset community,
> service http; reference:url,www.virustotal.com/#/file/
> 16985600c959f6267476da614243a585b1b222213ec938351ef6a26560c992db/detection;
> classtype:trojan-activity; sid:9000005; rev:2;)
>
> Thanks.
> YM
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-
> the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!