Snort mailing list archives

Re: Win.Trojan.Bandook + Win.Trojan.CrossRAT


From: Tyler Montier <tmontier () sourcefire com>
Date: Mon, 22 Jan 2018 08:31:49 -0500

Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Can you send the pcaps our way?

Sincerely,
Tyler Montier
Cisco Talos


On Mon, Jan 22, 2018 at 7:35 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,


Putting these into one email since they belong to the same
report/campaign. Two samples (desktop) were identified and signatures were
written against them. Unfortunately, no signatures against the Android
samples. Pcaps are available.


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt"; flow:to_server,established; dsize:<250; content:"QDAwMD"; depth:6; fast_pattern; content:"&&&"; within:200; isdataat:!0,relative; metadata:ruleset community; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/bf600e7b27bdd9e396e5c396aba7f079c244bfb92ee45c721c2294aa36586206/detection; classtype:trojan-activity; sid:9000012; rev:1;)


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound HTTP request"; flow:to_server,established; content:"GET"; http_method; content:"/get.php?"; fast_pattern:only; http_uri; content:"action=check"; http_uri; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:9000013; rev:1;)


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound HTTP request"; flow:to_server,established; content:"POST"; http_method; content:"/get.php?"; fast_pattern:only; http_uri; content:"file1="; http_uri; content:"&file2="; http_uri; content:"&port="; http_uri; content:"&id="; http_uri; content:"&name="; http_uri; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:9000014; rev:1;)


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT"; flow:to_server,established; content:"User-Agent|3A| Uploador|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:9000015; rev:1;)


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt"; flow:to_server,established; content:"S_0001|5B|"; depth:7; fast_pattern; content:"&&&"; within:200; isdataat:!0,relative; metadata:ruleset community; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:9000016; rev:1;)


Thanks.

YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset and stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads


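Added example (not part of the original post, and not Snort's own code): an offline checker that re-implements just the rule options the five submitted signatures depend on (content with depth/within, isdataat:!0,relative, dsize, and the http_method/http_uri/http_header buffers), so the matching decisions can be exercised against constructed payloads before the rules are loaded into a sensor. The payloads below are constructed, not captures; example.invalid is a placeholder host; flow tracking, fast_pattern selection and HTTP normalization are deliberately left out, so it approximates Snort's semantics rather than reproducing them.

```python
"""Offline checker for the content logic in the submitted Bandook/CrossRAT rules.

Added example, not code from the original post or from Snort. It models only
the options those rules use; flow state, fast_pattern and HTTP normalization
are out of scope, so treat it as a sanity check on the rule logic, not as Snort.
"""
from typing import Optional


def match_raw_cnc(payload: bytes, first: bytes, depth: int, second: bytes,
                  within: int, max_size: Optional[int] = None) -> bool:
    """Emulate: [dsize:<max_size;] content:first; depth:depth;
    content:second; within:within; isdataat:!0,relative;"""
    # dsize:<N -> payload must be strictly shorter than N bytes
    if max_size is not None and len(payload) >= max_size:
        return False
    # depth:N -> the first content must sit entirely inside the first N bytes
    idx = payload.find(first, 0, depth)
    if idx < 0:
        return False
    cursor = idx + len(first)
    # within:N -> the second content must end no more than N bytes past the cursor
    idx2 = payload.find(second, cursor, cursor + within)
    if idx2 < 0:
        return False
    cursor = idx2 + len(second)
    # isdataat:!0,relative -> no byte may follow the second match (payload ends there)
    return cursor == len(payload)


def split_http_request(raw: bytes) -> tuple:
    """Split a raw request into (method, uri, header_block), approximating the
    http_method, http_uri and http_header buffers; header lines keep their CRLF."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else b""
    return method, uri, (header_block + b"\r\n") if header_block else b""


def match_http_rule(raw: bytes, method: Optional[bytes] = None, uri_all=(),
                    header_all=(), header_none=()) -> bool:
    """Each content without a relative modifier is an independent substring test
    on its buffer; content:!"X" means X must be absent from that buffer."""
    m, uri, hdr = split_http_request(raw)
    if method is not None and m != method:
        return False
    if not all(s in uri for s in uri_all):
        return False
    if not all(s in hdr for s in header_all):
        return False
    return not any(s in hdr for s in header_none)


# Options transcribed from the submitted signatures (|3A| = ':', |0D 0A| = CRLF, |5B| = '[')
SID_9000013 = dict(method=b"GET", uri_all=(b"/get.php?", b"action=check"),
                   header_none=(b"Connection", b"Accept", b"Referer"))
SID_9000014 = dict(method=b"POST",
                   uri_all=(b"/get.php?", b"file1=", b"&file2=", b"&port=", b"&id=", b"&name="),
                   header_none=(b"Referer",))
SID_9000015 = dict(header_all=(b"User-Agent: Uploador\r\n",))

# Constructed payloads (not captures); example.invalid is a placeholder host
BANDOOK_BEACON = b"QDAwMDAw" + b"A" * 20 + b"&&&"                 # sid 9000012 shape
CROSSRAT_BEACON = b"S_0001[" + b"host=placeholder" + b"&&&"          # sid 9000016 shape
CROSSRAT_GET = (b"GET /get.php?action=check HTTP/1.1\r\n"
                b"Host: example.invalid\r\nUser-Agent: Uploador\r\n\r\n")
CROSSRAT_POST = (b"POST /get.php?file1=a.txt&file2=b.txt&port=1&id=2&name=c HTTP/1.1\r\n"
                 b"Host: example.invalid\r\nUser-Agent: Uploador\r\n\r\n")
# A browser-style request to the same path: the negated headers keep it from alerting
BROWSER_GET = (b"GET /get.php?action=check HTTP/1.1\r\nHost: example.invalid\r\n"
               b"Accept: */*\r\nConnection: keep-alive\r\n\r\n")


def evaluate_samples() -> dict:
    """Run every sample through every rule; keys are '<sid>:<sample name>'."""
    results = {}
    raw_rules = {
        "9000012": dict(first=b"QDAwMD", depth=6, second=b"&&&", within=200, max_size=250),
        "9000016": dict(first=b"S_0001[", depth=7, second=b"&&&", within=200),
    }
    http_rules = {"9000013": SID_9000013, "9000014": SID_9000014, "9000015": SID_9000015}
    raw_samples = {"bandook": BANDOOK_BEACON, "crossrat_raw": CROSSRAT_BEACON}
    http_samples = {"crossrat_get": CROSSRAT_GET, "crossrat_post": CROSSRAT_POST,
                    "browser_get": BROWSER_GET}
    for sid, opts in raw_rules.items():
        for name, p in raw_samples.items():
            results[f"{sid}:{name}"] = match_raw_cnc(p, **opts)
    for sid, opts in http_rules.items():
        for name, p in http_samples.items():
            results[f"{sid}:{name}"] = match_http_rule(p, **opts)
    return results


if __name__ == "__main__":
    for key, hit in sorted(evaluate_samples().items()):
        print(f"{key:<24} {'ALERT' if hit else '-'}")
```

The point worth keeping from the table it prints: the negated header contents in sid 9000013 are what separate the RAT's bare GET from an ordinary browser request to the same path, and isdataat:!0,relative in the two raw-TCP rules means a beacon with even one trailing byte after the "&&&" delimiter is not matched, which is the kind of edge a pcap replay should confirm before the rules go live.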
