Snort mailing list archives

Zebrocy family sigs


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 27 Apr 2018 14:03:31 +0000

Hi,

The below rules are based on the information provided by the reference. The traffic from the hashes listed below was tested against the rules. Pcaps are available.

# Title: Sednit update: Analysis of Zebrocy
# Reference: https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
# Tests: pcap
# Hashes: 54b14fc84f152b43c63babc46f2597b053e94627 (Delf Downloader), d379b94a3eb4fd9c9a973f64d436d7fc2e9d6762 (AutoIt Downloader), 4ccbe222bd97dc229b36efaf52520939da9d51c8 (Delf Backdoor), cdf9c24b86bc9a872035dcf3f53f380c904ed98b (Delf Backdoor)

# Delphi downloader beacon: POST to a .php/.dat URI with an uppercase alphanumeric "fort=" token, "pol=" in the body, and a literal "Accept-Encoding: identity" header
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?fort="; fast_pattern:only; http_uri; content:"pol="; http_client_body; content:"Accept-Encoding|3A 20|identity|0D 0A|"; http_header; pcre:"/\.(php|dat)\x3ffort\x3d[A-Z0-9]{8,16}/U"; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000022; rev:1;)
# Delphi downloader variant: POST to /protocol.php with "porg=" in the body and no User-Agent header at all
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/protocol.php"; fast_pattern:only; http_uri; content:"porg="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000023; rev:1;)
# AutoIt downloader beacon: POST body carrying both "dbgate=" and "win32=" form fields
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family AutoIt downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"dbgate="; fast_pattern:only; http_client_body; content:"win32="; http_client_body; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000024; rev:1;)
# Delphi backdoor upload: multipart POST with a "userfile" file part and the same "Accept-Encoding: identity" header
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi backdoor outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"Content-Disposition: form-data|3B| name=|22|userfile|22 3B| filename=|22|"; fast_pattern:only; http_client_body; content:"Accept-Encoding|3A 20|identity|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000025; rev:1;)
# Malformed User-Agent shared by the family ("Mozilla v" followed by a digit instead of "Mozilla/"); method-independent
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family bad known user-agent"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla v"; fast_pattern:only; http_header; pcre:"/User-Agent\x3a\x20Mozilla\x20v[0-9]/Hi"; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000026; rev:1;)

Thanks
YM
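Added example (not part of the post above, and not a substitute for running the rules against the pcaps in Snort): a small Python harness that re-implements the content and pcre conditions of the five rules over raw HTTP requests, so the patterns can be sanity-checked against hand-built true positives and a benign request before deployment. The sample requests are constructed here, not taken from the referenced captures.

```python
import re

# PCREs from the rules; Snort's /U (URI) and /H (header) buffers are
# emulated by matching against the parsed URI and header block separately.
URI_FORT_RE = re.compile(rb"\.(php|dat)\?fort=[A-Z0-9]{8,16}")
UA_RE = re.compile(rb"User-Agent:\x20Mozilla\x20v[0-9]", re.IGNORECASE)
UPLOAD_MARK = b'Content-Disposition: form-data; name="userfile"; filename="'


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, headers, body).

    The header block keeps its trailing CRLF so that a match such as
    "Accept-Encoding: identity" + CRLF behaves like the http_header buffer.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _ = request_line.split(b" ", 2)
    return method, uri, headers + b"\r\n", body


def match_sids(raw: bytes):
    """Return the sids (from the rules above) whose conditions the request meets."""
    method, uri, headers, body = parse_http_request(raw)
    identity = b"Accept-Encoding: identity\r\n" in headers
    hits = []
    if method == b"POST":
        if b"?fort=" in uri and b"pol=" in body and identity and URI_FORT_RE.search(uri):
            hits.append(8000022)
        if b"/protocol.php" in uri and b"porg=" in body and b"User-Agent" not in headers:
            hits.append(8000023)
        if b"dbgate=" in body and b"win32=" in body:
            hits.append(8000024)
        if UPLOAD_MARK in body and identity:
            hits.append(8000025)
    if b"User-Agent: Mozilla v" in headers and UA_RE.search(headers):
        hits.append(8000026)
    return hits


# Constructed sample requests (not captures from the referenced pcaps).
SAMPLE_DOWNLOADER = (b"POST /index.php?fort=ABCD1234EFGH HTTP/1.1\r\nHost: example.invalid\r\n"
                     b"Accept-Encoding: identity\r\n\r\npol=constructed")
SAMPLE_UPLOAD = (b"POST /upload.php HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"Accept-Encoding: identity\r\n\r\n--X\r\n" + UPLOAD_MARK + b"x.bin\"\r\n\r\n")
SAMPLE_UA = b"GET /update HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla v5\r\n\r\n"
SAMPLE_BENIGN = (b"POST /login.php HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"User-Agent: Mozilla/5.0\r\nAccept-Encoding: gzip\r\n\r\nuser=a")

if __name__ == "__main__":
    for name, req in [("downloader", SAMPLE_DOWNLOADER), ("upload", SAMPLE_UPLOAD),
                      ("ua", SAMPLE_UA), ("benign", SAMPLE_BENIGN)]:
        print(name, match_sids(req))
```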


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
