Snort mailing list archives

Re: ThreadKit Documents


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 30 May 2018 19:16:23 +0000

New hash(es) have been added, thanks to the original identifiers.

- 5c526ede8ecd510b985d366b0a9cd8704abc7abdf477b65695016f695d00a1d7
- db5a46b9d8419079ea8431c9d6f6f55e4f7d36f22eee409bd62d72ea79fb8e72
- 52be37fca69737ea52edcc4dbb7549fc63bfd017f36a308d08514534b522e4bc

The following sid(s) from the original post triggered successfully: 8000075, 8000076, 8000077, 8000078, 8000079, 8000080, 8000081, 8000082.

The following sid(s) from the original post have been modified: 8000084.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - distinct obj structure"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|object|5C|obj"; content:"|5C|objupdate"; pcre:"/\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv[\x5c\x0a\x20]/"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000084; rev:2;)

Pcaps for these should be ready in a minute.

Thanks.
YM

________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of O C via Snort-sigs <snort-sigs () lists snort org>
Sent: Tuesday, May 29, 2018 8:37 PM
To: snort-sigs
Subject: [Snort-sigs] ThreadKit Documents

Hi,

The below rules attempt to detect exploit documents generated by ThreadKit. While there are rules to detect the 
exploit attempts, the permissiveness of the RTF syntax may result in FN. The below sample hashes were worked with and 
pcaps are available for these. As I stumble upon more documents, I will update this thread. I added these under the 
MALWARE-OTHER category since the rules do not look for the exploits, but the documents themselves.

Some of the rules can be grouped using PCRE, but I kept them separate. Some of the rules may also seem redundant, but 
the idea is to capture as many variants as possible.

If this sounds like a bad idea, please let me know so I won't waste cycles on them.

# --------------------
# Date: 2018-05-28
# Title: ThreadKit Documents
# Tests: pcap
# Reference: Research
# Hashes:
#   - bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c
#   - af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5
#   - 8e1c6f44b02e72b1c1c9af0ffdcee0fbe67fb8ee370bc67e4e01ec43f8b92ec9
#   - 53e8890f0d002d9611675419b3d8d0899b599c59f4557e105211d294bf92f023
#   - 2bb9d0d8166a8d330cb3c5be6fb60539fe29e05cc3acb4ac7ec3da233fb013ec

# HTTP
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding TXT file"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E747874"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000075; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding SCT file"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E736374"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000076; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding BAT file"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E626174"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000077; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding EXE file"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E657865"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000078; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - objhtml mmath object obfuscation"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0; content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000079; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - objhtml mmath object obfuscation OLE2Link"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0; content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:50; content:"OLE2Link"; within:150; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000080; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - objhtml object obfuscation OLE2Link"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0; content:"|5C|bin"; within:50; nocase; content:"OLE2Link"; within:150; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000081; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - objemb mmath object obfuscation"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objemb"; content:"|5C|objupdate"; distance:0; content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000082; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - picture object remote"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"METAFILEPICT"; content:"INCLUDEPICTURE |22|http"; distance:0; content:"MZ"; within:200; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000083; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - distinct obj structure"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|object|5C|obj"; content:"|5C|objupdate"; pcre:"/\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv\x0a\x20/"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000084; rev:1;)

# SMTP
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding TXT file"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E747874"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000085; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding SCT file"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E736374"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000086; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding BAT file"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E626174"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000087; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding EXE file"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E657865"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000088; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - objhtml mmath object obfuscation"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0; content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000089; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - objhtml mmath object obfuscation OLE2Link"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0; content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:50; content:"OLE2Link"; within:150; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000090; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - objhtml object obfuscation OLE2Link"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0; content:"|5C|bin"; within:50; nocase; content:"OLE2Link"; within:150; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000091; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - objemb mmath object obfuscation"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objemb"; content:"|5C|objupdate"; distance:0; content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000092; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - picture object remote"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"METAFILEPICT"; content:"INCLUDEPICTURE |22|http"; distance:0; content:"MZ"; within:200; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000093; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - distinct obj structure"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|object|5C|obj"; content:"|5C|objupdate"; pcre:"/\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv\x0a\x20/"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000094; rev:1;)

Thanks.
YM
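As an added illustration (not code from the thread or from the Snort project), the Python below emulates the relative content/distance/within/nocase chain of sid:8000075-8000078 and the pcre of sid:8000084 in both its posted (rev:1) and modified (rev:2) form, run over constructed RTF fragments. The helper names and the sample bytes are this example's own assumptions, not real samples.

```python
import re

# Added example, not from the thread: emulates the content chain of sid:8000075-78 and
# the sid:8000084 pcre (rev:1 vs rev:2) over constructed RTF fragments, not real samples.

PACKAGE_HEX = b"5061636B61676500"  # hex of "Package" + NUL, the OLE class name inside \objdata
EXT_HEX = {"txt": b"2E747874", "sct": b"2E736374", "bat": b"2E626174", "exe": b"2E657865"}

def rel_content(buf, cursor, needle, nocase=False, within=None):
    """Relative content match: search from `cursor`; with within=N the needle must end
    no more than N bytes past the cursor. Returns the new cursor, or -1 on no match."""
    window = buf[cursor:] if within is None else buf[cursor:cursor + within]
    if nocase:
        window, needle = window.lower(), needle.lower()
    i = window.find(needle)
    return -1 if i < 0 else cursor + i + len(needle)

def activex_package(buf, ext):
    r"""sid:8000075-78 logic: \objhtml, then \objdata, then hex("Package"+NUL),
    then hex(".ext") within 100 bytes; each step is relative to the previous match."""
    steps = ((b"\\objhtml", {}), (b"\\objdata", {}),
             (PACKAGE_HEX, {"nocase": True}),
             (EXT_HEX[ext], {"nocase": True, "within": 100}))
    cursor = 0
    for needle, opts in steps:
        cursor = rel_content(buf, cursor, needle, **opts)
        if cursor < 0:
            return False
    return True

# sid:8000084 pcre as posted (rev:1) and as modified in the follow-up (rev:2):
# rev:2 accepts a backslash, newline or space after \v instead of only "\n ".
PCRE_REV1 = re.compile(rb"\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv\x0a\x20")
PCRE_REV2 = re.compile(rb"\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv[\x5c\x0a\x20]")

def distinct_obj_structure(buf, rev=2):
    """sid:8000084 logic: both plain contents must be present, then the pcre of that rev."""
    if b"\\object\\obj" not in buf or b"\\objupdate" not in buf:
        return False
    return (PCRE_REV2 if rev == 2 else PCRE_REV1).search(buf) is not None

# Constructed RTF fragments (not real samples). Lowercase hex exercises `nocase`.
HIT = (b"{\\rtf1{\\object\\objhtml\\objupdate\\v\\objw100{\\*\\objdata "
       b"0105000002000000080000005061636b616765000000000000000000"
       b"7061796c6f61642e747874 0000}}}")
FAR = HIT.replace(b"7061796c6f6164", b"00" * 60)    # ".txt" now ends >100 bytes past "Package"
NEWLINE = HIT.replace(b"\\v\\objw100", b"\\v\n ")      # the literal "\v\n " form rev:1 expected
```

FAR shows why `within:100` matters: the same markers are present, but the extension hex lies outside the window, so the rule stays silent; HIT versus NEWLINE shows the variant the rev:2 pcre catches that rev:1 missed.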