Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ThreadKit Documents

From: John Levy <johlevy () sourcefire com>
Date: Tue, 5 Jun 2018 07:37:38 -0400
Hi Yaser,

Thank you the additional information and for the four additional
submissions from yesterday. We will review the rules for Nocturnal, Joanap,
Danabot, and Autophyte, and we will get back to you when we are done
evaluating them. Lastly and when you get a chance, could you send over the
pcaps for the three new submissions? Thanks again!

Regards,

John Levy
Cisco Talos

On Mon, Jun 4, 2018 at 4:27 PM, Y M via Snort-sigs <
snort-sigs () lists snort org> wrote:


New hash(es) have been added:

- 819e0e82f2f5c3633e00adef10796da3755620546667da4d4942158536b8fbdf
- caed167c45c346e5d0014298311c84c393b2fdff4c122ed56b5cac00763635ee
- a76350c33a56af0bd1b90bc5fb3358cef8cd3eb7b8307760e33d36ea67f18754

The following sid(s) from the original post triggered successfully: 8000077,
8000079, 8000084 (rev:2).

The following sid(s) from the original post have been modified: 8000075-
8000078, 8000084.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding TXT
file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"61636B61676500"; distance:0; nocase; content:"2E747874";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000075;
rev:2;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding SCT
file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"61636B61676500"; distance:0; nocase; content:"2E736374";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000076;
rev:2;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding BAT
file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"61636B61676500"; distance:0; nocase; content:"2E626174";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000077;
rev:2;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding EXE
file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"61636B61676500"; distance:0; nocase; content:"2E657865";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000078;
rev:2;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - distinct obj structure";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|object|5C|obj"; content:"|5C|objupdate";
pcre:"/\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv[\x5c\x0a\x20\x0d]/";
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:attempted-user; sid:8000084; rev:3;)

Thanks.
YM


------------------------------
*From:* Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Y M
via Snort-sigs <snort-sigs () lists snort org>
*Sent:* Wednesday, May 30, 2018 10:16 PM
*To:* O C via Snort-sigs
*Subject:* Re: [Snort-sigs] ThreadKit Documents

New hash(es) have been added, thanks to the original identifiers.

- 5c526ede8ecd510b985d366b0a9cd8704abc7abdf477b65695016f695d00a1d7
- db5a46b9d8419079ea8431c9d6f6f55e4f7d36f22eee409bd62d72ea79fb8e72
- 52be37fca69737ea52edcc4dbb7549fc63bfd017f36a308d08514534b522e4bc

The following sid(s) from the original post triggered successfully: 8000075,
8000076, 8000077, 8000078, 8000079, 8000080, 8000081, 8000082.

The following sid(s) from the original post have been modified: 8000084.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - distinct obj structure";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|object|5C|obj"; content:"|5C|objupdate";
pcre:"/\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv[\x5c\x0a\x20]/";
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:attempted-user; sid:8000084; rev:2;)

Pcaps for these should be ready in a minute.

Thanks.
YM

------------------------------
*From:* Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of O C
via Snort-sigs <snort-sigs () lists snort org>
*Sent:* Tuesday, May 29, 2018 8:37 PM
*To:* snort-sigs
*Subject:* [Snort-sigs] ThreadKit Documents

Hi,

The below rules attempt at detecting exploit documents generated by
ThreadKit. While there are rules to detect the exploit attempts, the
permissiveness of the RTF syntax may result in FN. The below sample hashes
were worked with and pcaps are available for these. As I stumble upon
more documents, I will update this thread. I added these under the
MALWARE-OTHER category since the rules to do not look for the exploits, but
the documents themselves.

Some of the rules can be grouped using PCRE, but I kept them separate.
Some of the rules may also seem redundant, but the idea is to capture as
many variants as possible.

If this sounds like a bad idea, please let me know so I won't waste cycles
on them.

# --------------------
# Date: 2018-05-28
# Title: ThreadKit Documents
# Tests: pcap
# Reference: Research
# Hashes:
#   - bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c
#   - af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5
#   - 8e1c6f44b02e72b1c1c9af0ffdcee0fbe67fb8ee370bc67e4e01ec43f8b92ec9
#   - 53e8890f0d002d9611675419b3d8d0899b599c59f4557e105211d294bf92f023
#   - 2bb9d0d8166a8d330cb3c5be6fb60539fe29e05cc3acb4ac7ec3da233fb013ec

# HTTP
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding TXT
file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E747874";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000075;
rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding SCT
file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E736374";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000076;
rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding BAT
file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E626174";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000077;
rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding EXE
file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E657865";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000078;
rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - objhtml mmath object obfuscation";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase;
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:attempted-user; sid:8000079; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - objhtml mmath object obfuscation
OLE2Link"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:50;
content:"OLE2Link"; within:150; nocase; metadata:ruleset community, service
ftp-data, service http, service imap, service pop3;
classtype:attempted-user; sid:8000080; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - objhtml object obfuscation
OLE2Link"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
content:"|5C|bin"; within:50; nocase; content:"OLE2Link"; within:150;
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:attempted-user; sid:8000081; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - objemb mmath object obfuscation";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objemb"; content:"|5C|objupdate"; distance:0;
content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase;
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:attempted-user; sid:8000082; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - picture object remote";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"METAFILEPICT"; content:"INCLUDEPICTURE |22|http"; distance:0;
content:"MZ"; within:200; metadata:ruleset community, service ftp-data,
service http, service imap, service pop3; classtype:attempted-user;
sid:8000083; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - distinct obj structure";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|object|5C|obj"; content:"|5C|objupdate";
pcre:"/\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv\x0a\x20/";
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:attempted-user; sid:8000084; rev:1;)

# SMTP
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - ActiveX Package embedding TXT file";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E747874";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000085;
rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - ActiveX Package embedding SCT file";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E736374";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000086;
rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - ActiveX Package embedding BAT file";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E626174";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000087;
rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - ActiveX Package embedding EXE file";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E657865";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000088;
rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - objhtml mmath object obfuscation";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase;
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:attempted-user; sid:8000089; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - objhtml mmath object obfuscation OLE2Link";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:50;
content:"OLE2Link"; within:150; nocase; metadata:ruleset community, service
ftp-data, service http, service imap, service pop3;
classtype:attempted-user; sid:8000090; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - objhtml object obfuscation OLE2Link";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
content:"|5C|bin"; within:50; nocase; content:"OLE2Link"; within:150;
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:attempted-user; sid:8000091; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - objemb mmath object obfuscation";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objemb"; content:"|5C|objupdate"; distance:0;
content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase;
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:attempted-user; sid:8000092; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - picture object remote"; flow:to_server,established;
flowbits:isset,file.rtf; file_data; content:"METAFILEPICT";
content:"INCLUDEPICTURE |22|http"; distance:0; content:"MZ"; within:200;
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:attempted-user; sid:8000093; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - distinct obj structure"; flow:to_server,established;
flowbits:isset,file.rtf; file_data; content:"|5C|object|5C|obj";
content:"|5C|objupdate"; pcre:"/\x5cobject\x5cobj(emb|
html)\x5cobjupdate\x5cv\x0a\x20/"; metadata:ruleset community, service
ftp-data, service http, service imap, service pop3;
classtype:attempted-user; sid:8000094; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-
the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure
to stay up to date to catch the most <a href="
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: