Re: Win.Trojan.Nocturnal

[John Levy <johlevy () sourcefire com>]

Hi Yaser,

We reviewed your submissions for this one and decided to tweak the first
rule just a little bit and add it to the community ruleset (sid 46895).
Specifically, we first removed the check for the http_method. Second, we
shortened each content-match to include just the parameter key and value,
and we also shortened the total number of content matches. Lastly, we added
a check for the specific URI used for our fast pattern. Thanks again for
your contribution!

Regards,

John Levy
Cisco Talos

On Jun 4, 2018, at 1:24 PM, Y M via Snort-sigs <snort-sigs () lists snort org>
wrote:

Hi,

Unfortunately, I don't have pcaps for these.

# --------------------
# Date: 2018-06-01
# Title: Thief in the night: New Nocturnal Stealer grabs data on the cheap
# Tests: syntax only
# Reference: https://www.proofpoint.com/us/threat-
insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap,
https://www.virustotal.com/#/file/ae7e5a7b34dc216e9da384fcf9868a
b2c1a1d731f583f893b2d2d4009da15a4e/detection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Nocturnal outbound connection"; flow:to_server,established;
content:"POST"; http_method; content:"Content-Disposition: form-data|3B|
name=|22|hwid|22|"; fast_pattern:only; http_client_body;
content:"Content-Disposition: form-data|3B| name=|22|os|22|";
http_client_body; content:"Content-Disposition: form-data|3B|
name=|22|platform|22|"; http_client_body; content:"Content-Disposition:
form-data|3B| name=|22|profile|22|"; http_client_body;
content:"Content-Disposition: form-data|3B| name=|22|user|22|";
http_client_body; content:"Content-Disposition: form-data|3B|
name=|22|pcount|22|"; http_client_body; content:"Content-Disposition:
form-data|3B| name=|22|cccount|22|"; http_client_body; metadata:ruleset
community, service http; reference:url,www.proofpoint.
com/us/threat-insight/post/thief-night-new-nocturnal-
stealer-grabs-data-cheap; classtype:trojan-activity; sid:8000096; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
known malicious user-agent - Win.Trojan.Nocturnal";
flow:to_server,established; content:"User-Agent: Nocturnal/";
fast_pattern:only; http_header; metadata:ruleset community, service http;
reference:url,www.proofpoint.com/us/threat-insight/post/
thief-night-new-nocturnal-stealer-grabs-data-cheap;
classtype:trojan-activity; sid:8000097; rev:1;)

Thanks.
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-
etiquette

Visit the Snort.org <http://snort.org/> to subscribe to the official Snort
ruleset, make sure to stay up to date to catch the most <a href="
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!