Snort mailing list archives
Multiple signatures
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 27 Jun 2018 13:34:13 +0000
Hi, Below are a set of rules for various detection aggregated in one email. Oddly, I was not able to acquire any of the binaries/payloads, hence, the lack of pcaps. It was just weird. Each set of signatures are separated by "#----". Please let me if this format is not favorable and I will work something out. # -------------------- # Date: 2018-06-17 # Title: CVE-2017-8570 RTF and the Sisfader RAT # Tests: syntax only # Reference: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/ # Confidence: low- # Notes: Rules are based on assumptions of the custom protocol detailed in the reference alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sisfader RAT outbound connection - Register"; flow:to_server,established; content:"|FF DD EE AA|"; within:4; byte_test:1,=,4,4,relative; content:"|0F 01|"; offset:8; metadata:ruleset community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/; classtype:trojan-activity; sid:8000120; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sisfader RAT outbound connection - Beacon"; flow:to_server,established; content:"|FF DD EE AA|"; within:4; byte_test:1,=,4,4,relative; content:"|F0 E1|"; offset:8; metadata:ruleset community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/; classtype:trojan-activity; sid:8000121; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sisfader RAT outbound connection - Pong"; flow:to_server,established; content:"|FF DD EE AA|"; within:4; byte_test:1,=,4,4,relative; content:"|F0 E3|"; offset:8; metadata:ruleset community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/; classtype:trojan-activity; sid:8000122; rev:1;) # -------------------- # Date: 2018-06-21 # Title: Kardon Loader Looks for Beta Testers # Tests: syntax only # Reference: https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/ # Confidence: low alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kardon loader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; http_uri; content:"&os="; fast_pattern:only; http_client_body; content:"&pv="; http_client_body; content:"&ip="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/; classtype:trojan-activity; sid:8000123; rev:1;) # -------------------- # Date: 2018-06-21 # Title: Nigelthorn Malware Abuses Chrome Extensions to Cryptomine and Steal Data # Tests: syntax only # Reference: https://blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/ # Confidence: low- alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Nigelthorn browser plugin social media credentials theft attempt"; flow:to_server,established; content:"GET"; http_method; content:"/php3/"; fast_pattern:only; http_uri; content:".php?"; http_uri; content:"u="; http_uri; content:"&p="; http_header; metadata:ruleset community, service http; reference:url,blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/; classtype:trojan-activity; sid:8000124; rev:1;) # -------------------- # Date: 2018-06-21 # Title: Red Alert v2.0: Misadventures in Reversing Android Bot Malware # Tests: syntax only # Reference: https://www.trustwave.com/Resources/SpiderLabs-Blog/Red-Alert-v2-0--Misadventures-in-Reversing-Android-Bot-Malware/ # Confidence: low alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.BankerBot outbound connection"; flow:to_server,established; urilen:=5; content:"POST"; http_method; content:"/stbi"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"Content-Type: application/json"; http_header; content:"eyJ"; within:3; http_client_body; metadata:ruleset community, service http; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Red-Alert-v2-0--Misadventures-in-Reversing-Android-Bot-Malware/; classtype:trojan-activity; sid:8000125; rev:1;) # -------------------- # Date: 2018-06-22 # Title: RAT Gone Rogue: Meet ARS VBS Loader # Tests: syntax only # Reference: https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/ # Confidence: low alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?os="; http_uri; content:"&user="; http_uri; content:"&av="; http_uri; content:"&fw="; http_uri; content:"&hwid="; http_uri; metadata:ruleset community, service http; reference:url,www.flashpoint-intel.com/blog/meet-ars-vbs-loader/; classtype:trojan-activity; sid:8000126; rev:1;) # -------------------- # Date: 2018-06-27 # Title: Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation # Tests: syntax only # Reference: https://labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/ # Confidence: low alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/toolbar/"; http_uri; fast_pattern:only; http_uri; content:"User-Agent: wget"; http_header; content:"Referer:"; http_header; content:"/toolbar"; within:50; http_header; content:!"Accept-"; http_headr; content:!"Content-"; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000127; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/entry/"; http_uri; content:"&mac="; fast_pattern:only; http_uri; content:"User-Agent: wget"; http_header; content:"Referer:"; http_header; content:"/entry/"; within:50; http_header; content:!"Accept-"; http_headr; content:!"Content-"; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000128; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/interface/getFile?"; fast_pattern:only; http_uri; content:"User-Agent: wget"; http_header; content:!"Referer:"; http_header; content:"Accept-"; http_headr; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000129; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"User-Agent: SmartService|0D 0A|"; fast_pattern:only; http_header; content:"/getFile?"; http_uri; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000130; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; urilen:>200; content:"/api/"; fast_pattern:only; http_uri; content:"q="; http_uri; content:!"Referer:"; http_header; pcre:"/\/api\/(cpx|ss|lt)\x3fq\x3d/Ui"; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000131; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"User-Agent: BypassUac|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000132; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/report?s="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B WOW64) "; http_header; content:!"Referer:"; http_header; content:"Accept"; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000133; rev:1;) # -------------------- # Date: 2018-06-27 # Title: RedAlpha: New Campaigns Discovered Targeting the Tibetan Community # Tests: syntax only # Reference: https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf # - Dinwod: https://www.virustotal.com/#/file/e94284e487e59b53efab9d4584fca766883b916118c9a8ff59514087555e9a8e/behavior # - NetHelp: https://www.virustotal.com/#/file/e8b8e4d8694600116b0d7d6062d8f5b77f25e69e993f13be56399cadf175e512/behavior # - SpyGate: https://www.virustotal.com/#/file/30e628bfbf80a8cb432b679fdeaccbe3c0ab7eaee8d0899fba7a16853abf35b9/behavior # Confidence: low- alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dinwod/NetHelp variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:53.0) Gecko/20100101 Chrome /53.0"; fast_pattern:only; http_header; content:"/index.html"; http_uri; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf; classtype:trojan-activity; sid:8000134; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyGate variant outbound connection"; flow:to_server,established; urilen:<100; content:"/index?"; content:"Accept: */*|0D 0A|Accept-Encoding: gzip, deflate|0D 0A|User-Agent: "; http_header; fast_pattern; content:"Connection: Keep-Alive|0D 0A|"; http_header; content:!"Referer"; http_header; content:!"Content-"; http_header; metadata:ruleset community, service http; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf; classtype:trojan-activity; sid:8000135; rev:1;) # -------------------- # Date: 2018-06-27 # Title: FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users # Tests: syntax only # Reference: # - https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/ # - https://documents.trendmicro.com/assets/appendix-fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.pdf # Confidence: low- alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andro.Trojan.FakeSpy variant outbound connection"; flow:to_server,established; content:"/jiagu/"; http_uri; content:"/infos"; fast_pattern:only; http_uri; content:" Android "; http_header; metadata:ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/; classtype:trojan-activity; sid:8000136; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andro.Trojan.FakeSpy variant outbound connection"; flow:to_server,established; content:"/servlet/OnLine"; fast_pattern:only; http_uri; content:" Android "; http_header; metadata:ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/; classtype:trojan-activity; sid:8000137; rev:1;) # -------------------- # Date: 2018-06-27 # Title: FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users # Tests: syntax only # Reference: # - https://threatvector.cylance.com/en_us/home/threat-spotlight-urlzone-malware-campaigns-targeting-japan.html # - https://github.com/arbor/urlzone/blob/master/urlzone.py#L94 # - https://totalhash.cymru.com/analysis/?110f2b3114ce891b620d84ca1072d7b46880ca02 # Confidence: low- # Note: Older references show that this is via HTTPS. Newer references show this via HTTP. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.URLZone dropper variant outbound connection"; flow:to_server, established; content:"?tver="; fast_pattern:only; http_uri; content:"&vcmd="; http_uri; content:"&ipcnf="; http_uri; metadata:ruleset community, service http; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-urlzone-malware-campaigns-targeting-japan.html; reference:url,github.com/arbor/urlzone/blob/master/urlzone.py; classtype:trojan-activity; sid:8000138; rev:1;) Thanks. YM
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Multiple signatures Y M via Snort-sigs (Jun 27)
- Re: Multiple signatures John Levy (Jun 27)