Snort mailing list archives
Re: Multiple signatures 008
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 6 Aug 2018 05:50:41 +0000
Adding some updates to this post. The following Android packages have been identified thus far to exhibit the network patterns in sid 8000226, as seen on the wire:

- com.divum.MoneyControl (version: 5.0.2)
- com.zeptolab.cats.google (version: 2.11.1)
- free.vpn.unblock.proxy.turbovpn (version: 2.4.4)

The signature sid 8000230 above may be ignored since the research author released rules.
https://blog.nviso.be/2018/08/02/powershell-inside-a-certificate-part-3/

Thanks.
YM

________________________________
From: Marcos Rodriguez <mrodriguez () sourcefire com>
Sent: Wednesday, August 1, 2018 10:00 PM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] Multiple signatures 008

On Wed, Aug 1, 2018 at 2:57 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

Pcaps for FormBook and (what appears to be) the Google sinkhole sigs are available.

# --------------------
# Date: 2018-07-30
# Title: Win.Trojan.FormBook
# Reference: Research
# Dropper:
# - https://www.virustotal.com/#/file/9cab0520f4d7c3ecbc310e55282861ca20d53959eaf6e93d8d6aa717347819da/detection
# - https://app.any.run/tasks/16de6eff-d745-43d0-b463-a542e27ed4e5
# FormBook:
# - 6d9a03a5300e820e1cdadee50d0c35d26f4651e57ecaf730c918588433cfc207
# - 5039b1f1fe51ae793991dd75a4af247d7f3d1aee1ef7c5355f7fd3e949650c26
# - a0ce7c1ea60d04434ff18e9e2595d195b9aaaccbdabc7b7005b457e67885b095
# - 092e4c73963f4885ea3017de96fbb8746dd3b8bb8b67b098a1ffa5a9b89963fe
# - be87149f2ebdf39660a1b5a546daae5112fff80830233c430ba693279059696e
# - 5d99b940b9fd8bf6f97c5dd6ae12ae5fc9fc596678cb056f1cf7c1704904d7d5
# - 2238b58701332233865671be4304c789948b5480ca3f0512a18d2402c73db5e0
# - 310120dbead95d404212997aa0393b99173ba659c3a10f76ac6a96636fa8d283
# - 2d2fb898ab24ffe60db248ab6884f1c66a47d7b57dcbdecfefdf9cdf9334128b
# Tests: pcap
# Confidence: medium+
# Note:
# 1. Flow: Adwind JAR in attachment > Drops FormBook binary from remote source (opendir) > FormBook C&C.
# 2. Opendir contained two different samples of FormBook (signed.exe and raypal.exe).
# 3. The first URI query parameter in the GET request is the form item in the client body of the POST request.
# 4. SID 38134 may require updates, perhaps $EXTERNAL_NET 1024: instead of hardcoding the port?
# 5. There are multiple GET requests, some of which will always end with "&sql=1".

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FormBook variant outbound connection"; flow:to_server,established; urilen:100<>120; content:"&sql=1"; fast_pattern:only; http_uri; content:"/?"; http_uri; content:"Connection: close|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000224; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FormBook variant outbound connection"; flow:to_server,established; urilen:<6; content:"POST"; http_method; content:"Origin: "; http_header; content:"Referer: "; http_header; content:"Connection: close|0D 0A|"; fast_pattern; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; content:"="; depth:10; http_client_body; pcre:"/\/[a-z0-9]{2,3}\//U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000225; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: Andr.Dropper.Agent
# Reference:
# - https://www.virustotal.com/#/file/9e5e9add2d75cef55afea99e406cda857734c1297af1695f17e96d251edfe004/detection
# Tests: syntax only
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Dropper.Agent outbound connection"; flow:to_server,established; content:"?platform="; http_uri; content:"&package_name="; fast_pattern:only; http_uri; content:"&screen_size="; http_uri; content:"&network_type="; http_uri; content:"&gaid="; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/9e5e9add2d75cef55afea99e406cda857734c1297af1695f17e96d251edfe004/detection; classtype:trojan-activity; sid:8000226; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: Win.Backdoor.Sarhust/Hussarini
# Reference:
# - https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html
# - https://www.virustotal.com/#/file/05dcc7856661244d082daa88a074d2f266c70623789a7bb5a919282b178d8f98/detection
# Tests: syntax only
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious user-agent - Win.Backdoor.Sarhust"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 5.5|3B| Windows NT 5.0)"; fast_pattern:only; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/05dcc7856661244d082daa88a074d2f266c70623789a7bb5a919282b178d8f98/detection; classtype:trojan-activity; sid:8000227; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Sarhust inbound connection"; flow:to_client,established; file_data; content:"<CHECK>"; fast_pattern:only; content:"</CHECK>"; within:200; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/05dcc7856661244d082daa88a074d2f266c70623789a7bb5a919282b178d8f98/detection; classtype:trojan-activity; sid:8000228; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Sarhust inbound connection"; flow:to_client,established; file_data; content:"</CHECK><COMMAND>"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/05dcc7856661244d082daa88a074d2f266c70623789a7bb5a919282b178d8f98/detection; classtype:trojan-activity; sid:8000229; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: PowerShell Inside a Certificate? – Part 1
# Reference:
# - https://blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/
# - https://attack.mitre.org/wiki/Technique/T1036
# - https://www.virustotal.com/#/file/eed598fa60ad25cd43f33e4d64cede06b45a5140df3d8e8e92d64c4a83fd4898/detection
# Tests: syntax only
# Confidence: low

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE file masquerading as a certificate download attempt"; flow:to_client,established; file_data; content:"-----BEGIN CERTIFICATE-----|0D 0A|"; fast_pattern:only; content:!"M"; distance:0; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/; reference:url,attack.mitre.org/wiki/Technique/T1036; classtype:trojan-activity; sid:8000230; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: Google Sinkhole Page/Redirection
# Reference: Research
# Tests: pcap
# Confidence: low
# Notes: Additional research is required.

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Google Sinkhole page redirection"; flow:to_client,established; content:"302"; http_stat_code; content:"Location: http://domain-registrar.storage.googleapis.com/expired.html?"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000231; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: Win.Backdoor.Bisonal
# Reference: https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/
# Tests: syntax only
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Backdoor.Bisonal variant outbound connection"; flow:to_server,established; urilen:<30; content:"/ks8d"; fast_pattern:only; http_uri; content:"akspbu.txt"; http_uri; content:"POST"; http_method; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000232; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Bisonal variant outbound connection"; flow:to_server,established; content:"|81 B2 A8 97 7E A3 1B 91|"; fast_pattern:only; http_client_body; isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000233; rev:1;)

Thanks.
YM

Hi Yaser,

Thanks for these submissions. We'll get these into our testing process and get back to you as soon as possible. We'd appreciate any pcaps you'd be willing to share.

Thanks again!

--
Marcos Rodriguez
Cisco Talos
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
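The two FormBook rules in the thread above (sid 8000224 and sid 8000225), together with note 3 about the first GET query parameter reappearing as the POST form item, re-implemented in plain Python as an added example so the match conditions can be stepped through against constructed requests. This is not Snort code and not the submitter's pcap data: the requests, the host name c2.example.invalid and the parameter name ab12 are made up for the example, and it assumes urilen:100<>120 is an inclusive range (check the manual for the Snort version you run before relying on that boundary).

```python
"""Plain-Python re-implementation of the match logic of sid 8000224 / sid 8000225
(FormBook GET beacon and POST) from the list submission above.  Added example,
not Snort code; all requests below are constructed, not captured traffic."""
import re
from urllib.parse import parse_qsl, urlsplit

# pcre:"/\/[a-z0-9]{2,3}\//U"  -- applied to the normalized URI
URI_RE_8000225 = re.compile(r"/[a-z0-9]{2,3}/")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, header_block, body).
    header_block excludes the request line and keeps its trailing CRLF, mirroring
    what the rules' http_header contents are matched against."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return method.decode(), uri.decode(), header_block + b"\r\n", body


def match_8000224(req) -> bool:
    """sid 8000224: GET beacon ending in &sql=1 with a bare header set."""
    _method, uri, hdrs, _body = req
    # urilen:100<>120 -- assumed inclusive here (version-dependent in Snort)
    if not 100 <= len(uri) <= 120:
        return False
    if "&sql=1" not in uri or "/?" not in uri:            # content:...; http_uri
        return False
    if b"Connection: close\r\n" not in hdrs:               # content:...; http_header
        return False
    # Negated contents: case-sensitive substring checks over the whole header block,
    # so "Accept-Language" or "Content-Length" veto the match just as "Accept" does.
    return not any(s in hdrs for s in (b"User-Agent", b"Accept", b"Content"))


def match_8000225(req) -> bool:
    """sid 8000225: short-URI POST carrying the form item (note 3)."""
    method, uri, hdrs, body = req
    if method != "POST" or len(uri) >= 6:                  # http_method; urilen:<6
        return False
    needed = (b"Origin: ", b"Referer: ", b"Connection: close\r\n",
              b"Content-Type: application/x-www-form-urlencoded\r\n")
    if not all(s in hdrs for s in needed):
        return False
    if b"=" not in body[:10]:                              # content:"="; depth:10; http_client_body
        return False
    return URI_RE_8000225.search(uri) is not None


def first_query_param(uri: str) -> str:
    """Name of the first query parameter of a GET URI (left side of note 3)."""
    return parse_qsl(urlsplit(uri).query, keep_blank_values=True)[0][0]


def form_item(body: bytes) -> str:
    """Name of the form item in an x-www-form-urlencoded body (right side of note 3)."""
    return parse_qsl(body.decode(), keep_blank_values=True)[0][0]


def evaluate(raw: bytes) -> dict:
    """Run both rules over one raw request; returns {sid: matched}."""
    req = parse_request(raw)
    return {"8000224": match_8000224(req), "8000225": match_8000225(req)}


# Constructed samples (hypothetical host and parameter name).  The GET URI is sized
# to 5 + 5 + 90 + 6 = 106 bytes, inside urilen:100<>120; the POST reuses the first
# GET query parameter (ab12) as its form item, per note 3.
GET_URI = "/xy/?ab12=" + "A" * 90 + "&sql=1"
FORMBOOK_GET = (f"GET {GET_URI} HTTP/1.1\r\n"
                "Host: c2.example.invalid\r\n"
                "Connection: close\r\n\r\n").encode()
FORMBOOK_POST = (b"POST /xy/ HTTP/1.1\r\n"
                 b"Host: c2.example.invalid\r\n"
                 b"Origin: http://c2.example.invalid\r\n"
                 b"Referer: http://c2.example.invalid/xy/\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Connection: close\r\n\r\n"
                 b"ab12=" + b"B" * 40)
# Same URI sent by something with a browser-like header set: the negated
# User-Agent / Accept contents in sid 8000224 must veto this one.
BROWSER_GET = (f"GET {GET_URI} HTTP/1.1\r\n"
               "Host: c2.example.invalid\r\n"
               "User-Agent: Mozilla/5.0\r\n"
               "Accept: */*\r\n"
               "Connection: close\r\n\r\n").encode()

if __name__ == "__main__":
    for name, raw in (("formbook_get", FORMBOOK_GET),
                      ("formbook_post", FORMBOOK_POST),
                      ("browser_get", BROWSER_GET)):
        print(name, evaluate(raw))
    post_body = parse_request(FORMBOOK_POST)[3]
    print("note 3 holds:", first_query_param(GET_URI) == form_item(post_body))
```

The negated-content checks are the part worth stepping through: because `content:!"Content"` is a substring test over the whole header block, a FormBook-style GET that for any reason carried a Content-Length header would silently stop matching sid 8000224, which is the kind of gap a pcap test (rather than a syntax-only check) surfaces.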