Snort mailing list archives

Re: Multiple signatures 008


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 6 Aug 2018 05:50:41 +0000

Adding some updates to this post..

The following Android packages have been identified thus far to exhibit the network patterns in sid 8000226, as seen on 
the wire:

com.divum.MoneyControl (version: 5.0.2)
com.zeptolab.cats.google (version: 2.11.1)
free.vpn.unblock.proxy.turbovpn (version: 2.4.4)

The signature sid 8000230 above may be ignored since the research author released rules.
https://blog.nviso.be/2018/08/02/powershell-inside-a-certificate-part-3/

Thanks.
YM

________________________________
From: Marcos Rodriguez <mrodriguez () sourcefire com>
Sent: Wednesday, August 1, 2018 10:00 PM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] Multiple signatures 008

On Wed, Aug 1, 2018 at 2:57 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:
Hi,

Pcaps for FormBook and (what appears to be) the Google sinkhole sigs are available.

# --------------------
# Date: 2018-07-30
# Title: Win.Trojan.FormBook
# Reference: Research
#     Dropper:
#     - https://www.virustotal.com/#/file/9cab0520f4d7c3ecbc310e55282861ca20d53959eaf6e93d8d6aa717347819da/detection
#     - https://app.any.run/tasks/16de6eff-d745-43d0-b463-a542e27ed4e5
#    FormBook:
#    - 6d9a03a5300e820e1cdadee50d0c35d26f4651e57ecaf730c918588433cfc207
#    - 5039b1f1fe51ae793991dd75a4af247d7f3d1aee1ef7c5355f7fd3e949650c26
#    - a0ce7c1ea60d04434ff18e9e2595d195b9aaaccbdabc7b7005b457e67885b095
#    - 092e4c73963f4885ea3017de96fbb8746dd3b8bb8b67b098a1ffa5a9b89963fe
#    - be87149f2ebdf39660a1b5a546daae5112fff80830233c430ba693279059696e
#    - 5d99b940b9fd8bf6f97c5dd6ae12ae5fc9fc596678cb056f1cf7c1704904d7d5
#    - 2238b58701332233865671be4304c789948b5480ca3f0512a18d2402c73db5e0
#    - 310120dbead95d404212997aa0393b99173ba659c3a10f76ac6a96636fa8d283
#    - 2d2fb898ab24ffe60db248ab6884f1c66a47d7b57dcbdecfefdf9cdf9334128b
# Tests: pcap
# Confidence: medium+
# Note:
#    1. Flow: Adwind JAR in attachment > Drops FormBook binary from remote source (opendir) > FormBook C&C.
#    2. Opendir contained two different samples of FormBook (signed.exe and raypal.exe).
#    3. The first URI query parameter in the GET request is the form item in client body of the POST request.
#    4. SID 38134 may require updates, perhaps $EXTERNAL_NET 1024: instead of hardcoding the port?
#    5. There are multiple GET requests, some of which will always end with "&sql=1".

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FormBook variant outbound 
connection"; flow:to_server,established; urilen:100<>120; content:"&sql=1"; fast_pattern:only; http_uri; content:"/?"; 
http_uri; content:"Connection: close|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; 
http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; 
sid:8000224; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FormBook variant outbound 
connection"; flow:to_server,established; urilen:<6; content:"POST"; http_method; content:"Origin: "; http_header; 
content:"Referer: "; http_header; content:"Connection: close|0D 0A|"; fast_pattern; http_header; content:"Content-Type: 
application/x-www-form-urlencoded|0D 0A|"; http_header; content:"="; depth:10; http_client_body; 
pcre:"/\/[a-z0-9]{2,3}\//U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000225; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: Andr.Dropper.Agent
# Reference:
#     - https://www.virustotal.com/#/file/9e5e9add2d75cef55afea99e406cda857734c1297af1695f17e96d251edfe004/detection
# Tests: syntax only
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Dropper.Agent outbound connection"; 
flow:to_server,established; content:"?platform="; http_uri; content:"&package_name="; fast_pattern:only; http_uri; 
content:"&screen_size="; http_uri; content:"&network_type="; http_uri; content:"&gaid="; http_uri; metadata:ruleset 
community, service http; 
reference:url,www.virustotal.com/#/file/9e5e9add2d75cef55afea99e406cda857734c1297af1695f17e96d251edfe004/detection; 
classtype:trojan-activity; sid:8000226; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: Win.Backdoor.Sarhust/Hussarini
# Reference:
#     - https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html
#     - https://www.virustotal.com/#/file/05dcc7856661244d082daa88a074d2f266c70623789a7bb5a919282b178d8f98/detection
# Tests: syntax only
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious user-agent - 
Win.Backdoor.Sarhust"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 5.5|3B| 
Windows NT 5.0)"; fast_pattern:only; http_header; content:!"Connection"; http_header; metadata:ruleset community, 
service http; 
reference:url,www.virustotal.com/#/file/05dcc7856661244d082daa88a074d2f266c70623789a7bb5a919282b178d8f98/detection; 
classtype:trojan-activity; sid:8000227; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Sarhust inbound connection"; 
flow:to_client,established; file_data; content:"<CHECK>"; fast_pattern:only; content:"</CHECK>"; within:200; 
metadata:ruleset community, service http; 
reference:url,www.virustotal.com/#/file/05dcc7856661244d082daa88a074d2f266c70623789a7bb5a919282b178d8f98/detection; 
classtype:trojan-activity; sid:8000228; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Sarhust inbound connection"; 
flow:to_client,established; file_data; content:"</CHECK><COMMAND>"; fast_pattern:only; metadata:ruleset community, 
service http; 
reference:url,www.virustotal.com/#/file/05dcc7856661244d082daa88a074d2f266c70623789a7bb5a919282b178d8f98/detection; 
classtype:trojan-activity; sid:8000229; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: PowerShell Inside a Certificate? – Part 1
# Reference:
#    - https://blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/
#    - https://attack.mitre.org/wiki/Technique/T1036
#    - https://www.virustotal.com/#/file/eed598fa60ad25cd43f33e4d64cede06b45a5140df3d8e8e92d64c4a83fd4898/detection
# Tests: syntax only
# Confidence: low

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE file masquerading as a certificate 
download attempt"; flow:to_client,established; file_data; content:"-----BEGIN CERTIFICATE-----|0D 0A|"; 
fast_pattern:only; content:!"M"; distance:0; metadata:ruleset community, service ftp-data, service http, service imap, 
service pop3; 
reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/; 
reference:url,attack.mitre.org/wiki/Technique/T1036; 
classtype:trojan-activity; sid:8000230; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: Google Sinkhole Page/Redirection
# Reference: Research
# Tests: pcap
# Confidence: low
# Notes: Additional research is required.

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Google Sinkhole page redirection"; 
flow:to_client,established; content:"302"; http_stat_code; content:"Location: 
http://domain-registrar.storage.googleapis.com/expired.html?"; fast_pattern:only; http_header; metadata:ruleset 
community, service http; classtype:trojan-activity; sid:8000231; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: Win.Backdoor.Bisonal
# Reference: https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/
# Tests: syntax only
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Backdoor.Bisonal variant outbound connection"; 
flow:to_server,established; urilen:<30; content:"/ks8d"; fast_pattern:only; http_uri; content:"akspbu.txt"; http_uri; 
content:"POST"; http_method; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000232; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Bisonal variant outbound connection"; 
flow:to_server,established; content:"|81 B2 A8 97 7E A3 1B 91|"; fast_pattern:only; http_client_body; 
isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000233; rev:1;)

Thanks.
YM


Hi Yaser,

Thanks for these submissions.  We'll get these into our testing process and get back to you as soon as possible.  We'd 
appreciate any pcaps you'd be willing to share.  Thanks again!

--
Marcos Rodriguez
Cisco Talos
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging 
threats: https://snort.org/downloads/#rule-downloads
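The two FormBook rules in the quoted submission (sid 8000224 for the GET beacon and sid 8000225 for the POST check-in) pack several conditions into one line each, and note 3 ties them together by the first parameter name. The following Python re-expresses those conditions as plain checks so they can be exercised against constructed requests; it is an added example and is neither part of the thread nor a Cisco Talos or Snort component. It assumes Snort 2.9 semantics as the manual documents them (urilen:100<>120 is an exclusive range, and the http_header buffer holds the header lines without the request line) and does not model flow:established or the $HTTP_PORTS variable. The sample requests are constructed, not taken from the pcaps mentioned in the thread.

```python
"""Plain-Python restatement of the matching logic in sid 8000224 / 8000225.

Added example, not code from the mailing-list thread. Sample requests are
constructed for illustration; they are not captures from the referenced pcaps.
"""
import re


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, URI, header block and body.

    The header block keeps each header's trailing CRLF, mirroring what the
    Snort 2.9 http_header buffer is assumed to contain (request line excluded).
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return {"method": method, "uri": uri, "headers": header_block + b"\r\n", "body": body}


def matches_sid_8000224(req: dict) -> bool:
    """GET beacon: 100 < urilen < 120, '/?' and '&sql=1' in the URI, a bare
    'Connection: close' header and none of User-Agent / Accept / Content-*."""
    uri, hdr = req["uri"], req["headers"]
    return (
        100 < len(uri) < 120                      # urilen:100<>120 (exclusive in Snort 2.9)
        and b"&sql=1" in uri                      # content:"&sql=1"; http_uri
        and b"/?" in uri                          # content:"/?"; http_uri
        and b"Connection: close\r\n" in hdr       # content:"Connection: close|0D 0A|"; http_header
        and b"User-Agent" not in hdr              # content:!"User-Agent"; http_header
        and b"Accept" not in hdr                  # content:!"Accept"; http_header
        and b"Content" not in hdr                 # content:!"Content"; http_header
    )


POST_URI_RE = re.compile(rb"/[a-z0-9]{2,3}/")    # pcre:"/\/[a-z0-9]{2,3}\//U"


def matches_sid_8000225(req: dict) -> bool:
    """POST check-in: URI shorter than 6 bytes shaped like /xx/ or /xxx/,
    Origin/Referer/Connection/Content-Type headers, '=' within the first
    10 bytes of the body."""
    uri, hdr, body = req["uri"], req["headers"], req["body"]
    return (
        len(uri) < 6                                               # urilen:<6
        and req["method"] == b"POST"                               # content:"POST"; http_method
        and b"Origin: " in hdr                                     # content:"Origin: "; http_header
        and b"Referer: " in hdr                                    # content:"Referer: "; http_header
        and b"Connection: close\r\n" in hdr                        # content:"Connection: close|0D 0A|"
        and b"Content-Type: application/x-www-form-urlencoded\r\n" in hdr
        and b"=" in body[:10]                                      # content:"="; depth:10; http_client_body
        and POST_URI_RE.search(uri) is not None
    )


def first_query_param(uri: bytes) -> bytes:
    """Name of the first query parameter, e.g. b'/ab/?id=1&sql=1' -> b'id'."""
    _, _, query = uri.partition(b"?")
    return query.split(b"&", 1)[0].split(b"=", 1)[0]


def first_form_field(body: bytes) -> bytes:
    """Name of the first x-www-form-urlencoded field, e.g. b'id=abc' -> b'id'."""
    return body.split(b"&", 1)[0].split(b"=", 1)[0]


def classify(raw: bytes) -> list:
    """Return the list of SIDs whose conditions the request satisfies."""
    req = parse_request(raw)
    hits = []
    if matches_sid_8000224(req):
        hits.append(8000224)
    if matches_sid_8000225(req):
        hits.append(8000225)
    return hits


# Constructed sample traffic (hostnames and values are placeholders).
GET_BEACON = (
    b"GET /ab/?id=" + b"A" * 90 + b"&sql=1 HTTP/1.1\r\n"   # URI is 104 bytes long
    + b"Host: c2.example.invalid\r\n"
    + b"Connection: close\r\n"
    + b"\r\n"
)
# Same beacon with a User-Agent header: the negated content check must drop it.
GET_WITH_UA = GET_BEACON.replace(b"Host:", b"User-Agent: Mozilla/5.0\r\nHost:")
POST_CHECKIN = (
    b"POST /ab/ HTTP/1.1\r\n"
    + b"Host: c2.example.invalid\r\n"
    + b"Origin: http://c2.example.invalid\r\n"
    + b"Referer: http://c2.example.invalid/ab/\r\n"
    + b"Connection: close\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"\r\n"
    + b"id=" + b"B" * 40
)

if __name__ == "__main__":
    for name, raw in (("GET_BEACON", GET_BEACON), ("GET_WITH_UA", GET_WITH_UA),
                      ("POST_CHECKIN", POST_CHECKIN)):
        print(name, classify(raw))
    # Note 3 from the submission: the first GET query parameter is the first form field of the POST.
    print(first_query_param(parse_request(GET_BEACON)["uri"]),
          first_form_field(parse_request(POST_CHECKIN)["body"]))
```

Running the block prints `[8000224]` for the beacon, `[]` for the variant with a User-Agent header and `[8000225]` for the check-in, and `b'id' b'id'` for the parameter-name pairing that note 3 describes. The negated content checks are what give sid 8000224 its selectivity: a long URI ending in `&sql=1` is unusual but not unique, whereas a browser-free request with no User-Agent, Accept or Content headers is.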
