Snort mailing list archives

Multiple signature 009


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 14 Aug 2018 18:54:30 +0000

Hi,

Pcaps for some of the signatures are available.

Below are additional references for SID 8000101 - Win.Trojan.Autophyte (SID:46970), which was posted in April 2018:
http://taylor-blog.issuemakerslab.com/2018/06/continue-to-distribute-malicious-code.html
http://taylor-blog.issuemakerslab.com/2018/07/malware-disguised-as-company-document.html

# --------------------
# Date: 2018-08-07
# Title: Andr.Ransomware.Koler / Andr.Ransomware.Svpeng
# Tests: pcap
# Reference: Research
# Confidence: medium+
# Notes: Screenshots attached.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Ransomware.Koler/Svpeng variant outbound connection"; flow:to_server,established; content:".php?id="; http_uri; content:"USER-AGENT: Mozilla/5.0|0D 0A|"; fast_pattern:only; http_header; content:"sub="; http_client_body; content:"&code="; http_client_body; content:"&data="; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/3b5b9155bad5d5012f60c6de831768960f68bdad40204a1ffcfdf7f5dc06e9dd/detection; classtype:trojan-activity; sid:8000234; rev:1;)

# --------------------
# Date: 2018-08-07
# Title: Analysis of the latest attack activities of APT-C-35 organization (brain worm)
# Tests: syntax only
# Reference: https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader variant initial outbound connection"; flow:to_server,established; content:"/football/goal"; fast_pattern:only; http_uri; content:"data="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000235; rev:1;)

# Response rules: the packet travels from the server's $HTTP_PORTS to the client, so the flow must be to_client
# (with to_server these two rules would never fire on the response).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader variant initial response connection"; flow:to_client,established; content:"200"; http_stat_code; file_data; content:"loose"; depth:5; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000236; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader variant initial response connection"; flow:to_client,established; content:"200"; http_stat_code; file_data; content:"win"; depth:3; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000237; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.EHDevel outbound exfiltration attempt"; flow:to_server,established; content:"/panel/bigdata/"; fast_pattern:only; http_uri; content:"data="; http_client_body; pcre:"/\/panel\/bigdata\/(file_upload|orderfile)/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000238; rev:1;)

# --------------------
# Date: 2018-08-07
# Title: Tech Support Scam Integrates Call Optimization Service
# Tests: syntax only
# Reference: https://www.symantec.com/blogs/threat-intelligence/tech-support-scam-call-optimization
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Tech support scam landing page detected"; flow:to_server,established; content:"/?mid="; http_uri; content:"&number="; fast_pattern:only; content:"&cid="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000239; rev:1;)

# --------------------
# Date: 2018-08-07
# Title: Win.Trojan.Casdet
# Tests: pcap
# Reference: http://www.virustotal.com/#/file/c0c0d0c792a332ff1263a5f27357017381ecd5e236dfa71d7b49af7787e11c9e/detection
# Confidence: low
# Notes: One of C&C patterns matches SID 8000123 (Win.Trojan.Kardon) submitted
#        on 2018-06-27 (Multiple signatures 000).

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Casdet outbound connection attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"id="; http_client_body; content:"&enabled="; http_client_body; content:"&bv="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/c0c0d0c792a332ff1263a5f27357017381ecd5e236dfa71d7b49af7787e11c9e/detection; classtype:trojan-activity; sid:8000240; rev:1;)

# --------------------
# Date: 2018-08-12
# Title: Familiar Feeling - A Malware Campaign Targeting the Tibetan Diaspora Resurfaces
# Tests: syntax only
# Reference:
#     - https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/
#     - https://github.com/citizenlab/malware-indicators/tree/master/201808_FamiliarFeeling
# Confidence: low
# Notes:
#     1. The Snort rule in GitHub requires reversing the direction? The
#        "LOGIN" command is sent to the C&C upon infection.
#     2. Added rules for inbound commands.
#     3. All credit goes to CitizenLab.

# "LOGIN|*|" is kept as an evaluated content (fast_pattern without "only") so that the within:20 on the
# second "|*|" is anchored to it; a fast_pattern:only content is not evaluated and cannot serve as that anchor.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ initial outbound connection"; flow:to_server,established; dsize:<250; content:"LOGIN|7C 2A 7C|"; fast_pattern; content:"|7C 2A 7C|"; within:20; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000241; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_server,established; content:"CMD|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000242; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_server,established; content:"FILERECEIVE|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000243; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_server,established; content:"FILEHEAD|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000244; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_server,established; content:"FILESEND|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000245; rev:1;)

# --------------------
# Date: 2018-08-12
# Title: Andr.Trojan.AnubisCrypt
# Tests: emulator, pcap
# Reference: Research
#     - d27034b9f58aa71f08f3c57d893fe07cdd395c9b4e494fbcca2a1d1ca3dce88e
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt initial outbound connection"; flow:to_server,established; content:"/checkPanel.php"; fast_pattern:only; http_uri; content:"Content-Length: 0"; http_header; content:" Android "; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000246; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt initial connection response"; flow:to_client,established; file_data; content:"<tag>|2A 2A|"; depth:7; content:"|2A 2A|</tag>"; within:20; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000247; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/locker.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000248; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/tuk_tuk.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000249; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/set_data.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000250; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/getSettingsAll.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000251; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/settings.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000252; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/playprot.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000253; rev:1;)

# --------------------
# Date: 2018-08-13
# Title: Office User-Agents and Shortened URLs, Win.Trojan.DelfAgent
# Tests: pcap
# Reference: Research
#     - 016d9ba9042f43a168a43b2334ba4c81b151b7125717314717ce198674d0c6fd
#     - b3be486490acd78ed37b0823d7b9b6361d76f64d26a089ed8fbd42d838f87440
# Confidence: medium
# Notes: SIDs 8000254-8000255 are similar to the SIDs 8000055-8000056 posted 2018-05-25

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office Word User-Agent to a potential URL shortener service"; flow:to_server,established; urilen:<10; content:"User-Agent: Microsoft Office Word"; fast_pattern:only; http_header; content:"Host: "; http_header; content:"|0D 0A|"; within:14; http_header; content:"OPTIONS"; http_method; content:"X-"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:8000254; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office Word User-Agent to a potential URL shortener service"; flow:to_server,established; urilen:<10; content:"User-Agent: Microsoft Office Word"; fast_pattern:only; http_header; content:"Host: "; http_header; content:"|0D 0A|"; within:14; http_header; content:"HEAD"; http_method; content:"X-"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:8000255; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DelfAgent outbound connection"; flow:to_server,established; content:"|7C|WIN_"; content:"|7C|X64|7C|"; within:10; metadata:ruleset community; classtype:trojan-activity; sid:8000256; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DelfAgent outbound connection"; flow:to_server,established; content:"|7C|WIN_"; content:"|7C|X86|7C|"; within:10; metadata:ruleset community; classtype:trojan-activity; sid:8000257; rev:1;)

# --------------------
# Date: 2018-08-14
# Title: GOLDFIN: A Persistent Campaign Targeting CIS Countries with SOCKSBOT
# Tests: pcap
# Reference: https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf
# Confidence: low

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.SOCKSBOT enumerate processes and take screenshot HTTP response"; flow:to_client,established; content:"202"; http_stat_code; content:"OK"; http_stat_msg; content:"Server: Apache|0D 0A|"; http_header; content:!"Content"; http_header; content:!"Accept"; http_header; content:!"Last-Modified"; http_header; content:!"ETag"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000258; rev:1;)

Thanks.
YM
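An added example, not code from Y M's post or from the Snort project: a small Python linter for two consistency points a reviewer would check on submissions like these, the header's port direction against the flow keyword, and a relative modifier that follows a fast_pattern:only content. The server-side heuristic and all names are my own.

```python
"""Added Snort 2 rule linter (not part of the posted rules): flags a flow keyword that
contradicts the header's port direction, and within/distance anchored to fast_pattern:only."""
import re

# action proto src_ip src_port dir dst_ip dst_port ( options )
HEADER_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# Split on ';' only when an even number of '"' follows, i.e. outside a quoted value.
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_rule(text):
    """Return (src_port, dst_port, [option strings]); undoes mail-client line wrapping."""
    m = HEADER_RE.match(re.sub(r"\s*\n\s*", " ", text.strip()))
    if not m:
        raise ValueError("not a Snort rule")
    opts = [o.strip() for o in OPT_SPLIT_RE.split(m.group(8)) if o.strip()]
    return m.group(4), m.group(7), opts

def lint_rule(text):
    """Return a list of findings; an empty list means the rule looks consistent."""
    sport, dport, opts = parse_rule(text)
    sid = next((o.split(":", 1)[1] for o in opts if o.startswith("sid:")), "?")
    flow = next((o for o in opts if o.startswith("flow:")), "")
    findings = []
    # Heuristic: the side carrying a service port ($HTTP_PORTS, 80, ...) is the server,
    # so a packet leaving that port is to_client and one entering it is to_server.
    expected = None
    if sport != "any" and dport == "any":
        expected = "to_client"
    elif sport == "any" and dport != "any":
        expected = "to_server"
    if expected and ("to_server" in flow or "to_client" in flow) and expected not in flow:
        findings.append(f"sid {sid}: header implies {expected} but rule has {flow}")
    # within/distance anchor to the previous content; a fast_pattern:only content is never
    # evaluated as a rule option, so an anchor on it is lost.
    cur_only = anchor_only = False
    for o in opts:
        if o.startswith("content:"):
            anchor_only, cur_only = cur_only, False
        elif o == "fast_pattern:only":
            cur_only = True
        elif o.split(":")[0] in ("within", "distance") and anchor_only:
            findings.append(f"sid {sid}: {o} is relative to a fast_pattern:only content")
    return findings

# Test input built from SID 8000236's header and options, mail wrapping included and the
# flow keyword kept as to_server, which contradicts the $HTTP_PORTS -> any header.
RULE_8000236 = """alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader variant
initial response connection"; flow:to_server,established; content:"200"; http_stat_code; file_data; content:"loose";
depth:5; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity;
sid:8000236; rev:1;)"""
```

Running lint_rule over each rule in a submission before posting catches both issues mechanically; rules whose header has any/any ports (such as the DMShell++ ones) are not checked for direction.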

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
