Snort mailing list archives
Multiple signature 009
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 14 Aug 2018 18:54:30 +0000
Hi,

Pcaps for some of the signatures are available. Below are additional references for SID 8000101 - Win.Trojan.Autophyte (SID:46970), which was posted in April 2018:

http://taylor-blog.issuemakerslab.com/2018/06/continue-to-distribute-malicious-code.html
http://taylor-blog.issuemakerslab.com/2018/07/malware-disguised-as-company-document.html

# --------------------
# Date: 2018-08-07
# Title: Andr.Ransomware.Koler / Andr.Ransomware.Svpeng
# Tests: pcap
# Reference: Research
# Confidence: medium+
# Notes: Screenshots attached.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Ransomware.Koler/Svpeng variant outbound connection"; flow:to_server,established; content:".php?id="; http_uri; content:"USER-AGENT: Mozilla/5.0|0D 0A|"; fast_pattern:only; http_header; content:"sub="; http_client_body; content:"&code="; http_client_body; content:"&data="; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/3b5b9155bad5d5012f60c6de831768960f68bdad40204a1ffcfdf7f5dc06e9dd/detection; classtype:trojan-activity; sid:8000234; rev:1;)

# --------------------
# Date: 2018-08-07
# Title: Analysis of the latest attack activities of APT-C-35 organization (brain worm)
# Tests: syntax only
# Reference: https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader variant initial outbound connection"; flow:to_server,established; content:"/football/goal"; fast_pattern:only; http_uri; content:"data="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000235; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader variant initial response connection"; flow:to_client,established; content:"200"; http_stat_code; file_data; content:"loose"; depth:5; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000236; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader variant initial response connection"; flow:to_client,established; content:"200"; http_stat_code; file_data; content:"win"; depth:3; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000237; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.EHDevel outbound exfiltration attempt"; flow:to_server,established; content:"/panel/bigdata/"; fast_pattern:only; http_uri; content:"data="; http_client_body; pcre:"/\/panel\/bigdata\/(file_upload|orderfile)/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000238; rev:1;)

# --------------------
# Date: 2018-08-07
# Title: Tech Support Scam Integrates Call Optimization Service
# Tests: syntax only
# Reference: https://www.symantec.com/blogs/threat-intelligence/tech-support-scam-call-optimization
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Tech support scam landing page detected"; flow:to_server,established; content:"/?mid="; http_uri; content:"&number="; fast_pattern:only; content:"&cid="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000239; rev:1;)

# --------------------
# Date: 2018-08-07
# Title: Win.Trojan.Casdet
# Tests: pcap
# Reference: http://www.virustotal.com/#/file/c0c0d0c792a332ff1263a5f27357017381ecd5e236dfa71d7b49af7787e11c9e/detection
# Confidence: low
# Notes: One of the C&C patterns matches SID 8000123 (Win.Trojan.Kardon) submitted
# on 2018-06-27 (Multiple signatures 000).

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Casdet outbound connection attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"id="; http_client_body; content:"&enabled="; http_client_body; content:"&bv="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/c0c0d0c792a332ff1263a5f27357017381ecd5e236dfa71d7b49af7787e11c9e/detection; classtype:trojan-activity; sid:8000240; rev:1;)

# --------------------
# Date: 2018-08-12
# Title: Familiar Feeling - A Malware Campaign Targeting the Tibetan Diaspora Resurfaces
# Tests: syntax only
# Reference:
# - https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/
# - https://github.com/citizenlab/malware-indicators/tree/master/201808_FamiliarFeeling
# Confidence: low
# Notes:
# 1. The Snort rule in GitHub requires reversing the direction? The
#    "LOGIN" command is sent to the C&C upon infection.
# 2. Added rules for inbound commands.
# 3. All credit goes to CitizenLab.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ initial outbound connection"; flow:to_server,established; dsize:<250; content:"LOGIN|7C 2A 7C|"; fast_pattern:only; content:"|7C 2A 7C|"; within:20; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000241; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_server,established; content:"CMD|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000242; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_server,established; content:"FILERECEIVE|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000243; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_server,established; content:"FILEHEAD|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000244; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_server,established; content:"FILESEND|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000245; rev:1;)

# --------------------
# Date: 2018-08-12
# Title: Andr.Trojan.AnubisCrypt
# Tests: emulator, pcap
# Reference: Research
# - d27034b9f58aa71f08f3c57d893fe07cdd395c9b4e494fbcca2a1d1ca3dce88e
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt initial outbound connection"; flow:to_server,established; content:"/checkPanel.php"; fast_pattern:only; http_uri; content:"Content-Length: 0"; http_header; content:" Android "; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000246; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt initial connection response"; flow:to_client,established; file_data; content:"<tag>|2A 2A|"; depth:7; content:"|2A 2A|</tag>"; within:20; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000247; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/locker.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000248; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/tuk_tuk.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000249; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/set_data.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000250; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/getSettingsAll.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000251; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/settings.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000252; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/playprot.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000253; rev:1;)

# --------------------
# Date: 2018-08-13
# Title: Office User-Agents and Shortened URLs, Win.Trojan.DelfAgent
# Tests: pcap
# Reference: Research
# - 016d9ba9042f43a168a43b2334ba4c81b151b7125717314717ce198674d0c6fd
# - b3be486490acd78ed37b0823d7b9b6361d76f64d26a089ed8fbd42d838f87440
# Confidence: medium
# Notes: SIDs 8000254-8000255 are similar to SIDs 8000055-8000056 posted 2018-05-25

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office Word User-Agent to a potential URL shortener service"; flow:to_server,established; urilen:<10; content:"User-Agent: Microsoft Office Word"; fast_pattern:only; http_header; content:"Host: "; http_header; content:"|0D 0A|"; within:14; http_header; content:"OPTIONS"; http_method; content:"X-"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:8000254; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office Word User-Agent to a potential URL shortener service"; flow:to_server,established; urilen:<10; content:"User-Agent: Microsoft Office Word"; fast_pattern:only; http_header; content:"Host: "; http_header; content:"|0D 0A|"; within:14; http_header; content:"HEAD"; http_method; content:"X-"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:8000255; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DelfAgent outbound connection"; flow:to_server,established; content:"|7C|WIN_"; content:"|7C|X64|7C|"; within:10; metadata:ruleset community; classtype:trojan-activity; sid:8000256; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DelfAgent outbound connection"; flow:to_server,established; content:"|7C|WIN_"; content:"|7C|X86|7C|"; within:10; metadata:ruleset community; classtype:trojan-activity; sid:8000257; rev:1;)

# --------------------
# Date: 2018-08-14
# Title: GOLDFIN: A Persistent Campaign Targeting CIS Countries with SOCKSBOT
# Tests: pcap
# Reference: https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf
# Confidence: low

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.SOCKSBOT enumerate processes and take screenshot HTTP response"; flow:to_client,established; content:"202"; http_stat_code; content:"OK"; http_stat_msg; content:"Server: Apache|0D 0A|"; http_header; content:!"Content"; http_header; content:!"Accept"; http_header; content:!"Last-Modified"; http_header; content:!"ETag"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000258; rev:1;)

Thanks.
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset and stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
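Editor's added example (not part of the post above, and not Snort's or CitizenLab's code): a small pure-Python model of the content modifiers the raw-TCP and file_data rules in this post lean on (content with |hex| escapes, depth, within, isdataat:!1,relative, dsize), run over constructed payloads. It shows why SID 8000241 needs a second "|*|" within 20 bytes of "LOGIN|*|", and why SIDs 8000236/8000237 only fire when the decoded response body is exactly "loose" or "win". The semantics are simplified (no offset/distance/nocase, one buffer per rule, HTTP decoding assumed to have already produced the body), and every sample payload is made up for the demonstration.

```python
from typing import Callable, List, Optional


def parse_content(spec: str) -> bytes:
    """Convert a Snort content string to bytes: segments between '|' pipes are
    hex (e.g. |7C 2A 7C| -> b'|*|'), everything else is literal text."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


class Matcher:
    """Evaluates content / depth / within / isdataat against one buffer, keeping
    the 'end of last match' cursor that relative modifiers are measured from.
    Assumption: a simplified model of Snort's semantics, not a reimplementation."""

    def __init__(self, buf: bytes) -> None:
        self.buf = buf
        self.cursor = 0  # end of the previous content match

    def content(self, spec: str, depth: Optional[int] = None,
                within: Optional[int] = None, negate: bool = False) -> bool:
        pat = parse_content(spec)
        if within is not None:      # relative: must end within N bytes of last match
            start, end = self.cursor, self.cursor + within
        else:                       # absolute: depth bounds how far from the start we look
            start, end = 0, (len(self.buf) if depth is None else depth)
        idx = self.buf.find(pat, start, end)   # pattern must lie fully inside [start, end)
        if negate:
            return idx == -1
        if idx == -1:
            return False
        self.cursor = idx + len(pat)
        return True

    def isdataat(self, n: int, negate: bool = False) -> bool:
        """isdataat:n,relative -> at least n bytes remain after the last match.
        isdataat:!1,relative is the idiom for 'nothing may follow the match'."""
        has = len(self.buf) - self.cursor >= n
        return not has if negate else has


def sid_8000241_dmshell_login(payload: bytes) -> bool:
    """DMShell++ check-in: dsize:<250, 'LOGIN|*|', then another '|*|' within 20 bytes."""
    m = Matcher(payload)
    return (len(payload) < 250
            and m.content("LOGIN|7C 2A 7C|")
            and m.content("|7C 2A 7C|", within=20))


def sid_8000242_dmshell_cmd(payload: bytes) -> bool:
    """DMShell++ inbound command: 'CMD|*|' anywhere in the payload."""
    return Matcher(payload).content("CMD|7C 2A 7C|")


def yty_stage2_response(body: bytes, word: str) -> bool:
    """SIDs 8000236/8000237 on the file_data buffer: depth pins the word to the
    first bytes of the body, isdataat:!1,relative forbids anything after it,
    so only a body that is exactly the word matches."""
    m = Matcher(body)
    return m.content(word, depth=len(word)) and m.isdataat(1, negate=True)


RULES: List[tuple] = [
    (8000241, sid_8000241_dmshell_login),
    (8000242, sid_8000242_dmshell_cmd),
    (8000236, lambda b: yty_stage2_response(b, "loose")),
    (8000237, lambda b: yty_stage2_response(b, "win")),
]


def fired_sids(buf: bytes) -> List[int]:
    """Run every modelled rule over one buffer (a TCP payload for the DMShell++
    rules, a decoded HTTP body for the yty rules) and return the SIDs that fire."""
    return [sid for sid, fn in RULES if fn(buf)]


# Constructed sample traffic (made up for this demonstration).
SAMPLES = {
    "dmshell check-in":        b"LOGIN|*|WIN-7PC|*|admin|*|",
    "check-in, hostname > 20": b"LOGIN|*|" + b"A" * 40 + b"|*|",
    "dmshell command":         b"CMD|*|ipconfig /all|*|",
    "yty body 'loose'":        b"loose",
    "yty body 'loose\\n'":     b"loose\n",
    "yty body 'win'":          b"win",
    "yty body 'window'":       b"window",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:26s} -> {fired_sids(buf) or 'no alert'}")
```

The "hostname > 20" and "loose\n" samples are the interesting ones: the first shows how within:20 keeps the check-in rule tied to the beacon's short field layout, and the second shows that a single trailing newline in the C2 reply defeats the isdataat:!1,relative check, which is something to keep in mind if the server's output ever changes.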
Current thread:
- Multiple signature 009 Y M via Snort-sigs (Aug 14)
- Re: Multiple signature 009 Marcos Rodriguez (Aug 14)