Snort mailing list archives

Re: Multiple signature 009


From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Tue, 14 Aug 2018 15:12:58 -0400

On Tue, Aug 14, 2018 at 2:54 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

Pcaps for some of the signatures are available.

Below are additional references for SID 8000101 - Win.Trojan.Autophyte
(SID:46970), which was posted in April 2018:
http://taylor-blog.issuemakerslab.com/2018/06/continue-to-distribute-malicious-code.html
http://taylor-blog.issuemakerslab.com/2018/07/malware-disguised-as-company-document.html

# --------------------
# Date: 2018-08-07
# Title: Andr.Ransomware.Koler / Andr.Ransomware.Svpeng
# Tests: pcap
# Reference: Research
# Confidence: medium+
# Notes: Screenshots attached.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Ransomware.Koler/Svpeng variant outbound connection"; flow:to_server,established; content:".php?id="; http_uri; content:"USER-AGENT: Mozilla/5.0|0D 0A|"; fast_pattern:only; http_header; content:"sub="; http_client_body; content:"&code="; http_client_body; content:"&data="; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/3b5b9155bad5d5012f60c6de831768960f68bdad40204a1ffcfdf7f5dc06e9dd/detection; classtype:trojan-activity; sid:8000234; rev:1;)

# --------------------
# Date: 2018-08-07
# Title: Analysis of the latest attack activities of APT-C-35 organization (brain worm)
# Tests: syntax only
# Reference: https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader variant initial outbound connection"; flow:to_server,established; content:"/football/goal"; fast_pattern:only; http_uri; content:"data="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000235; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader variant initial response connection"; flow:to_client,established; content:"200"; http_stat_code; file_data; content:"loose"; depth:5; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000236; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader variant initial response connection"; flow:to_client,established; content:"200"; http_stat_code; file_data; content:"win"; depth:3; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000237; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.EHDevel outbound exfiltration attempt"; flow:to_server,established; content:"/panel/bigdata/"; fast_pattern:only; http_uri; content:"data="; http_client_body; pcre:"/\/panel\/bigdata\/(file_upload|orderfile)/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000238; rev:1;)

# --------------------
# Date: 2018-08-07
# Title: Tech Support Scam Integrates Call Optimization Service
# Tests: syntax only
# Reference: https://www.symantec.com/blogs/threat-intelligence/tech-support-scam-call-optimization
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Tech support scam landing page detected"; flow:to_server,established; content:"/?mid="; http_uri; content:"&number="; fast_pattern:only; content:"&cid="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000239; rev:1;)

# --------------------
# Date: 2018-08-07
# Title: Win.Trojan.Casdet
# Tests: pcap
# Reference: http://www.virustotal.com/#/file/c0c0d0c792a332ff1263a5f27357017381ecd5e236dfa71d7b49af7787e11c9e/detection
# Confidence: low
# Notes: One of the C&C patterns matches SID 8000123 (Win.Trojan.Kardon)
#        submitted on 2018-06-27 (Multiple signatures 000).

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Casdet outbound connection attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"id="; http_client_body; content:"&enabled="; http_client_body; content:"&bv="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/c0c0d0c792a332ff1263a5f27357017381ecd5e236dfa71d7b49af7787e11c9e/detection; classtype:trojan-activity; sid:8000240; rev:1;)

# --------------------
# Date: 2018-08-12
# Title: Familiar Feeling - A Malware Campaign Targeting the Tibetan Diaspora Resurfaces
# Tests: syntax only
# Reference:
#     - https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/
#     - https://github.com/citizenlab/malware-indicators/tree/master/201808_FamiliarFeeling
# Confidence: low
# Notes:
#     1. The Snort rule in GitHub requires reversing the direction? The
#        "LOGIN" command is sent to the C&C upon infection.
#     2. Added rules for inbound commands.
#     3. All credit goes to CitizenLab.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ initial outbound connection"; flow:to_server,established; dsize:<250; content:"LOGIN|7C 2A 7C|"; fast_pattern; content:"|7C 2A 7C|"; within:20; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000241; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_client,established; content:"CMD|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000242; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_client,established; content:"FILERECEIVE|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000243; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_client,established; content:"FILEHEAD|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000244; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_client,established; content:"FILESEND|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000245; rev:1;)

# --------------------
# Date: 2018-08-12
# Title: Andr.Trojan.AnubisCrypt
# Tests: emulator, pcap
# Reference: Research
#     - d27034b9f58aa71f08f3c57d893fe07cdd395c9b4e494fbcca2a1d1ca3dce88e
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt initial outbound connection"; flow:to_server,established; content:"/checkPanel.php"; fast_pattern:only; http_uri; content:"Content-Length: 0"; http_header; content:" Android "; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000246; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt initial connection response"; flow:to_client,established; file_data; content:"<tag>|2A 2A|"; depth:7; content:"|2A 2A|</tag>"; within:20; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000247; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/locker.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000248; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/tuk_tuk.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000249; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/set_data.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000250; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/getSettingsAll.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000251; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/settings.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000252; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/playprot.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000253; rev:1;)

# --------------------
# Date: 2018-08-13
# Title: Office User-Agents and Shortened URLs, Win.Trojan.DelfAgent
# Tests: pcap
# Reference: Research
#     - 016d9ba9042f43a168a43b2334ba4c81b151b7125717314717ce198674d0c6fd
#     - b3be486490acd78ed37b0823d7b9b6361d76f64d26a089ed8fbd42d838f87440
# Confidence: medium
# Notes: SIDs 8000254-8000255 are similar to SIDs 8000055-8000056 posted on 2018-05-25

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office Word User-Agent to a potential URL shortener service"; flow:to_server,established; urilen:<10; content:"User-Agent: Microsoft Office Word"; fast_pattern:only; http_header; content:"Host: "; http_header; content:"|0D 0A|"; within:14; http_header; content:"OPTIONS"; http_method; content:"X-"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:8000254; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office Word User-Agent to a potential URL shortener service"; flow:to_server,established; urilen:<10; content:"User-Agent: Microsoft Office Word"; fast_pattern:only; http_header; content:"Host: "; http_header; content:"|0D 0A|"; within:14; http_header; content:"HEAD"; http_method; content:"X-"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:8000255; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DelfAgent outbound connection"; flow:to_server,established; content:"|7C|WIN_"; content:"|7C|X64|7C|"; within:10; metadata:ruleset community; classtype:trojan-activity; sid:8000256; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DelfAgent outbound connection"; flow:to_server,established; content:"|7C|WIN_"; content:"|7C|X86|7C|"; within:10; metadata:ruleset community; classtype:trojan-activity; sid:8000257; rev:1;)

# --------------------
# Date: 2018-08-14
# Title: GOLDFIN: A Persistent Campaign Targeting CIS Countries with SOCKSBOT
# Tests: pcap
# Reference: https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf
# Confidence: low

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.SOCKSBOT enumerate processes and take screenshot HTTP response"; flow:to_client,established; content:"202"; http_stat_code; content:"OK"; http_stat_msg; content:"Server: Apache|0D 0A|"; http_header; content:!"Content"; http_header; content:!"Accept"; http_header; content:!"Last-Modified"; http_header; content:!"ETag"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000258; rev:1;)

Thanks.
YM
--


Hi Yaser,

Your submissions are much appreciated! We'll get these into our testing
process and get back to you as soon as possible.  We'd appreciate any pcaps
you'd be willing to share.  Thanks again!

Marcos Rodriguez
Cisco Talos
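Before a batch like the one above goes into testing, it is worth running a mechanical pass for the mistakes that mail-wrapped rule submissions tend to carry: a server-to-client header paired with flow:to_server, a within/distance anchored on a content marked fast_pattern:only (which Snort 2.9 never evaluates as a rule option, so nothing relative can hang off it), a line break that the mail client inserted inside a content string, and a SID reused within the set. The linter below is an added example, not code from the post or from the Snort project. The five sample rules are constructed, trimmed copies of rules in the post (SIDs reused from it), four of them deliberately carrying one of those problems; the function names and the shape of the findings are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on rules from the post, trimmed to a few options.
# Rule 1 is clean; rules 2-5 each carry one problem on purpose.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Win.Trojan.Casdet outbound"; '
    'flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; '
    'content:"id="; http_client_body; content:!"User-Agent"; http_header; sid:8000240; rev:1;)',
    # server -> client header, but flow:to_server
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Win.Trojan.yty response"; '
    'flow:to_server,established; content:"200"; http_stat_code; file_data; content:"loose"; '
    'depth:5; fast_pattern; isdataat:!1,relative; sid:8000236; rev:1;)',
    # within:20 is relative to a content that fast_pattern:only never evaluates
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Win.Trojan.DMShell++ login"; '
    'flow:to_server,established; dsize:<250; content:"LOGIN|7C 2A 7C|"; fast_pattern:only; '
    'content:"|7C 2A 7C|"; within:20; sid:8000241; rev:1;)',
    # the mail client wrapped the line inside a content string
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Andr.Trojan.AnubisCrypt"; '
    'flow:to_server,established; content:"/getSettingsAll.php"; fast_pattern:only; http_uri; '
    'content:"\nAndroid "; http_header; sid:8000251; rev:1;)',
    # SID already used by rule 1
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Win.Trojan.Casdet copy"; '
    'flow:to_server,established; content:"/gate.php"; http_uri; sid:8000240; rev:1;)',
]

# action proto src sport dir dst dport
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)$')


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the option body on ';' outside double quotes, honouring backslash
    escapes, and return (keyword, argument) pairs in rule order."""
    pairs, cur, in_quote, escaped = [], [], False, False
    for ch in body + ';':                 # trailing ';' flushes the last option
        if ch == ';' and not in_quote and not escaped:
            opt = ''.join(cur).strip()
            cur = []
            if opt:
                key, _, arg = opt.partition(':')
                pairs.append((key.strip(), arg.strip()))
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = ch == '\\' and not escaped
        cur.append(ch)
    return pairs


def parse_rule(rule: str) -> Dict:
    """Parse one single-line rule into header fields plus its ordered options."""
    head, _, rest = rule.partition('(')
    m = HEADER_RE.match(head.strip())
    if not m or not rest.rstrip().endswith(')'):
        raise ValueError('malformed rule: ' + rule[:60])
    opts = split_options(rest.rstrip()[:-1])
    last = dict(opts)                     # last value wins; fine for sid/msg/flow
    return {'src': m.group(3), 'dir': m.group(5), 'dst': m.group(6), 'options': opts,
            'flow': last.get('flow', ''), 'sid': int(last.get('sid', '0')),
            'msg': last.get('msg', '').strip('"')}


def lint_rule(r: Dict) -> List[str]:
    findings = []
    inbound = r['src'].startswith('$EXTERNAL_NET') and r['dst'].startswith('$HOME_NET')
    outbound = r['src'].startswith('$HOME_NET') and r['dst'].startswith('$EXTERNAL_NET')
    if r['dir'] == '->' and inbound and 'to_server' in r['flow']:
        findings.append('header is server->client but flow:to_server; use to_client')
    if r['dir'] == '->' and outbound and 'to_client' in r['flow']:
        findings.append('header is client->server but flow:to_client; use to_server')
    prev_only = cur_only = seen_content = False
    for key, arg in r['options']:
        if key == 'content':              # a new content starts a new modifier group
            prev_only, cur_only = (cur_only if seen_content else False), False
            seen_content = True
            if '\n' in arg or '\r' in arg:
                findings.append('line break inside content %r (mail wrapping?)' % arg)
        elif key == 'fast_pattern' and arg == 'only':
            cur_only = True
        elif key in ('within', 'distance') and prev_only:
            findings.append('%s:%s is relative to a fast_pattern:only content, which '
                            'is never evaluated as a rule option' % (key, arg))
    return findings


def lint_ruleset(rules: List[str]) -> List[Tuple[int, str]]:
    """Lint every rule and flag SIDs reused within the set."""
    report, first_msg = [], {}
    for text in rules:
        r = parse_rule(text)
        report.extend((r['sid'], f) for f in lint_rule(r))
        if r['sid'] in first_msg:
            report.append((r['sid'], 'duplicate sid, first used for %r' % first_msg[r['sid']]))
        else:
            first_msg[r['sid']] = r['msg']
    return report


if __name__ == '__main__':
    for sid, finding in lint_ruleset(SAMPLE_RULES):
        print(sid, finding)
```

Run as a script it prints one line per finding (SIDs 8000236, 8000241, 8000251 and the duplicate 8000240); rule 1 passes. The direction check only reasons about the $HOME_NET/$EXTERNAL_NET variables and the "->" operator, so a rule written with literal addresses or "<>" is left alone rather than guessed at, and the fast_pattern:only check deliberately fixes the rule on the second content rather than the first, because it is the anchor, not the modifier, that is unevaluated.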
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
