Snort mailing list archives
Re: Multiple signature 009
From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Tue, 14 Aug 2018 15:12:58 -0400
On Tue, Aug 14, 2018 at 2:54 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:
Hi,

Pcaps for some of the signatures are available. Below are additional references for SID 8000101 - Win.Trojan.Autophyte (SID:46970), which was posted in April 2018:

http://taylor-blog.issuemakerslab.com/2018/06/continue-to-distribute-malicious-code.html
http://taylor-blog.issuemakerslab.com/2018/07/malware-disguised-as-company-document.html

# --------------------
# Date: 2018-08-07
# Title: Andr.Ransomware.Koler / Andr.Ransomware.Svpeng
# Tests: pcap
# Reference: Research
# Confidence: medium+
# Notes: Screenshots attached.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Ransomware.Koler/Svpeng variant outbound connection"; flow:to_server,established; content:".php?id="; http_uri; content:"USER-AGENT: Mozilla/5.0|0D 0A|"; fast_pattern:only; http_header; content:"sub="; http_client_body; content:"&code="; http_client_body; content:"&data="; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/3b5b9155bad5d5012f60c6de831768960f68bdad40204a1ffcfdf7f5dc06e9dd/detection; classtype:trojan-activity; sid:8000234; rev:1;)

# --------------------
# Date: 2018-08-07
# Title: Analysis of the latest attack activities of APT-C-35 organization (brain worm)
# Tests: syntax only
# Reference: https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/
# Confidence: low
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader variant initial outbound connection"; flow:to_server,established; content:"/football/goal"; fast_pattern:only; http_uri; content:"data="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000235; rev:1;)
# The two response rules below inspect server-to-client traffic ($HTTP_PORTS as source port, http_stat_code), so they need flow:to_client; with flow:to_server they would never match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader variant initial response connection"; flow:to_client,established; content:"200"; http_stat_code; file_data; content:"loose"; depth:5; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000236; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader variant initial response connection"; flow:to_client,established; content:"200"; http_stat_code; file_data; content:"win"; depth:3; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000237; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.EHDevel outbound exfiltration attempt"; flow:to_server,established; content:"/panel/bigdata/"; fast_pattern:only; http_uri; content:"data="; http_client_body; pcre:"/\/panel\/bigdata\/(file_upload|orderfile)/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000238; rev:1;)

# --------------------
# Date: 2018-08-07
# Title: Tech Support Scam Integrates Call Optimization Service
# Tests: syntax only
# Reference: https://www.symantec.com/blogs/threat-intelligence/tech-support-scam-call-optimization
# Confidence: low
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Tech support scam landing page detected"; flow:to_server,established; content:"/?mid="; http_uri; content:"&number="; fast_pattern:only; content:"&cid="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000239; rev:1;)

# --------------------
# Date: 2018-08-07
# Title: Win.Trojan.Casdet
# Tests: pcap
# Reference: http://www.virustotal.com/#/file/c0c0d0c792a332ff1263a5f27357017381ecd5e236dfa71d7b49af7787e11c9e/detection
# Confidence: low
# Notes: One of C&C patterns matches SID 8000123 (Win.Trojan.Kardon) submitted
# on 2018-06-27 (Multiple signatures 000).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Casdet outbound connection attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"id="; http_client_body; content:"&enabled="; http_client_body; content:"&bv="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/c0c0d0c792a332ff1263a5f27357017381ecd5e236dfa71d7b49af7787e11c9e/detection; classtype:trojan-activity; sid:8000240; rev:1;)

# --------------------
# Date: 2018-08-12
# Title: Familiar Feeling - A Malware Campaign Targeting the Tibetan Diaspora Resurfaces
# Tests: syntax only
# Reference:
# - https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/
# - https://github.com/citizenlab/malware-indicators/tree/master/201808_FamiliarFeeling
# Confidence: low
# Notes:
# 1. The Snort rule in GitHub requires reversing the direction? The
# "LOGIN" command is sent to the C&C upon infection.
# 2. Added rules for inbound commands.
# 3. All credit goes to CitizenLab.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ initial outbound connection"; flow:to_server,established; dsize:<250; content:"LOGIN|7C 2A 7C|"; fast_pattern:only; content:"|7C 2A 7C|"; within:20; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000241; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_server,established; content:"CMD|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000242; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_server,established; content:"FILERECEIVE|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000243; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_server,established; content:"FILEHEAD|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000244; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DMShell++ inbound command connection"; flow:to_server,established; content:"FILESEND|7C 2A 7C|"; fast_pattern:only; metadata:ruleset community; reference:url,citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/; classtype:trojan-activity; sid:8000245; rev:1;)

# --------------------
# Date: 2018-08-12
# Title: Andr.Trojan.AnubisCrypt
# Tests: emulator, pcap
# Reference: Research
# - d27034b9f58aa71f08f3c57d893fe07cdd395c9b4e494fbcca2a1d1ca3dce88e
# Confidence: medium
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt initial outbound connection"; flow:to_server,established; content:"/checkPanel.php"; fast_pattern:only; http_uri; content:"Content-Length: 0"; http_header; content:" Android "; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000246; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt initial connection response"; flow:to_client,established; file_data; content:"<tag>|2A 2A|"; depth:7; content:"|2A 2A|</tag>"; within:20; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000247; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/locker.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000248; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/tuk_tuk.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000249; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/set_data.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000250; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/getSettingsAll.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000251; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/settings.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000252; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt outbound connection"; flow:to_server,established; content:"/playprot.php"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"p="; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000253; rev:1;)

# --------------------
# Date: 2018-08-13
# Title: Office User-Agents and Shortened URLs, Win.Trojan.DelfAgent
# Tests: pcap
# Reference: Research
# - 016d9ba9042f43a168a43b2334ba4c81b151b7125717314717ce198674d0c6fd
# - b3be486490acd78ed37b0823d7b9b6361d76f64d26a089ed8fbd42d838f87440
# Confidence: medium
# Notes: SIDs 8000254-8000255 are similar to SIDs 8000055-8000056 posted 2018-05-25
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office Word User-Agent to a potential URL shortener service"; flow:to_server,established; urilen:<10; content:"User-Agent: Microsoft Office Word"; fast_pattern:only; http_header; content:"Host: "; http_header; content:"|0D 0A|"; within:14; http_header; content:"OPTIONS"; http_method; content:"X-"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:8000254; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office Word User-Agent to a potential URL shortener service"; flow:to_server,established; urilen:<10; content:"User-Agent: Microsoft Office Word"; fast_pattern:only; http_header; content:"Host: "; http_header; content:"|0D 0A|"; within:14; http_header; content:"HEAD"; http_method; content:"X-"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:8000255; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DelfAgent outbound connection"; flow:to_server,established; content:"|7C|WIN_"; content:"|7C|X64|7C|"; within:10; metadata:ruleset community; classtype:trojan-activity; sid:8000256; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DelfAgent outbound connection"; flow:to_server,established; content:"|7C|WIN_"; content:"|7C|X86|7C|"; within:10; metadata:ruleset community; classtype:trojan-activity; sid:8000257; rev:1;)

# --------------------
# Date: 2018-08-14
# Title: GOLDFIN: A Persistent Campaign Targeting CIS Countries with SOCKSBOT
# Tests: pcap
# Reference: https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf
# Confidence: low
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.SOCKSBOT enumerate processes and take screenshot HTTP response"; flow:to_client,established; content:"202"; http_stat_code; content:"OK"; http_stat_msg; content:"Server: Apache|0D 0A|"; http_header; content:!"Content"; http_header; content:!"Accept"; http_header; content:!"Last-Modified"; http_header; content:!"ETag"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000258; rev:1;)

Thanks.
YM
--
Hi Yaser,

Your submissions are much appreciated! We'll get these into our testing process and get back to you as soon as possible. We'd appreciate any pcaps you'd be willing to share.

Thanks again!

Marcos Rodriguez
Cisco Talos
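Before a batch like the one above goes into pcap testing, a reviewer usually runs a few mechanical checks over it: a rule whose source port is $HTTP_PORTS or that inspects http_stat_code is looking at a server response and must carry flow:to_client, request buffers such as http_uri must not sit behind flow:to_client, fast_pattern:only cannot share a content match with within/distance/offset/depth, and no SID may appear twice in the submission. The linter below is an added example written for this page; it is not a Snort or Talos tool and not part of the thread. It assumes Snort 2.9 rule syntax with the $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS variables, and the three rules it ships with are constructed samples (SIDs 9000001-9000003) in the style of the submission, one clean and two with the mistakes just described.

```python
"""Lint Snort 2.x rule submissions for direction/flow and fast_pattern mistakes.

Added example for this page; not a Snort or Talos tool. Assumes Snort 2.9
rule syntax and the $HOME_NET / $EXTERNAL_NET / $HTTP_PORTS variables.
"""
import re
from collections import Counter

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
RESPONSE_ONLY = {"http_stat_code", "http_stat_msg"}      # the status line exists only in responses
REQUEST_ONLY = {"http_method", "http_uri", "http_raw_uri", "http_client_body"}
POSITIONAL = {"within", "distance", "offset", "depth"}  # rejected together with fast_pattern:only


def parse_options(opts):
    """Split 'kw:val; kw; ...' into (kw, val) pairs; a ';' inside quotes is data."""
    pairs, buf, in_quote, escaped = [], [], False, False

    def flush():
        token = "".join(buf).strip()
        if token:
            kw, _, val = token.partition(":")
            pairs.append((kw.strip(), val.strip()))
        buf.clear()

    for ch in opts:
        if escaped:                         # keep the character after a backslash verbatim
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ";" and not in_quote:    # option terminator
            flush()
        else:
            if ch == '"':
                in_quote = not in_quote
            buf.append(ch)
    flush()                                 # last option may lack a trailing ';'
    return pairs


def lint_rule(rule):
    """Return (sid, findings) for one rule; an empty findings list means clean."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ("?", ["unparseable rule header"])
    opts = parse_options(m.group("opts"))
    single = dict(opts)                     # last-wins; fine for flow/sid, which occur once
    sid = single.get("sid", "?")
    flow = {p.strip() for p in single.get("flow", "").split(",") if p.strip()}
    kws = {k for k, _ in opts}
    findings = []
    if m.group("sport") == "$HTTP_PORTS" and "to_server" in flow:
        findings.append(f"sid {sid}: source port $HTTP_PORTS is a response, but flow:to_server")
    hit = sorted(RESPONSE_ONLY & kws)
    if hit and "to_server" in flow:
        findings.append(f"sid {sid}: response-only buffer(s) {hit} with flow:to_server")
    hit = sorted(REQUEST_ONLY & kws)
    if hit and "to_client" in flow:
        findings.append(f"sid {sid}: request-only buffer(s) {hit} with flow:to_client")
    # Walk each content's modifier group; the sentinel flushes the last group.
    mods = []
    for kw, val in opts + [("content", "")]:
        if kw in ("content", "pcre"):
            if ("fast_pattern", "only") in mods and any(k in POSITIONAL for k, _ in mods):
                findings.append(f"sid {sid}: fast_pattern:only combined with a positional modifier")
            mods = []
        else:
            mods.append((kw, val))
    return (sid, findings)


def lint_rules(text):
    """Lint every rule line of a submission and flag SIDs defined more than once."""
    report, seen = {}, Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and '# Date:'-style headers
            continue
        sid, findings = lint_rule(line)
        seen[sid] += 1
        report.setdefault(sid, []).extend(findings)
    for sid, n in seen.items():
        if n > 1:
            report[sid].append(f"sid {sid}: defined {n} times")
    return report


# Constructed sample rules (not from the submission): one clean request rule, one
# response rule with the flow direction mismatch, one fast_pattern:only misuse.
CLEAN_REQUEST = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed request rule"; '
                 'flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; '
                 'content:"id="; http_client_body; metadata:ruleset community, service http; '
                 'classtype:trojan-activity; sid:9000001; rev:1;)')
MISMATCHED_RESPONSE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed response rule"; '
                       'flow:to_server,established; content:"200"; http_stat_code; file_data; content:"win"; '
                       'depth:3; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service http; '
                       'classtype:trojan-activity; sid:9000002; rev:1;)')
BAD_FAST_PATTERN = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed fast_pattern misuse"; '
                    'flow:to_server,established; content:"|7C|WIN_"; content:"|7C|X64|7C|"; within:10; '
                    'fast_pattern:only; classtype:trojan-activity; sid:9000003; rev:1;)')

if __name__ == "__main__":
    for sid, f in lint_rules("\n".join([CLEAN_REQUEST, MISMATCHED_RESPONSE, BAD_FAST_PATTERN])).items():
        print(sid, "clean" if not f else "; ".join(f))
```

The checks are deliberately structural: they do not replace a syntax pass with snort -T or a pcap run, but they catch the class of mistake that passes a syntax check and still produces a rule that can never fire.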
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads