
Re: Multiple signatures 011


From: Marcos Rodriguez via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 22 Aug 2018 10:13:56 -0400

On Wed, Aug 22, 2018 at 9:13 AM, Y M via Snort-sigs <
snort-sigs () lists snort org> wrote:

Hi,

Pcaps for the majority of the rules below are available.

# --------------------
# Date: 2018-08-21
# Title: Russian Army Exhibition Decoy Leads to New BISKVIT Malware
# Tests: syntax only
# Reference: https://www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html
# Confidence: low

# Biskvit token request, client -> server: a POST to /api/auth/token that carries
# Authorization and Expect headers, has no User-Agent header, and whose client
# body starts with {"ApiKey" (the 9-byte depth covers exactly that prefix).
# fast_pattern:only on the URI content keeps the expensive checks behind a
# single pre-filter. Author's confidence: low, syntax-tested only.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Biskvit access token request outbound connection";
flow:to_server,established; content:"POST"; http_method;
content:"/api/auth/token"; fast_pattern:only; http_uri;
content:"Authorization"; http_header; content:"Expect"; http_header;
content:"|7B 22|ApiKey|22|"; depth:9; http_client_body;
content:!"User-Agent"; http_header; metadata:ruleset community, service
http; reference:url,www.fortinet.com/blog/threat-research/
russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html;
classtype:trojan-activity; sid:8000267; rev:1;)

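# Biskvit token response, server -> client: an HTTP response body (file_data)
# containing the JSON keys access_token, expires_in and refresh_token.
# Fix: the submitted rule used flow:to_server, which describes traffic toward the
# responder and therefore does not match a server response on a
# $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET rule; the inbound response needs to_client.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"MALWARE-CNC Win.Trojan.Biskvit access token response inbound connection"; \
    flow:to_client,established; file_data; \
    content:"|7B 22|access_token|22|"; \
    content:"|22|expires_in|22|"; \
    content:"|22|refresh_token|22|"; \
    metadata:ruleset community, service http; \
    reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; \
    classtype:trojan-activity; sid:8000268; rev:1;)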

# Biskvit job poll, client -> server: any HTTP method (no http_method check) with
# /api/job in the URI, an Authorization header present and no User-Agent header.
# NOTE(review): "/api/job" is also a prefix of the "/api/job/<id>" URI matched by
# sid 8000272, so a job-state POST with these headers fires both rules — add an
# http_method or a trailing delimiter if that is not intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Biskvit get job request outbound connection";
flow:to_server,established; content:"/api/job"; fast_pattern:only;
http_uri; content:"Authorization"; http_header; content:!"User-Agent";
http_header; metadata:ruleset community, service http; reference:url,
www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-
leads-to-new-biskvit-malware.html; classtype:trojan-activity;
sid:8000269; rev:1;)

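# Biskvit job response, server -> client: an HTTP response body (file_data) that
# is a JSON object with the keys id, resultUri, tasks and executeOptions.
# Fix: the submitted rule used flow:to_server on an inbound-response rule, which
# does not describe a server response and so would not fire on this traffic;
# the direction must be to_client.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"MALWARE-CNC Win.Trojan.Biskvit get job response inbound connection"; \
    flow:to_client,established; file_data; \
    content:"|7B 22|id|22|"; \
    content:"|22|resultUri|22|"; \
    content:"|22|tasks|22|"; \
    content:"|22|executeOptions|22|"; \
    metadata:ruleset community, service http; \
    reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; \
    classtype:trojan-activity; sid:8000270; rev:1;)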

# Biskvit package download, client -> server: a request for /api/package/<id>
# with an Authorization header and no User-Agent header. The pcre (URI buffer, /U)
# requires the id to be 24-32 lowercase hex characters; it is case-sensitive, so
# an upper-case id from the same server would not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Biskvit download package request outbound connection";
flow:to_server,established; content:"/api/package/"; fast_pattern:only;
http_uri; content:"Authorization"; http_header; content:!"User-Agent";
http_header; pcre:"/\/api\/package\/[a-f0-9]{24,32}/U"; metadata:ruleset
community, service http; reference:url,www.fortinet.
com/blog/threat-research/russian-army-exhibition-decoy-
leads-to-new-biskvit-malware.html; classtype:trojan-activity;
sid:8000271; rev:1;)

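# Biskvit job state upload, client -> server: a POST to /api/job/<id> (24-32
# lowercase hex chars, checked by the pcre on the URI buffer) with an
# Authorization header, no User-Agent header, and a client body that starts
# with {"State" and also contains "Data".
# Fix: the submitted msg was a verbatim copy of sid 8000271's ("download package
# request"), although this rule matches a different transaction; the msg now
# names what the options actually match so alerts can be triaged by message.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-CNC Win.Trojan.Biskvit job state report outbound connection"; \
    flow:to_server,established; content:"POST"; http_method; \
    content:"/api/job/"; fast_pattern:only; http_uri; \
    content:"Authorization"; http_header; \
    content:"|7B 22|State|22|"; http_client_body; \
    content:"|22|Data|22|"; http_client_body; \
    content:!"User-Agent"; http_header; \
    pcre:"/\/api\/job\/[a-f0-9]{24,32}/U"; \
    metadata:ruleset community, service http; \
    reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; \
    classtype:trojan-activity; sid:8000272; rev:1;)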

# --------------------
# Date: 2018-08-21
# Title: Fake Plugins with Popuplink.js Redirect to Scam Sites
# Tests: syntax only
# Reference: https://blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html
# Confidence: low+
# Notes:
#    1. The JS file name could be anything. Maybe remove the http_uri content
#       match and set a flowbit on SID 8000275 instead?
#    2. Some websites/requests may be within SSL.

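# Popuplink.js redirector, client -> server: a request for /popuplink.js?ver=
# with a Referer header and the cookie index_is_shown.
# Fix: sids 8000273, 8000274 and 8000275 were submitted with the identical msg;
# the only difference between 8000273 and 8000274 is the cookie name, so the msg
# now names it and alerts from the two rules can be told apart without the sid.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-OTHER potentially infected website with Popuplink.js Redirector - index_is_shown cookie"; \
    flow:to_server,established; \
    content:"/popuplink.js?ver="; fast_pattern:only; http_uri; \
    content:"Referer"; http_header; \
    content:"index_is_shown"; http_cookie; \
    metadata:ruleset community, service http; \
    reference:url,blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html; \
    classtype:trojan-activity; sid:8000273; rev:1;)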

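# Popuplink.js redirector, client -> server: a request for /popuplink.js?ver=
# with a Referer header and the cookie update_is_shown.
# Fix: the submitted msg was identical to sids 8000273 and 8000275; the only
# difference from 8000273 is the cookie name, so the msg now names it and the
# two alerts can be told apart without looking at the sid.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-OTHER potentially infected website with Popuplink.js Redirector - update_is_shown cookie"; \
    flow:to_server,established; \
    content:"/popuplink.js?ver="; fast_pattern:only; http_uri; \
    content:"Referer"; http_header; \
    content:"update_is_shown"; http_cookie; \
    metadata:ruleset community, service http; \
    reference:url,blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html; \
    classtype:trojan-activity; sid:8000274; rev:1;)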

# Popuplink.js redirector, server -> client (to_client is correct here): an HTTP
# response body (file_data) that references /popuplink.js?ver= and contains the
# strings "wp_cfg_ and "url". This is the injected page itself rather than the
# script request, so it is the candidate for the flowbit the author mentions in
# note 1 above.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
potentially infected website with Popuplink.js Redirector";
flow:to_client,established; file_data; content:"/popuplink.js?ver=";
content:"|22|wp_cfg_"; content:"|22|url|22|"; metadata:ruleset community,
service http; reference:url,blog.sucuri.net/2018/08/fake-plugins-with-
popuplink-js-redirect-to-scam-sites.html; classtype:trojan-activity;
sid:8000275; rev:1;)

# --------------------
# Date: 2018-08-21
# Title: A Quick Look Into the Oracle WebLogic Attacks
# Tests: syntax only
# Reference:
#    - http://www.kahusecurity.com/2018/05/a-quick-look-into-the-oracle-weblogic-attacks/
#    - https://blog.khairulazam.net/2018/06/07/analyzing-oracle-weblogic-attack/
# Hashes:
#    - 250b334bd70c7a800906b6da7e8fc3d6238f1f426c89fc4b020bb52e48e479eb
#    - 1aa8f0e14fe092d85a37d4d7b5ac2ca7d92ee82f28d02cbee71f6b5f22a0e7dc
# Confidence: low+

# WebLogic post-compromise beacon, client -> server: a User-Agent header of the
# form "PowerShell/PMA" or "PowerShell/WL" (enforced by the pcre on the header
# buffer, /H) followed somewhere later in the headers by "Microsoft Windows".
# NOTE(review): the first content is flagged fast_pattern:only, which means it is
# used only as a pre-filter and not evaluated as a rule option, yet the next
# content is relative to it (distance:0) — confirm the parser accepts this
# combination; dropping ":only" would make the anchor explicit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
known malicious User-Agent - Oracle WebLogic post-compromise outbound
connection"; flow:to_server,established; content:"User-Agent: PowerShell/";
fast_pattern:only; http_header; content:"Microsoft Windows"; distance:0;
http_header; pcre:"/User-Agent\x3a\x20PowerShell\/(PMA|WL)/H";
metadata:ruleset community, service http; reference:url,www.
kahusecurity.com/2018/05/a-quick-look-into-the-oracle-weblogic-attacks/;
classtype:trojan-activity; sid:8000276; rev:1;)

# --------------------
# Date: 2018-08-22
# Title: AZORult -> BabylonRAT
# Tests: pcaps
# Reference: https://traffic.moe/2018/08/22/index.html
# Hashes:
#    - AZORult    : 9ee000a5f6ddfe1fe58991690b95a99b2797343386203fddd64a5e9e0892d404
#    - Babylon RAT: 416cb01b767ebf97e71e62965555871ad47672fc843bf2c93a4559c14e794462

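# AZORult check-in, client -> server: a raw-payload match on the HTTP/1.0
# request line "POST /index.php HTTP/1.0" (urilen:10 == len("/index.php")),
# with Connection: close and Content-Type: application/octet-stream headers and
# no User-Agent, Accept or Referer headers.
# Fix: the submission header cites traffic.moe for this set, but unlike every
# other rule in the mail the rule itself carried no reference: option; added so
# the analysis is reachable from the alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-CNC Win.Trojan.AZORult variant outbound connection"; \
    flow:to_server,established; urilen:10; \
    content:"POST /index.php HTTP/1.0"; fast_pattern:only; \
    content:"Connection: close|0D 0A|"; http_header; \
    content:"Content-Type: application/octet-stream|0D 0A|"; http_header; \
    content:!"User-Agent"; http_header; \
    content:!"Accept:"; http_header; \
    content:!"Referer"; http_header; \
    metadata:ruleset community, service http; \
    reference:url,traffic.moe/2018/08/22/index.html; \
    classtype:trojan-activity; sid:8000277; rev:1;)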

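# Babylon RAT client -> server: a 4-byte payload (dsize:4) with 0xFF found at or
# after byte 1 (offset:1, no depth), then one byte skipped (distance:1) and a
# second 0xFF that is the last byte of the payload (isdataat:!1,relative).
# NOTE(review): two fixed bytes in a 4-byte packet on any destination port is a
# weak signal and will collide with other binary protocols; expect tuning to be
# needed — e.g. requiring the inbound rule (sid 8000279) via a flowbit.
# Fix: added the reference: option for the traffic.moe analysis cited in the
# submission header, which the rule itself lacked.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"MALWARE-CNC Win.Trojan.Babylon RAT outbound connection"; \
    flow:to_server,established; dsize:4; \
    content:"|FF|"; offset:1; \
    content:"|FF|"; distance:1; isdataat:!1,relative; \
    metadata:ruleset community; \
    reference:url,traffic.moe/2018/08/22/index.html; \
    classtype:trojan-activity; sid:8000278; rev:1;)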

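# Babylon RAT server -> client: an 8-byte payload (dsize:8) with 0xFF found at or
# after byte 1 (offset:1, no depth), then five bytes skipped (distance:5) and a
# second 0xFF that is the last byte of the payload (isdataat:!1,relative).
# NOTE(review): as with sid 8000278, two fixed bytes on any port is a weak
# signal; flow:to_client is correct for this inbound direction.
# Fix: added the reference: option for the traffic.moe analysis cited in the
# submission header, which the rule itself lacked.
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"MALWARE-CNC Win.Trojan.Babylon RAT inbound connection"; \
    flow:to_client,established; dsize:8; \
    content:"|FF|"; offset:1; \
    content:"|FF|"; distance:5; isdataat:!1,relative; \
    metadata:ruleset community; \
    reference:url,traffic.moe/2018/08/22/index.html; \
    classtype:trojan-activity; sid:8000279; rev:1;)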

Thanks.
YM


Hiya Yaser,

Thanks again for your many contributions! We'll get these into our testing
process and get back to you as soon as possible.  We'd appreciate any pcaps
you'd be willing to share.  Thanks again!

-- 

Marcos Rodriguez
Cisco Talos
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most <a href="https://snort.org/downloads/#rule-downloads">emerging threats</a>!
