Snort mailing list archives
Multiple signatures 014
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 12 Sep 2018 17:03:30 +0000
Hi,

Pcaps and ClamAV/Yara signatures are available for the majority of the cases below.

Thanks.
YM

# --------------------
# Date: 2018-08-29
# Title: A walk through the AcridRain Stealer
# Reference: Triage from: https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/
# Tests: pcap
# Yara:
# - MALWARE_Win_Trojan_AcridRain
# ClamAV:
# - MALWARE_Win.Trojan.AcridRain
# Hashes (triage):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AcridRain outbound connection"; flow:to_server,established; content:"/Upload/"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|file|22|"; http_client_body; content:"form-data|3B| name=|22|id|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000311; rev:1;)

# --------------------
# Date: 2018-09-02
# Title: Win.Trojan.Arkei (a.k.a. Win.Trojan.Nocturnal?)
# Reference: Research
# Tests: pcap
# Yara:
# - MALWARE_Win_Trojan_Nocturnal
# ClamAV:
# - MALWARE_Win.Trojan.Nocturnal
# Hashes:
# - 0892104dceefa48f5fac31d030432689ee151ab577f0e1e0f2d6676238a70de9
# - 5283b968056136a34c2e89c352c02c5b4422a5aa75b261a2f7713f24ad56abc5
# - bae982b9b1712e05f2fad90e0227bb21341eac9766a395641f07c22c3368debe
# Notes: HTTP POST traffic partially matches SID:8000096 - Win.Trojan.Nocturnal submitted a while back.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious User-Agent - Win.Trojan.Nocturnal/Arkei"; flow:to_server,established; content:"User-Agent: Arkei/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000322; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nocturnal/Arkei outbound connection"; flow:to_server,established; content:"/server/grubConfig"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000323; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nocturnal/Arkei outbound connection"; flow:to_server,established; content:"/server/gate"; fast_pattern:only; http_uri; content:"name=|22|hwid|22|"; http_client_body; content:"name=|22|os|22|"; http_client_body; content:"name=|22|platform|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000324; rev:1;)

# --------------------
# Date: 2018-09-02
# Title: PowerPool malware exploits ALPC LPE zero-day vulnerability
# Reference: Triage from: https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/
# Tests: pcap + sandbox
# Yara:
# - MALWARE_Win_Trojan_PowerPool_Stage_1
# - MALWARE_Win_Trojan_PowerPool_Stage_2
# ClamAV:
# - MALWARE_Win.Trojan.PowerPool_Stage_1
# - MALWARE_Win.Trojan.PowerPool_Stage_2
# Hashes:
# 1st_stage:
# - 035f97af0def906fbd8f7f15fb8107a9e852a69160669e7c0781888180cd46d5
# - 8c2e729bc086921062e214b7e4c9c4ddf324a0fa53b4ed106f1341cfe8274fe4
# - 8c32d6f2408115476c5552a4e3e86a3cc5e7148cc0111a4b464509461f3c0d20
# - fb05c7b6087ebaf129036639e3cd9cd199ab450d69c2faac4a51064c1505334d
# 2nd_stage:
# - 58a50840c04cd15f439f1cc1b684e9f9fa22c0d64f44a391d9e2b1222e5cd6bd
# - af2abf0748013a7084507f8e96f6e7c21a3f962fbbb148dcbb482a98c06940a1
# Notes:
# 1. Triage on C&C and Yara revealed additional samples.
# 2. Sandbox execution reveals C&C not mentioned in original reference.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool first stage outbound connection attempt"; flow:to_server,established; content:"/?id="; http_uri; content:"&info="; distance:16; fast_pattern; http_uri; content:!"Accept-"; http_header; content:!"Referer"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000329; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool second stage heartbeat outbound connection attempt"; flow:to_server,established; urilen:6; content:"/heart"; http_uri; fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )"; http_header; content:"|22|sessionid|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000330; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool second stage execute command outbound connection"; flow:to_server,established; urilen:8; content:"/cmdpool"; http_uri; fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )"; http_header; content:"|22|dos|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000331; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool second stage list directory outbound connection"; flow:to_server,established; urilen:8; content:"/cmdpool"; http_uri; fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )"; http_header; content:"|22|folder|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000332; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE outbound IP address check to l2.io"; flow:to_server,established; urilen:3; content:"/ip"; fast_pattern:only; http_uri; content:"Host: www.l2.io"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000333; rev:1;)

# --------------------
# Date: 2018-09-08
# Title: CVE-2018-5002 Exploit/Infection Chain
# Reference:
# - https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack
# - https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/
# Tests: pcap
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; content:"/doc?token="; fast_pattern:only; http_uri; content:"x-flash-version"; http_header; content:!"Referer"; http_header; pcre:"/\/doc\x3ftoken\x3d[a-f0-9]{32}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000334; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<70; content:"/stab/"; fast_pattern:only; http_uri; content:".png?x="; http_uri; content:"Referer"; http_header; content:"x-flash-version"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000335; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<45; content:"POST"; http_method; content:"/download/"; http_uri; content:"Referer"; http_header; content:"x-flash-version"; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; pcre:"/\/download\/[a-f0-9]{32}\/$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000336; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<40; content:"POST"; http_method; content:"/log/"; http_uri; content:"Content-Type: text/plain"; http_header; pcre:"/\/log\/[a-f0-9]{32}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000337; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<40; content:"POST"; http_method; content:"/home/"; http_uri; content:"Content-Type: text/plain"; http_header; pcre:"/\/home\/[a-f0-9]{32}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000338; rev:1;)

# --------------------
# Date: 2018-09-08
# Title: OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
# Reference:
# - https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/
# Tests: syntax only
# Notes:
# - Computer name maximum allowed length (CN) = 63 > (Win7/Win10)
# - User name maximum allowed length (UN) = 20 > (Win7/Win10)
# - Separator (SP, \) = 1
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<90; content:"/khc?"; depth:5; http_uri; content:"|5C|"; http_uri; pcre:"/\/khc\?[A-F0-9]{3,84}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000339; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<91; content:"/tahw?"; depth:6; http_uri; content:"|5C|"; http_uri; pcre:"/\/tahw\?[A-F0-9]{3,84}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000340; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<1100; content:"/pser?"; depth:6; http_uri; content:"|5C|"; http_uri; pcre:"/\/pser\?[A-F0-9]{3,84}(BBZ|BBY)[A-F0-9]{0,1000}/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000341; rev:1;)

# --------------------
# Date: 2018-08-29
# Title: Click me if you can, Office social engineering with embedded objects
# Reference: https://securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html
# Tests: pcap (file2pcap)
# Yara:
# - FILE_OFFICE_RTF_Shell_Explorer_Execution
# - FILE_OFFICE_RTF_Forms_HTML_Execution
# ClamAV:
# - FILE_OFFICE_OLE_Shell_Explorer_Execution
# - FILE_OFFICE_ActiveX_Forms_HTML_Execution
# Notes:
# 1. Documents were converted to RTF and they appear to achieve the same behavior when opened with Word.
# 2. First 6 signatures in this set match what is observed in the generated files.
# 3. Remaining signatures target Forms.HTML:* variants for referencing HTTP URLs instead of file URLs.
# 4. ClamAV signatures don't care if the files are RTF or other.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Shell.Explorer.1 CLSID referencing embedded LNK file with remote content"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"c32ab2eac130cf11a7eb0000c05bae0b"; nocase; fast_pattern:only; content:"4c00000001140200"; nocase; content:"6800740074007000"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000312; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Shell.Explorer.1 CLSID referencing embedded LNK file with remote content"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"c32ab2eac130cf11a7eb0000c05bae0b"; nocase; fast_pattern:only; content:"4c00000001140200"; nocase; content:"6800740074007000"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000313; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing executable file URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000314; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing executable file URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000315; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing executable file URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000316; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing executable file URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000317; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing HTTP URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000318; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing HTTP URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000319; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing HTTP URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000320; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing HTTP URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000321; rev:1;)

# --------------------
# Date: 2018-09-03
# Title: Ruler is a tool for interacting with Exchange servers remotely with the aim of
# abusing client-side Outlook features and gaining a shell remotely.
# Reference: Research
# - https://github.com/sensepost/ruler
# - https://attack.mitre.org/wiki/Technique/T1190
# - https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1046
# Tests: syntax only
alert tcp any any -> $HOME_NET 80 (msg:"INDICATOR-SCAN Ruler interaction attempt"; flow:to_server,established; content:"User-Agent: ruler|0D 0A|"; fast_pattern:only; http_header; content:"/autodiscover/autodiscover.xml"; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/wiki/Technique/T1190; classtype:web-application-activity; sid:8000327; rev:1;)
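Two of the OilRig rules as originally posted carry defects that a syntax-only test does not catch: the /tahw? rule's pcre still has the prefix of a different URI (/chk?), and the /pser? rule's {,1000} is literal text to PCRE rather than a range. The rule-consistency check below is an added example, not part of the post and not a Snort or ClamAV tool; it assumes a minimal option splitter and runs over constructed, trimmed copies of those three rules, flagging a URI-normalised pcre whose literal prefix disagrees with the content anchored by depth + http_uri, and any {,n} quantifier.

```python
import re

# Minimal option splitter for a Snort rule body: "name" or "name:value" per ';',
# keeping quoted values whole so the \/ and \? escapes in a pcre body survive.
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

# Constructed copies of the three OilRig rules, trimmed to the options the check
# needs; the second and third carry the defects named in the lead-in.
RULES = [
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OilRig khc"; flow:to_server,established; urilen:<90; '
    r'content:"/khc?"; depth:5; http_uri; content:"|5C|"; http_uri; pcre:"/\/khc\?[A-F0-9]{3,84}$/U"; sid:8000339; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OilRig tahw"; flow:to_server,established; urilen:<91; '
    r'content:"/tahw?"; depth:6; http_uri; content:"|5C|"; http_uri; pcre:"/\/chk\?[A-F0-9]{3,84}$/U"; sid:8000340; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OilRig pser"; flow:to_server,established; urilen:<1100; '
    r'content:"/pser?"; depth:6; http_uri; content:"|5C|"; http_uri; pcre:"/\/pser\?[A-F0-9]{3,84}(BBZ|BBY)[A-F0-9]{,1000}/U"; sid:8000341; rev:1;)',
]

def parse_options(rule):
    """Return the option block as an ordered list of (name, value) pairs."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    return [(m.group(1), m.group(2).strip('"') if m.group(2) else None)
            for m in OPT_RE.finditer(body)]

def pcre_literal_prefix(pattern):
    """Leading literal text of a pcre body; a backslash escape counts as one literal."""
    out, i = '', 0
    while i < len(pattern) and (pattern[i] == '\\' or pattern[i] not in '[(.*+?{^$|'):
        step = 2 if pattern[i] == '\\' else 1   # an escape contributes its next char
        out, i = out + pattern[i + step - 1], i + step
    return out

def lint_rule(rule):
    """Return (sid, problems); an empty problem list means the rule looks consistent."""
    opts = parse_options(rule)
    sid = next((v for n, v in opts if n == 'sid'), '?')
    anchor, problems = None, []
    for i, (name, val) in enumerate(opts):
        # the first content pinned by depth + http_uri fixes the prefix a /U pcre must repeat
        if name == 'content' and anchor is None:
            mods = [n for n, _ in opts[i + 1:i + 4]]
            if 'http_uri' in mods and 'depth' in mods:
                anchor = val
        elif name == 'pcre':
            body, flags = val.rsplit('/', 1)
            body = body[1:]                     # drop the opening delimiter
            if '{,' in body:
                problems.append(f'sid {sid}: "{{,n}}" is literal text in PCRE, use "{{0,n}}"')
            if 'U' in flags and anchor and not pcre_literal_prefix(body).startswith(anchor):
                problems.append(f'sid {sid}: pcre prefix does not match content anchor {anchor!r}')
    return sid, problems

def lint_rules(rules):
    """Map sid -> problems for every rule that has at least one."""
    return {sid: p for sid, p in map(lint_rule, rules) if p}
```

Running `lint_rules(RULES)` reports only sids 8000340 and 8000341; once those two rules are corrected it returns an empty dict.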