Re: Multiple signatures - 001

[Marcos Rodriguez <mrodriguez () sourcefire com>]

On Thu, Jun 28, 2018 at 9:44 AM, Y M via Snort-sigs <
snort-sigs () lists snort org> wrote:

> Hi,
>
> The last patch of signatures had syntax errors, although the tests stated
> 'syntax only'. I apologize for that. Pcaps available only for Pbot and
> TechSupportScam traffic. Notes are included within each set of rules.
>
> # --------------------
> # Date: 2018-06-27
> # Title: TechScamSupport Binaries
> # Tests: pcaps
> # Reference: https://twitter.com/nao_sec/status/1011999821643767809
> #     - https://www.virustotal.com/#/file/c9adabc7516e38ce611cbde5856fbe
> 6b06e8afee4422d754aa810aec59ecd8d8/detection
> #     - https://www.virustotal.com/#/file/05c84e23571624b75645247d475ccf
> 88bb51eb8624c4564fd69e5a4ca1a65c96/detection
> #     - https://www.virustotal.com/#/file/276c235e7c0bc443bf87e02341fb5f
> e5a1ca1d7e249927fd1b8bd66bd43a70c1/detection
> # Confidence: medium
> # Note: first rule is derived from the pcaps. Remaining two rules are
> derived the strings within the binaries.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.TechSupportScam installed binary outbound connection";
> flow:to_server,established; content:"/register.php?"; fast_pattern:only;
> http_uri; content:"p="; http_uri; content:"&code="; http_uri;
> content:!"User-Agent"; http_header; metadata:ruleset community, service
> http; reference:url,www.virustotal.com/#/file/
> c9adabc7516e38ce611cbde5856fbe6b06e8afee4422d754aa810aec59ecd8d8/detection;
> reference:url,www.virustotal.com/#/file/05c84e23571624b75645247d475ccf
> 88bb51eb8624c4564fd69e5a4ca1a65c96/detection; reference:url,
> www.virustotal.com/#/file/276c235e7c0bc443bf87e02341fb5f
> e5a1ca1d7e249927fd1b8bd66bd43a70c1/detection; classtype:trojan-activity;
> sid:8000139; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.TechSupportScam installed binary outbound connection";
> flow:to_server,established; content:"/update_new.php?"; fast_pattern:only;
> http_uri; content:"code="; http_uri; content:!"User-Agent"; http_header;
> metadata:ruleset community, service http; reference:url,www.virustotal.
> com/#/file/c9adabc7516e38ce611cbde5856fbe6b06e8afee4422d754aa810aec59ec
> d8d8/detection; reference:url,www.virustotal.com/#/file/
> 05c84e23571624b75645247d475ccf88bb51eb8624c4564fd69e5a4ca1a65c96/detection;
> reference:url,www.virustotal.com/#/file/276c235e7c0bc443bf87e02341fb5f
> e5a1ca1d7e249927fd1b8bd66bd43a70c1/detection; classtype:trojan-activity;
> sid:8000140; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.TechSupportScam installed binary outbound connection";
> flow:to_server,established; content:"/show_new.php?"; fast_pattern:only;
> http_uri; content:"code="; http_uri; content:!"User-Agent"; http_header;
> metadata:ruleset community, service http; reference:url,www.virustotal.
> com/#/file/c9adabc7516e38ce611cbde5856fbe6b06e8afee4422d754aa810aec59ec
> d8d8/detection; reference:url,www.virustotal.com/#/file/
> 05c84e23571624b75645247d475ccf88bb51eb8624c4564fd69e5a4ca1a65c96/detection;
> reference:url,www.virustotal.com/#/file/276c235e7c0bc443bf87e02341fb5f
> e5a1ca1d7e249927fd1b8bd66bd43a70c1/detection; classtype:trojan-activity;
> sid:8000141; rev:1;)
>
> # --------------------
> # Date: 2018-06-27
> # Title: Pbot: evolving adware
> # Tests: pcaps
> # Reference: https://securelist.com/pbot-evolving-adware/86242/
> #     - https://www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fa
> d77eba9a6e07f8766c7e1393cae890fdf6/detection
> #     - https://www.virustotal.com/#/file/d9041db2bbaedf3626d271fa82dc3d
> facc153b233f6be5241866bfdb0c5839e5/detection
> #     - https://www.virustotal.com/#/file/4105cfbe86187aa66ed30302be96bc
> 9b3925a7baa5da101f4aa40354b1aa10cf/detection
> # Confidence: medium
> # Note: first rule is derived from the pcap. Remaining rules are derived
> from reference and the detailed reports of VT Tencent HABO
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER
> Win.Adware.Pbot variant outbound connection"; flow:to_server,established;
> content:"/collect.php?"; fast_pattern:only; http_uri; content:"pid=";
> http_uri; content:"&cid="; http_uri; content:"&sid="; http_uri;
> content:"&act="; http_uri; metadata:ruleset community, service http;
> reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fa
> d77eba9a6e07f8766c7e1393cae890fdf6/detection; classtype:trojan-activity;
> sid:8000142; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER
> Win.Adware.Pbot variant outbound connection"; flow:to_server,established;
> content:"/installstarted"; fast_pattern:only; http_uri; content:"&de=";
> http_uri; content:"&_v="; http_uri; content:"&_s="; http_uri;
> metadata:ruleset community, service http; reference:url,www.virustotal.
> com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f8766c7e1393cae890
> fdf6/detection; classtype:trojan-activity; sid:8000143; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER
> Win.Adware.Pbot variant outbound connection"; flow:to_server,established;
> content:"/installended"; fast_pattern:only; http_uri; content:"&de=";
> http_uri; content:"&_v="; http_uri; content:"&_s="; http_uri;
> metadata:ruleset community, service http; reference:url,www.virustotal.
> com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f8766c7e1393cae890
> fdf6/detection; classtype:trojan-activity; sid:8000144; rev:1;)
>
> # --------------------
> # Date: 2018-06-27
> # Title: LuckyMouse hits national data center to organize country-level
> waterholing campaign
> # Tests: syntatx only, Shodan, RiskIQ, Censys, ThreatMiner
> # Reference: https://securelist.com/luckymouse-hits-national-data-
> center/86083/
> # Confidence: low-
> # Note: The droppers and backdoor communicate with specific IP address.
> According to Shodan
> #       RiskIQ, CIRCL (via threatminer.org), and Censys a self-signed
> TLSv1.0 certificate
> #       was Last Seen on 2018-03-27, matching the month of the activity
> mentioned by the reference.
> #       This was the only certificate associated with this IP address
> within the suspected time
> #       frame. However, the same certificate have been associated with
> multiple IP addresses.
> # SHA1: ee14e4ab0b243b397315e094935f5b74a67a1bc7
>
> alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC
> Win.Backdoor.HyperBro inbound self-signed certificate";
> flow:to_client,established; content:"|16 03 01|"; content:"|0B|";
> distance:3; content:"au"; nocase; content:"some-state"; nocase;
> content:"internet widgets ltd"; nocase; metadata:ruleset community, service
> ssl; classtype:trojan-activity; sid:8000145; rev:1;)
>
> # --------------------
> # Date: 2018-06-28
> # Title: RadRAT An all-in-one toolkit for complex espionage ops
> # Tests: syntatx only, strings found in all samples
> # Reference: https://download.bitdefender.com/resources/files/News/
> CaseStudies/study/200/Bitdefender-Whitepaper-RADrat-
> crea2645-A4-en-EN-interactive.pdf
> # Confidence: low--
> # Note: All the samples, including the test binaries contained the same
> network-related artifacts
> #       that maybe sig'able. These include the user-agent and the POST
> URL, and some the dropbox URIs.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.RadRat outbound connection"; flow:to_server,established;
> urilen:2; content:"Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:35.0)
> Gecko/20100101 Firefox/35.0"; fast_pattern:only; http_header; content:"/A";
> http_uri; content:"POST"; http_method; content:!"Referer"; http_method;
> metadata:ruleset community, service http; reference:url,download.
> bitdefender.com/resources/files/News/CaseStudies/study/
> 200/Bitdefender-Whitepaper-RADrat-crea2645-A4-en-EN-interactive.pdf;
> classtype:trojan-activity; sid:8000146; rev:1;)
>
> # --------------------
> # Date: 2018-06-28
> # Title: MysteryBot; a new Android banking Trojan ready for Android 7 and 8
> # Tests: syntatx only, Android logcat
> # Reference: https://www.threatfabric.com/blogs/mysterybot__a_new_
> android_banking_trojan_ready_for_android_7_and_8.html
> # Confidence: low--
> # Note: The network artificates displayed by VT Droidy and Tencent HABO
> are partial. Reviewing the logcat from
> #       http://sanddroid.xjtu.edu.cn/report?apk_md5=
> 78DD186DFB6AC49B91B4B16C2F5C1C3F
> #       provides a better version of the network artificats, which also
> match the ones reported by VT and Tencent.
> #       The malware appears to be sending a base64 encoded JSON data as a
> query string.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Andro.Trojan.MysteryBot banker outbound connection"; flow:to_server,
> established; urilen:250<>300; content:"/gate.php?i=eyAiYW";
> fast_pattern:only; http_uri; metadata:ruleset community, service http;
> reference:url,www.threatfabric.com/blogs/mysterybot__a_new_android_
> banking_trojan_ready_for_android_7_and_8.html; classtype:trojan-activity;
> sid:8000147; rev:1;)
>
> Thanks.
> YM

Hi Yaser,

Thanks for these submissions. We will review each of them and get back to
you when finished.


-- 
Marcos Rodriguez
Cisco Talos

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!