Snort mailing list archives

Multiple signatures 016

From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 25 Oct 2018 15:24:57 +0000

Hi,

Hope all sig makers are doing great today. Pcaps and Yara/ClamAV signatures are available for all of the cases below.

Thank you.

# --------------------
# Date: 2018-10-06
# Title: ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545)
# Reference: Triage from: https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/
# Tests: pcap
# Yara:
#    - TOOL_PWS_LaZagne
# ClamAV:
#    - TOOL.PWS.LaZagne
# Hashes:
#    - cb197616e12daff971b86544eb06554583e95b137b69a4b7cbe83c7de2a38948
#    - 29eadfb89fa2af7567f34b20778c1dc2a1be2f5b8aa84f642da0291a68de32d0
#    - 1c963f531b1870f8edffcc9a9a96019c296801f69ea0a9dda555d91cf791a837
#    - 2c90585b53a28a3413099c94c38f250ca5b17f72ddf6a4e346421eb0a6bdd881
#    - 82cbdd4822630e179b685733490dc61db4761151656e1663ab91430f32ce86b6
#    - 0e1320fd39174b14b7e817491d5e95807e66226d60659a07eb0e4bdedb06bea1
# Notes:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader / ZeroEvil variant 
outbound connection"; flow:to_server,established; content:"/logs_gate.php?plugin="; fast_pattern:only; http_uri; 
content:"|3B| name=|22|file|22|"; http_client_body; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000373; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant outbound 
connection"; flow:to_server,established; content:"/plugin_gate.php?plugin="; fast_pattern:only; http_uri; content:"|3B| 
name=|22|file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000374; 
rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant / ZeroEvil 
outbound connection"; flow:to_server,established; content:"/gate.php"; http_uri; content:"version="; http_client_body; 
fast_pattern; content:!"Referer"; http_header; pcre:"/version\x3d([0-9]{3}\x255F)+/P"; metadata:ruleset community, 
service http; classtype:trojan-activity; sid:8000375; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant outbound 
connection"; flow:to_server,established; content:"/screenshot_gate.php?hwid="; fast_pattern:only; http_uri; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000376; rev:1;)

# --------------------
# Date: 2018-10-10
# Title: MuddyWater
# Reference: Triage from:
#    - https://s.tencent.com/research/report/509.html
#    - https://securelist.com/muddywater/88059/
# Tests: pcap
# Yara:
#    - FILE_OFFICE_OLE_Dropper_Doc
#    - TOOL_CNC_Shootback
#    - TOOL_PWS_Credstealer
# ClamAV:
#    - FILE_OFFICE.OLE.Dropper.Doc
#    - TOOL_PWS.Credstealer
#    - TOOL_CNC.Shootback
#    - Doc.Dropper.Agent-HSB1
#    - Doc.Dropper.Agent-HSB2
#    - Doc.Dropper.Agent-HSB3
#    - Doc.Dropper.Agent-HSB4
# Hashes:
#    - 009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0: Composite Document File V2 Document
#    - 153117aa54492ca955b540ac0a8c21c1be98e9f7dd8636a36d73581ec1ddcf58: Composite Document File V2 Document
#    - 18479a93fc2d5acd7d71d596f27a5834b2b236b44219bb08f6ca06cf760b74f6: Composite Document File V2 Document
#    - 18cf5795c2208d330bd297c18445a9e25238dd7f28a1a6ef55e2a9239f5748cd: Composite Document File V2 Document
#    - 209fb398318a0d346b933b0c408467fce8dea36c10cd0f69ce4b342e28cee9dc: Composite Document File V2 Document
#    - 2a49d29d58d4d962bee5430e40f488bb79ebab92cf13db5bb4708f3eaf95caed: Composite Document File V2 Document
#    - 2cea0b740f338c513a6390e7951ff3371f44c7c928abf14675b49358a03a5d13: Composite Document File V2 Document
#    - 38556ba0b512636006c00b51f24ac92755bd1f1b21b4ae1812abf6bf9543221e: Composite Document File V2 Document
#    - 3da24cd3af9a383b731ce178b03c68a813ab30f4c7c8dfbc823a32816b9406fb: Composite Document File V2 Document
#    - 3eb27ecfbe5381b9cf4dcba2486e9773d9893b92c95032be784e0d2198740539: Composite Document File V2 Document
#    - 3f14a1210d1f2cdb916275bf32cb49159b6f49a54f246bdcb0e967cd0edb8e82: Composite Document File V2 Document
#    - 40ffcbf044ec951242a92a09b6a239183def2e74fc18e5975fa70e849d875a2e: Composite Document File V2 Document
#    - 41a32a19c78a542ab4d0701c31d9ef6c7f019c9bc604ab9415f4790b7ac6c591: Composite Document File V2 Document
#    - 5c7d16bd89ef37fe02cac1851e7214a01636ee4061a80bfdbde3a2d199721a79: Composite Document File V2 Document
#    - 5f2a6601d349af00a4cc101a638003af2f330879c333168cbf6a7a123dfb3928: Composite Document File V2 Document
#    - 6a68e8b12960257621cb89f979c1fbbd0f13c2338fad0f64e133deb95c99b2f9: Composite Document File V2 Document
#    - 707d2128a0c326626adef0d3a4cab78562abd82c2bd8ede8cc82f86c01f1e024: Composite Document File V2 Document
#    - 76e9988dad0278998861717c774227bf94112db548946ef617bfaa262cb5e338: Composite Document File V2 Document
#    - 818253f297fea7d8a2324ee1a233aabbaf3b0b4b9cdaa1ebd676fe00f2247388: PE32+ executable (console) x86-64, for MS 
Windows
#    - 9038ba1b7991ff38b802f28c0e006d12d466a8e374d2f2a83a039aabcbe76f5c: Composite Document File V2 Document
#    - 94625dd8151814dd6186735a6a6a87b2a4c71c04b8402caf314fb6f98434eaad: Composite Document File V2 Document
#    - abc269676eab9cf71f4f00195d1be02c10ea5bfb383fa1396dc108e0f6f9b9be: Composite Document File V2 Document
#    - b9c70adbc731b1b2779ab35bb0fab29ae703e2a4a7214c5e2749b02daf326a9b: Composite Document File V2 Document
#    - bbcafdb4fd7bf107d8b85934286d531536b7a0a30e5eeed07e27f0f7afcf8a77: Composite Document File V2 Document
#    - bfb4fc96c1ba657107c7c60845f6ab720634c8a9214943b5221378a37a8916cd: Composite Document File V2 Document
#    - c87799cce6d65158da97aa31a5160a0a6b6dd5a89dea312604cc66ed5e976cc9: Composite Document File V2 Document
#    - eff78c23790ee834f773569b52cddb01dc3c4dd9660f5a476af044ef6fe73894: Composite Document File V2 Document
#    - f2f573af0f76fe0f21bbe630a4bb50b1c1836eb24429bfb8c93673276f27e374: Composite Document File V2 Document
#    - f6707b5f41192353be3311fc7f48ee30465038366386b909e6cefaade70c91bc: PE32+ executable (console) x86-64, for MS 
Windows

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Dropper.Agent outbound connection"; 
flow:to_server,established; content:"/main.php?t="; http_uri; content:"&type=info"; http_uri; fast_pattern:only; 
content:"&f=s"; http_uri; content:"&id="; http_uri; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000378; rev:1;)

# --------------------
# Date: 2018-10-23
# Title: Win.Trojan.Micropsia
# Reference: Research
# Tests: pcap + sandbox
# Yara:
#    - MALWARE_Win_Trojan_Micropsia
# ClamAV:
#    - MALWARE_Win.Trojan.Micropsia-1
#    - MALWARE_Win.Trojan.Micropsia-2
# Hashes:
#    - 0180e2b601ae643e7adf1784c313dd2d10d114bd2b5692eb6e9c031a6e448ed1
#    - 027b1042621f86394fd7da27c5310e4906f41b96f6e5474875e63d39b32a9c11
#    - 0d05f333f1ce2567eb8f42f7a9098a7e044b1cccac9133d65872445608c89665
#    - 228ea63f4f03e98aae13fafc4d850f7cdd6344fa824427f7ec42f31a2ae8345d
#    - 3522805eba6bf69f801028252985bd71437875db051c2ed2c8d9f40cefc86edb
#    - 368845729255ab7fcfb5c0b6c153929d5ccb8d1f9a40cc02ca7c026b4b6813ec
#    - 370f8196b9351289796df63d927e496107d3d6af26272bddf769721beee7de91
#    - 5bab8a360d1d08e37e4e6c052f7fce13a291ad9b99f950770a647222bfc4d6b4
#    - 75329e7b79284f63c1383244b20fb0d9c4bb1e9c4feba04307f1223db30c9203
#    - 9cb5ef0b17eea1a43d5d323277e08645574c53ab1f65b0031a6fc323f52b0079
#    - b60bca59de9c7f9c796de3e5c3a1466c0929c7355f4db8c59548af357777e59b
#    - b6f8b5ba026af863e878eded79f40e5efa1dd7ce725cd0479e5f062dbf4fdd4f
#    - c4e79e151986dc5e16ce763321de90d8c214909df7210ec05e590c4375423a76
#    - dd185667015d23438a994adc9e9b30572a1e7479c05f563e0b6c71b8c6023685
#    - e326d427695efc1f1eea5f86b545d16b46b45ef3cc0151e22d8a583f391571a9
#    - e477b5e00699a9ccb3868de543c29087042fd44c631f8fcda5faaf7922382146
#    - effa0e01adad08ae4bc787678ce67510d013a06d1a10d39ec6b19e2449e25fbd
#    - f70681c7e8ab419fd0938802a823337abad936cccc0ace9ee232f2b874e561f1
#    - fb95a719c4b26bb577cea5837cac6ba9fdfcfd240bc2fc7b1d0759bf392d5191

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant infection report 
outbound connection"; flow:to_server,established; content:"/api/"; http_uri; content:"Accept-Encoding: UTF8|0D 0A|"; 
http_header; content:"-Embt-Boundary-"; fast_pattern; http_client_body; content:"::Windows"; within:1000; 
http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000379; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant screenshot 
exfiltration outbound connection"; flow:to_server,established; content:"/api/"; http_uri; content:"-Embt-Boundary-"; 
http_header; fast_pattern:only; content:"Accept: image/"; http_header; content:"Accept-Encoding: UTF8|0D 0A|"; 
http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000380; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant heartbeat outbound 
connection"; flow:to_server,established; content:"POST"; http_method; content:"/api/"; http_uri; content:"Googlebot"; 
http_header; fast_pattern:only; content:"-Embt-Boundary-"; http_header; content:"Accept-Encoding: UTF8|0D 0A|"; 
http_header; content:"-Embt-Boundary-"; http_client_body; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000381; rev:1;)

# --------------------
# Date: 2018-07-25, Updated: 2018-10-23
# Title: AgentTesla SMTP Exfil.
# Reference: Research
# Test: pcap + sandbox
# Yara:
#   - MALWARE_Win_Keylogger_AgentTesla
# ClamAv:
#   - MALWARE_Win.Keylogger.AgentTesla-1
#   - MALWARE_Win.Keylogger.AgentTesla-2
#   - MALWARE_Win.Keylogger.AgentTesla-3
# Hashes:
#   - 030228c5caa62e7727e0a664ef18fdf5663e7edbc2d2f7e5c38bf06526a5023e
#   - 0c5f9ab0d84eada4be9e6f86cf81a2b3dd0fbb708342eded078a152490ceb15e
#   - b9253b60188214a143b2b7d2b0a3b1adb1d0834b6fc231b9da7b61c9c3184e92
#   - 4827ceccbdd20c966bdaa3648f67cb82f319bcbc1766dd134c4fac3f5483179e
#   - Updated:
#   - 0676b96e49d703a5d09f4b42d108a725603f17da080fc8a7a182bf63eac0ec39
#   - 4aa0b4fb7554a5dbaca53bcdc3bc6f69fd1772d444d29c5513bc95d2b49c1c97
#   - 4aa2b0ad01e19160db78a327fa0080f13ef0b6fb514b36d64430a4f08d356385
#   - 58fe2c7eddb9e31a670eee8397031608f6f1bb30dc1b92df6565551f0118599c
#   - 5a5d5b0c3917a59751c4c8404f9711b07395f058a29187fc3a37c2db94a0cc64
#   - 64d85ae3f57011ed0b6795712ec436c1ad85c6775fb00c71a1bec6d379950484
#   - 869799260e8fe99eca1de03f9baf4de1388de7f7ef41fb70eb03c9cd56dc6e24
#   - 97b42e993ec5a3a94e684a12e231cba6a67fab8ff5aa2e4be1ba15a01f015784
#   - 98939aa778b7528b635c5336dfd9d7a3ca292de233c2866e50408af34b211921
#   - a0b515b02f3e9a6a8738ba40dc2dbb6cecc375b0a69bf44b4a33a7daafeac29a
#   - a8605e3124ea7db12ae794943e1aeeeadb9c8563a81be4060d95f9d370d9fbf9
#   - c3521771621a724196f6b89fb3ed9fd1c1567dd0157d11a2c060b41128f7cbb9
#   - c36a1a233fe7b9a4ef5418000825636bd67c6582a7215a9a82ea863374805ab9
#   - d21242ac305be4cbb3ea072ddfe56be87965ea37a1d85808cee1926018c44395
#   - e21cc93868d9a1126bc7563a56387477ac9aece7dcc7c17dbd4f0c0c1848a886
#   - f2968fc4d637bc878207c704b7984014cc9a04f468d8242576fe9bf7a4d57659
# Notes:
#   - CVE-2017-11882 > opendir(s) > dropped binary.
#   - opendirs(s) files dumpped (see screenshots).
#   - the "test.doc" is also a CVE-2017-11882.
#   - operated by "operations[at]tms-tamkers[.]com"
#   - sid 8000207 was utterly wrong, fixed in rev:2.

alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla outbound SMTP connection"; 
flow:to_server,established; content:"|0D 0A|Subject: "; content:"Passwords Recovered From: "; within:150; fast_pattern; 
metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000207; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla outbound SMTP connection"; 
flow:to_server,established; content:"|0D 0A|Subject: "; content:"Screen Capture From: "; within:150; fast_pattern; 
metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000382; rev:1;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Current thread:

Multiple signatures 016 Y M via Snort-sigs (Oct 25)
- Re: Multiple signatures 016 Marcos Rodriguez (Oct 25)