Snort mailing list archives

Re: Multiple signatures 016


From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Thu, 25 Oct 2018 13:43:18 -0400

On Thu, Oct 25, 2018 at 11:32 AM Y M via Snort-sigs
<snort-sigs () lists snort org> wrote:

Hi,

Hope all sig makers are doing great today. Pcaps and Yara/ClamAV signatures are available for all of the cases below.

Thank you.

# --------------------
# Date: 2018-10-06
# Title: ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545)
# Reference: Triage from: https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/
# Tests: pcap
# Yara:
#    - TOOL_PWS_LaZagne
# ClamAV:
#    - TOOL.PWS.LaZagne
# Hashes:
# Notes:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader / ZeroEvil variant outbound connection"; flow:to_server,established; content:"/logs_gate.php?plugin="; fast_pattern:only; http_uri; content:"|3B| name=|22|file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000373; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant outbound connection"; flow:to_server,established; content:"/plugin_gate.php?plugin="; fast_pattern:only; http_uri; content:"|3B| name=|22|file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000374; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant / ZeroEvil outbound connection"; flow:to_server,established; content:"/gate.php"; http_uri; content:"version="; http_client_body; fast_pattern; content:!"Referer"; http_header; pcre:"/version\x3d([0-9]{3}\x255F)+/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000375; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant outbound connection"; flow:to_server,established; content:"/screenshot_gate.php?hwid="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000376; rev:1;)

# --------------------
# Date: 2018-10-10
# Title: MuddyWater
# Reference: Triage from:
#    - https://s.tencent.com/research/report/509.html
#    - https://securelist.com/muddywater/88059/
# Tests: pcap
# Yara:
#    - FILE_OFFICE_OLE_Dropper_Doc
#    - TOOL_CNC_Shootback
#    - TOOL_PWS_Credstealer
# ClamAV:
#    - FILE_OFFICE.OLE.Dropper.Doc
#    - TOOL_PWS.Credstealer
#    - TOOL_CNC.Shootback
#    - Doc.Dropper.Agent-HSB1
#    - Doc.Dropper.Agent-HSB2
#    - Doc.Dropper.Agent-HSB3
#    - Doc.Dropper.Agent-HSB4
# Hashes:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Dropper.Agent outbound connection"; flow:to_server,established; content:"/main.php?t="; http_uri; content:"&type=info"; http_uri; fast_pattern:only; content:"&f=s"; http_uri; content:"&id="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000378; rev:1;)

# --------------------
# Date: 2018-10-23
# Title: Win.Trojan.Micropsia
# Reference: Research
# Tests: pcap + sandbox
# Yara:
#    - MALWARE_Win_Trojan_Micropsia
# ClamAV:
#    - MALWARE_Win.Trojan.Micropsia-1
#    - MALWARE_Win.Trojan.Micropsia-2
# Hashes:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant infection report outbound connection"; flow:to_server,established; content:"/api/"; http_uri; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; content:"-Embt-Boundary-"; fast_pattern; http_client_body; content:"::Windows"; within:1000; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000379; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant screenshot exfiltration outbound connection"; flow:to_server,established; content:"/api/"; http_uri; content:"-Embt-Boundary-"; http_header; fast_pattern:only; content:"Accept: image/"; http_header; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000380; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant heartbeat outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/api/"; http_uri; content:"Googlebot"; http_header; fast_pattern:only; content:"-Embt-Boundary-"; http_header; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; content:"-Embt-Boundary-"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000381; rev:1;)

# --------------------
# Date: 2018-07-25, Updated: 2018-10-23
# Title: AgentTesla SMTP Exfil.
# Reference: Research
# Tests: pcap + sandbox
# Yara:
#   - MALWARE_Win_Keylogger_AgentTesla
# ClamAV:
#   - MALWARE_Win.Keylogger.AgentTesla-1
#   - MALWARE_Win.Keylogger.AgentTesla-2
#   - MALWARE_Win.Keylogger.AgentTesla-3
# Hashes:
# Notes:
#   - CVE-2017-11882 > opendir(s) > dropped binary.
#   - opendir(s) files dumped (see screenshots).
#   - the "test.doc" is also a CVE-2017-11882.
#   - operated by "operations[at]tms-tamkers[.]com"
#   - sid 8000207 was utterly wrong, fixed in rev:2.

alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: "; content:"Passwords Recovered From: "; within:150; fast_pattern; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000207; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: "; content:"Screen Capture From: "; within:150; fast_pattern; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000382; rev:1;)
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org (https://snort.org/downloads/#rule-downloads) to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats!

Hi Yaser,

Thanks for these submissions, we'll get these into our testing process
and get back to you as soon as possible.  We'd appreciate any pcaps
you'd be willing to share.  Thanks again!

-- 
Marcos Rodriguez
Cisco Talos
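As an added illustration (not part of either message, and not Snort's or Talos' code), the following Python emulates the content/within and pcre checks of two of the submitted rules, sids 8000207 and 8000375, over constructed payloads: it shows how `within:150` bounds the second match relative to the end of the first, and what the `\x255F` in the pcre actually requires. The function and sample names are the example's own; plain bytes stand in for Snort's normalized HTTP and SMTP buffers.

```python
"""Emulation of the content / within / pcre logic in sids 8000207 and 8000375.
Added example only: not Snort, and not the submitter's or Talos' code."""
import re


def content_within(buf: bytes, first: bytes, second: bytes, within: int) -> bool:
    """Snort 'content A; content B; within:N': B must be found, and end, inside
    the N bytes that follow the end of the A match (a relative match)."""
    i = buf.find(first)
    if i < 0:
        return False
    cursor = i + len(first)                 # detection cursor after match A
    return second in buf[cursor:cursor + within]


def agenttesla_smtp_match(payload: bytes) -> bool:
    """sid 8000207: '\\r\\nSubject: ' followed within 150 bytes by the
    'Passwords Recovered From: ' marker (fast_pattern only affects search order)."""
    return content_within(payload, b"\r\nSubject: ",
                          b"Passwords Recovered From: ", 150)


# pcre from sid 8000375 without the /P (client body) modifier:
# \x3d is '=', \x25 is '%', so each group is three digits followed by a literal '%5F'.
ARS_VERSION_PCRE = re.compile(rb"version\x3d([0-9]{3}\x255F)+")


def ars_gate_match(uri: bytes, headers: bytes, body: bytes) -> bool:
    """sid 8000375: '/gate.php' in the URI, 'version=' in the client body,
    no Referer header at all (content:!"Referer"), and the pcre over the body."""
    return (b"/gate.php" in uri
            and b"version=" in body
            and b"Referer" not in headers
            and ARS_VERSION_PCRE.search(body) is not None)


# Constructed samples, not real captures.
SMTP_HIT = b"From: x@example.test\r\nSubject: Passwords Recovered From: PC1\r\n\r\nbody"
SMTP_TOO_FAR = b"\r\nSubject: " + b"A" * 160 + b"Passwords Recovered From: PC1"
ARS_BODY_HIT = b"hwid=abc&version=100%5F200%5F&os=7"
ARS_BODY_MISS = b"hwid=abc&version=1.0.2&os=7"

if __name__ == "__main__":
    print(agenttesla_smtp_match(SMTP_HIT), agenttesla_smtp_match(SMTP_TOO_FAR))
    print(ars_gate_match(b"/gate.php", b"Host: c2.example.test", ARS_BODY_HIT),
          ars_gate_match(b"/gate.php", b"Host: c2.example.test", ARS_BODY_MISS))
```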