Snort mailing list archives

Re: Multiple signatures 017


From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Mon, 5 Nov 2018 16:00:24 -0500

On Mon, Nov 5, 2018 at 12:28 PM Y M via Snort-sigs
<snort-sigs () lists snort org> wrote:

Hi,

You folks beat me to the octopus sigs! Pcaps and Yara/ClamAV signatures for the majority of the cases below are available.

Have a good week!
YM

# --------------------
# Date: 2018-10-27
# Title: New TeleBots backdoor: First evidence linking Industroyer to NotPetya
# Reference: Triage from: https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/
# Tests: syntax only
# Yara:
#   - MALWARE_Linux_Backdoor_Exaramel
#   - MALWARE_Win_Backdoor_Exaramel
# ClamAV:
#   - MALWARE_Linux.Backdoor.Exaramel
#   - MALWARE_Win.Backdoor.Exaramel
# Hashes:
#   - Linux: c39b4105e1b9da1a9cccb1dace730b1c146496c591ce0927fb035d48e9cb5c0f
#   - Windows: 2f12fd3fb35f8690eea80dd48de98660c55df7f5c26b49d0cc82aaf3635b0c7a
# Notes:
#   - C&C is over TOR/HTTPS, and domains are unique so we tag on DNS.

alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC DNS request to known malicious domain - Backdoor.Exaramel"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|um10eset|03|net"; fast_pattern:only; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000386; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC DNS request to known malicious domain - Backdoor.Exaramel"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|esetsmart|03|org"; fast_pattern:only; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000387; rev:1;)

# --------------------
# Date: 2018-10-27
# Title: The wolf in sheep's clothing - undressed
# Reference: Triage from:
#   - https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf
#   - https://pastebin.com/nwyggzcG
# Tests: syntax only
# Yara:
#   - MALWARE_Win_Trojan_W1
#   - MALWARE_Andr_Trojan_SpyCall
# ClamAV:
#   - MALWARE_Win.Trojan.W1
#   - MALWARE_Andr.Trojan.SpyCall
# Hashes:
#   - Windows:
#   - Android:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.SpyCall outbound connection"; flow:to_server,established; content:"/mobileIpInfo"; fast_pattern:only; http_uri; content:"device_id="; http_client_body; content:"&upload_datatime="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000388; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.SpyCall outbound connection"; flow:to_server,established; content:"/deviceStatus?"; fast_pattern:only; http_uri; content:"total_space="; http_uri; content:"&battery_status="; http_uri; content:"&uuid="; http_uri; content:"&space_available="; http_uri; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000389; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.SpyCall outbound connection"; flow:to_server,established; content:"/deviceInfo"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&data="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000390; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.SpyCall outbound connection"; flow:to_server,established; content:"/wifiInfo"; fast_pattern:only; http_uri; content:"data="; http_client_body; content:"&device_id="; http_client_body; content:"&upload_datatime="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000391; rev:1;)

# --------------------
# Date: 2018-10-30
# Title: VestaCP compromised in a new supply-chain attack
# Reference: Triage from: https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/
# Tests: syntax only
# Yara:
#   - MALWARE_Linux_Trojan_ChaChaDDoS
# ClamAV:
#   - MALWARE_Linux.Trojan.ChaChaDDoS
# Hashes:
#   - fba737436bdbf1461b3092b79fea0770302aeaed79389eb60b5c45c3bfc9f693
#   - 90c7789444442b1d660c85bf6aedeb78d5a8448cb15f9c8b1e946e24a7a2ced1
#   - 5486da1345850f9074802c1f68833bfa63835aadd7fe649f8f424e359846438f

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.ChaChaDDoS outbound connection"; flow:to_server,established; content:"TE: trailers"; fast_pattern:only; http_header; content:"Connection: close, TE|0D 0A|"; http_header; content:"macaddresss="; http_client_body; content:"&device="; http_client_body; content:"&type="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000393; rev:1;)

# --------------------
# Date: 2018-11-01
# Title: Paleontology: The Unknown Origins of Lazarus Malware
# Reference: Triage from: https://www.intezer.com/paleontology-the-unknown-origins-of-lazarus-malware/
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_CasperTroy
# ClamAV:
#   - MALWARE_Win.Trojan.CasperTroy
# Hashes:
#   - 458ffcc41959599f8dab1fd4366c9a50efefa376e42971c4a436aa7fd697a396
#   - d1cf03fbcb6471d44b914c2720821582fb3dd81cb543f325b2780a5e95046395
#   - 926a2e8c2baa90d504d48c0d50ca73e0f400d565ee6e07ad6dafdd0d7b948b0e
#   - c62ec66e45098d2c41bfd7a674a5f76248cf4954225c2d3a2cfcd023daa93522
#   - ec73fe2ecc2e0425e4aeb1f01581b50c5b1f8e85475c20ea409de798e6469608

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CasperTroy outbound connection"; flow:to_server,established; content:"/write_ok.php"; fast_pattern:only; content:"|3B| name=|22|image|22|"; http_client_body; content:"|3B| name=|22|PHP_SESS_ID|22|"; http_client_body; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000394; rev:1;)

# --------------------
# Date: 2018-10-30
# Title: Obfuscated CVE-2017-11882 RTFs
# Reference: Research
# Tests: pcap (f2p)
# Yara:
#   - FILE_OFFICE_RTF_CVE_2017_11882_Obf1
# ClamAV:
#   - FILE_OFFICE.RTF.CVE_2017_11882-Obf1
# Hashes:
#   - 435c008f237fc813012fde304f6ebfae1bff52983a8f9883725be4a7859b7604
#   - 6a0c1e962f7776b33cf7ea434b3291a72a7656b7d8fa52f1aa919c2877c476b0
#   - 75f74810d00e2e483f55097d8ea85a5b6c8120653b208627f42e623e67bab7a2
#   - adb6c1460b90340a3939f78ddc1f9dd2c3d53c45025b9dbe6d553cda2a11bcca
# Notes:
#   - Drops stuff from Bit.ly:
#     - hxxp://bit[.]ly/2MCgjQ3
#     - hxxp://bit[.]ly/2xwfwdO
#     - hxxp://bit[.]ly/2MDaLVp
#     - hxxp://bit[.]ly/2MCTonI

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Equation Editor RTF remote shell download/execution attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; content:"6551754174496F4E2E33"; nocase; fast_pattern:only; content:"4C6F61644C696272617279"; nocase; content:"55524C446F776E6C6F6164546F46696C65"; nocase; distance:0; content:"5368656C6C45786563757465"; nocase; distance:0; metadata:ruleset community, service smtp; reference:cve,2017-11882; classtype:attempted-user; sid:8000392; rev:1;)

# --------------------
# Date: 2018-11-01
# Title: opendir with different malware families
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Keylogger_AutoIt_Dropper_PAK
#   - MALWARE_Win_Keylogger_AutoIt_Dropper_UNPAK
#   - MALWARE_Win_Keylogger_AgentTesla_Raw
#   - MALWARE_Win_Trojan_FormBook_VAR
# ClamAV:
#   - MALWARE_Win_Keylogger_AutoIt_Dropper
#   - MALWARE_Win_Keylogger_AgentTesla_Raw
#   - MALWARE_Win_Trojan_FormBook_VAR
# Hashes:
#   - AutoIt (Unpacked):
#   - AgentTesla:
#     - 692f007b9d03f7edc4c966180ce8bdfadc907660748c9b2f41c2050cf98117b2
#     - 7053ab67fe41285a3d14939fc48951667e22fa8f5889d479145cd2e34c52a5a1
#   - FormBook:
#     - 5fd356d494c6d628e67932a02b981c73c9d2835a95d35a7c7b9b9669ad8525c8
#     - dc752377ff7837cb30c747da01a60622aa5147cb87c91a63053c721864e109d9
#     - eb74f48ad128d469e9865cefeec2abb0c150d77bee7c0b30fb0e188f878dea97
# Notes:
#   - Previous SIDs 8000207 and 8000382 trigger on AgentTesla traffic.
#   - Previous SID 8000225 triggers on FormBook traffic.
#   - Keylogger AutoIt drops PWS LaZagne, Yara TOOL_PWS_LaZagne is still valid,
#     C&C over smtps.
#   - opendir and sample keylogs screenshot attached.
#   - opendir still alive and changing binaries.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE suspicious AutoIt outbound connection attempt"; flow:to_server,established; urilen:<20; content:"User-Agent: AutoIt|0D 0A|"; fast_pattern:only; http_header; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000395; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PWS LaZagne tool download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"LaZagne"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000396; rev:1;)

# --------------------
# Date: 2018-11-02
# Title: Win.Trojan.Backnet
# Reference: Triage from: https://twitter.com/thor_scanner/status/1058345481401708545
# Tests: pcap
# Yara:
#   - MALWARE_Win_Trojan_Backnet
#   - FILE_OFFICE_PUB_MSIEXEC_Remote
# ClamAV:
#   - MALWARE_Win.Trojan.Backnet
#   - FILE_OFFICE.PUB.MSIEXEC_Remote
# Hashes:
#   - Pub docs:
#     - 07668be9095b8818c8a59b4c7dc201b21c985ab831c2a1f784c0b236657e8fda
#     - 09225b1adb8e07f293d97f7015cc95322043d4cc2e1cc9b1a4d5418afe319d72
#     - 0eb1d233dd748cdbc5ee0a16812bf754de23347ea92340174ce0a06247feafa2
#     - 13c7e4150d97b4b6b23fc7875cae60ead3a06ce95750421622c6b821f5bcde7a
#   - Backnet:
#     - 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc
# Notes:
#   - Both SIDs are for the same detection but one does not rely on uri.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Backnet variant outbound connection"; flow:to_server,established; content:"/backnet/"; nocase; fast_pattern:only; http_uri; content:"data="; http_client_body; content:"host_key"; distance:0; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000397; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Backnet variant outbound connection"; flow:to_server,established; content:"data="; http_client_body; content:"host_key"; distance:0; http_client_body; content:"name"; distance:0; http_client_body; fast_pattern; content:"Expect:"; http_header; content:!"User-Agent"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000398; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE MSI outbound connection to short URL"; flow:to_server,established; flowbits:isset,file.pub|file.doc; urilen:<10; content:"User-Agent: Windows Installer|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000399; rev:1;)

alert tcp any any -> any 25 (msg:"FILE-OFFICE Microsoft Office Publisher file with msiexec and wscript execution"; flow:to_server,established; flowbits:isset,file.pub; file_data; content:"msiexec.exe"; nocase; fast_pattern:only; content:"WScript.Shell"; nocase; distance:0; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000400; rev:1;)

Hi Yaser,

Thanks so much for the latest batch of goodness.  We'd appreciate any
pcaps, etc you'd be willing to share!  Thanks again!

-- 
Marcos Rodriguez
Cisco Talos
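To make explicit what the two Exaramel DNS rules in the quoted post (sids 8000386 and 8000387) actually key on, the following Python model mirrors their byte_test and content logic over a constructed DNS query. This is added example code, not part of the post or of any Snort/Talos ruleset; the function names (encode_qname, build_query, snort_bytes, rule_matches) are my own.

```python
import struct

# Added example: models the DNS checks in sids 8000386/8000387.
# The query packets below are constructed locally, not captured traffic.

def encode_qname(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels: length byte, label, ..., 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Build a minimal DNS message: 12-byte header plus one A/IN question.
    flags=0x0100 is a standard recursive query; 0x8180 is a typical response."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)

def snort_bytes(pattern: str) -> bytes:
    """Expand Snort content syntax such as '|08|um10eset|03|net' into raw bytes.
    Text between pipes is hex; everything else is literal."""
    out = b""
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

# The two content patterns from the rules: length-prefixed labels, so they
# match the domain as it appears on the wire, not as dotted text.
EXARAMEL_PATTERNS = [snort_bytes("|08|um10eset|03|net"),
                     snort_bytes("|09|esetsmart|03|org")]

def rule_matches(payload: bytes) -> bool:
    """byte_test:1,!&,0xF8,2 reads the byte at offset 2 (QR, Opcode, AA, TC, RD bits)
    and requires none of the 0xF8 bits (QR and Opcode) to be set, i.e. a standard
    query rather than a response or inverse/status query; then a content match."""
    if len(payload) < 12 or payload[2] & 0xF8:
        return False
    return any(p in payload for p in EXARAMEL_PATTERNS)
```

Because the patterns carry no trailing |00|, a subdomain lookup such as mail.esetsmart.org still matches, which is what a DNS-based tag on an unusual apex domain wants.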
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
