Snort mailing list archives

Multiple signatures 018


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 15 Nov 2018 14:11:59 +0000

Hi,

Pcaps and Yara/ClamAV signatures are available for the majority of the below cases.

Thank you.
YM

# --------------------
# Date: 2018-11-07
# Title: Inside VSSDestroy Ransomware
# Reference: Triage from: https://threatvector.cylance.com/en_us/home/threat-spotlight-inside-vssdestroy-ransomware.html
# Tests: pcap
# Yara:
#   - MALWARE_Win_Ransomware_VSSDestroy_VAR
# ClamAV:
#   - MALWARE_Win.Ransomware.VSSDestroy-VAR
# Hashes:
#   - 193697be39290126d24363482627ff49ad7ff76ad12bbac43f53c0a3a614db5d
#   - 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95
#   - 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53
#   - d0c7b512610a1a206dbf4b4d8c352a26a26978abe8b5d0d3255f0b02196482a1
# Notes:
#   - The IP check is observed with and without a User-Agent and the domain may change.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.VSSDestroy variant post-infection outbound connection"; flow:to_server,established; content:"/addrecord.php?"; fast_pattern:only; http_uri; content:"apikey="; http_uri; content:"&compuser="; http_uri; content:"&sid="; http_uri; content:"&phase="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000401; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE User-Agent associated with external IP address check detected"; flow:to_server,established; content:"User-Agent: IP retriever"; nocase; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000402; rev:1;)

# --------------------
# Date: 2018-11-08
# Title: DarkPulsar
# Reference: https://securelist.com/darkpulsar/88199/
# Tests: syntax only
# Yara: NA
# ClamAV: NA
# Hashes: 96f10cfa6ba24c9ecd08aa6d37993fe4 (lab generated?)

alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-CNC Win.Trojan.Doublepulsar variant successful connection"; flow:to_server,established; flowbits:isset,smb.trans2.mid65|smb.trans2.mid66; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|40 00|"; within:2; distance:21; content:"|04 D6 47 33 4B AB 5E 08 4A 7D 1D 3B 72 8C 7D 91 00|"; within:17; distance:27; flowbits:set,smb.trans2.mid66; metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:8000403; rev:1;)

# --------------------
# Date: 2018-11-09
# Title: Malware Targeting Brazil Uses Legitimate Windows Components WMI and CertUtil as Part of its Routine
# Reference: Triage from:
#   - https://blog.trendmicro.com/trendlabs-security-intelligence/malware-targeting-brazil-uses-legitimate-windows-components-wmi-and-certutil-as-part-of-its-routine/
#   - http://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
# Tests: pcap
# Yara:
#   - MALWARE_Win_LNK_Downloader_VAR1
#   - MALWARE_Win_Trojan_Guildma_DLL_Main
#   - MALWARE_Win_Trojan_Guildma_DLL_Module_1
#   - MALWARE_Win_Trojan_Guildma_DLL_Module_2
#   - MALWARE_Win_Trojan_Guildma_DLL_Module_3
# ClamAV:
#   - MALWARE_Win.LNK.Downloader-VAR1-RAW
#   - MALWARE_Win.LNK.Downloader-VAR1-CON
#   - MALWARE_Win.Trojan.Guildma_DLL_Main
#   - MALWARE_Win.Trojan.Guildma_DLL_Module_1
#   - MALWARE_Win.Trojan.Guildma_DLL_Module_2
#   - MALWARE_Win.Trojan.Guildma_DLL_Module_3
# Hashes:
#   - LNKs:
#   - Guildma DLLs (unpacked):
# Notes:
#   - Added 25029, 25056, 25089, etc to stream5 and http_inspect
#   - The "/v131" seems consistent but may change, ex.: the preceding
#     "/03/" to "/09".
#   - Additional module(s) may exist, but were not sig'ed.
#   - Banking trojan targeting Brazil, uses LNKs and DLLs, uses image file
#     extensions for downloads, similarities to Metamorfo campaign?

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.LNK.Downloader variant initial outbound connection"; flow:to_server,established; urilen:<25; content:"/v"; http_uri; content:".xsl?"; distance:3; http_uri; content:".xsl"; within:15; http_uri; content:!"Content"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000404; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Guildma plugin request outbound connection"; flow:to_server,established; urilen:<40; content:".zip?"; http_uri; content:"User-Agent: Microsoft BITS/"; http_header; fast_pattern:only; content:!"Content"; http_header; content:!"Referer"; http_header; pcre:"/\.(jpg|gif|dll)\.zip\x3f[0-9]{9}/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000405; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Guildma plugin request outbound connection"; flow:to_server,established; urilen:<40; content:".zip?"; http_uri; content:"User-Agent: CertUtil URL Agent"; http_header; fast_pattern:only; content:!"Content"; http_header; content:!"Referer"; http_header; pcre:"/\.(jpg|gif|dll)\.zip\x3f[0-9]{9}/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000406; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Guildma plugin request outbound connection"; flow:to_server,established; urilen:<40; content:".zip?"; http_uri; content:"User-Agent: Microsoft-CryptoAPI/"; http_header; fast_pattern:only; content:!"Content"; http_header; content:!"Referer"; http_header; pcre:"/\.(jpg|gif|dll)\.zip\x3f[0-9]{9}/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000407; rev:1;)

alert tcp any any -> any 25 (msg:"MALWARE-OTHER Win.LNK.Downloader variant file via SMTP"; flow:to_server,established; flowbits:isset,file.lnk; file_data; content:"W|00|M|00|I|00|C|00|.|00|e|00|x|00|e"; nocase; fast_pattern:only; content:"g|00|e|00|t|00 20 00|/|00|f|00|o|00|r|00|m|00|a|00|t|00|:"; distance:0; content:"|22 00|h|00|t|00|t|00|p"; distance:0; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000408; rev:1;)

# --------------------
# Date: 2018-11-11
# Title: Win.Trojan.Emotet variant
# Reference: Research
# Tests: pcap
# Yara:
#   - MALWARE_Pdf_Dropper_Emotet
#   - MALWARE_Doc_Dropper_Emotet
# ClamAV:
#   - MALWARE_Pdf.Dropper.Emotet
#   - MALWARE_Doc.Dropper.Emotet
# Hashes:
#   - PDFs:
#     - 39e69a23fc772b1fd07dbb6a4832980f19b2f053f4b8586da1e258652b0ed24e
#     - bc1bab82efb24da0bea2425eb5357dd81f93bfa3cfbb8898f2b5e978a09026ad
#   - Docs:
#     - 65e4c3c3407f22722aeb6b0e477027e01aa381d83209f713b48f8b4f738528f9
#   - EXEs:
#     - ebecb74b4fc9dd33d0fbea870741ea8e7d02f98de8ef5da3490716aa4976238b
# Notes:
#   - Flow: SMTP > Pdf with link > HTTP (link) > Doc with pwsh > HTTP (pwsh) > Exe > HTTP (exe) C&C.
#   - Need more samples to confirm Yara/ClamAV detection/behavior.
#   - C&C appear to be more consistent across samples than files.
#   - Emotet C&C was published in last advisory, so removing from here.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Emotet IP address check attempt"; flow:to_server,established; urilen:11; content:"/whoami.php"; fast_pattern:only; http_uri; content:" MSIE "; http_header; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; content:!"Content"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000410; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Emotet payload request outbound connection"; flow:to_server,established; urilen:<15; content:"/wp-content/"; http_uri; content:!"User-Agent"; http_header; content:!"Content"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:!"Connection"; http_header; pcre:"/\/wp-content\/[A-Z]/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000411; rev:1;)

# --------------------
# Date: 2018-11-11
# Title: Malware “WellMess” Targeting Linux and Windows
# Reference: Triage from: https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html
# Tests: syntax only
# Yara:
#   - MALWARE_Win_Trojan_WellMess_DotNet
#   - MALWARE_Win_Trojan_WellMess_GoLang
#   - MALWARE_Elf_Trojan_WellMess_GoLang
# ClamAV:
#   - MALWARE_Win.Trojan.WellMess_DotNet
#   - MALWARE_Win.Trojan.WellMess_GoLang
#   - MALWARE_Elf.Trojan.WellMess_GoLang
# Hashes:
#   - 0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193
#   - bec1981e422c1e01c14511d384a33c9bcc66456c1274bbbac073da825a3f537d
#   - 2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41
# Notes:
#   - Additional samples were found, but not visible :(
#   - This is probably the worst sig ever, just in case your eyes hurt.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan.WellMess outbound connection attempt"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"Cookie"; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:"Expect: 100-Continue"; http_header; content:"Accept-Encoding: deflate|0D 0A|"; http_header; content:!"Referer"; http_header; content:!"="; within:20; http_client_body; pcre:"/[A-Za-z0-9\.\x20\x2c\x2a].*/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000413; rev:1;)

# --------------------
# Date: 2018-11-15
# Title: Opendir, LegacyDrawing_AutoLoad: Win.Trojan.Stimilina / Win.Ransomware.Delf-6651871-0 / AZORult
# Reference: Research
# Tests: pcaps
# Yara:
#   - FILE_OFFICE_OLE_Dropper_CVE_2017_11882
#   - FILE_OFFICE_Doc_Dropper_LegacyDrawing_AutoLoad
#   - MALWARE_Win_Trojan_Stimilina
# ClamAV:
#   - FILE_OFFICE_OLE.Dropper.CVE_2017_11882
#   - FILE_OFFICE_Doc.Dropper.LegacyDrawing_AutoLoad
# Hashes:
#   - Dropper:
#     - b9d8a288dd9fd62fb2354854a3cd80e55d988ea0ea434d4adc249bb5d59c71f3
#   - Binaries:
# Notes:
#   - Never seen the dropper technique before, though similar to Remote Template,
#     combined with CVE-2017-11882.
#   - Fetches configuration from C&C server in base64 format at the end.
#   - All binaries uploaded to VT, HA, and AA. Opendir screenshot attached.
#   - More eyes-hurting signatures :).

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Stimilina variant outbound connection"; flow:to_server,established; urilen:<30; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.1)|0D 0A|"; http_header; content:"|2F|"; offset:1; depth:1; fast_pattern; http_client_body; content:"POST"; http_method; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/\x2f(\xfa|\xfb)*/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000414; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Stimilina variant config retrieval inbound connection"; flow:to_client,established; file_data; content:"</n><d>"; content:"</d>"; distance:0; pcre:"/<\/n><d>[A-Za-z0-9+=]+<\/d>/"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000415; rev:1;)

# --------------------
# Date: 2018-11-15
# Title: XpertRAT
# Reference: Research
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes:
#   - Droppers:
#   - Binaries:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.XpertRAT inbound connection"; flow:to_client,established; dsize:<12; content:"|7C 30 7C A1 40 23 40 21|"; offset:3; depth:8; fast_pattern; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000416; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.XpertRAT outbound connection"; flow:to_server,established; dsize:10; content:"|7C|root|7C|"; offset:3; depth:6; fast_pattern; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000417; rev:1;)
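Added example, not part of YM's post or the Snort ruleset: the shared logic of the three Guildma plugin-request rules above (sids 8000405, 8000406 and 8000407, which differ only in the expected User-Agent) re-expressed as a Python matcher and run over constructed sample requests, so the effect of each constraint (urilen, negated Content/Referer headers, the nine-digit cache-buster in the pcre) can be checked without a sensor. The host names and paths in the samples are placeholders.

```python
import re

# Constructed sample requests (not captures from the post); host names and
# paths are placeholders, only the request shape follows the rules.
GUILDMA_PLUGIN_REQUEST = (
    b"GET /09/v131/module.jpg.zip?123456789 HTTP/1.1\r\n"
    b"Host: cdn.example.invalid\r\n"
    b"User-Agent: Microsoft BITS/7.8\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
BROWSER_ZIP_DOWNLOAD = (
    b"GET /files/pack.jpg.zip?123456789 HTTP/1.1\r\n"
    b"Host: cdn.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Referer: http://cdn.example.invalid/\r\n\r\n"
)

# User-Agent header contents from sids 8000405, 8000406 and 8000407.
GUILDMA_AGENTS = {
    8000405: "User-Agent: Microsoft BITS/",
    8000406: "User-Agent: CertUtil URL Agent",
    8000407: "User-Agent: Microsoft-CryptoAPI/",
}
# Python form of pcre:"/\.(jpg|gif|dll)\.zip\x3f[0-9]{9}/U" (\x3f is '?').
PLUGIN_URI_RE = re.compile(r"\.(jpg|gif|dll)\.zip\?[0-9]{9}")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, raw header block)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.decode("latin-1").partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, header_block


def guildma_plugin_sid(raw: bytes):
    """Return the sid of the matching Guildma plugin-request rule, or None."""
    _method, uri, headers = parse_request(raw)
    # urilen:<40 and content:".zip?"; http_uri
    if len(uri) >= 40 or ".zip?" not in uri:
        return None
    # content:!"Content" and content:!"Referer" on the header buffer; the
    # rules have no nocase, so the check is case-sensitive here as well.
    if "Content" in headers or "Referer" in headers:
        return None
    # The pcre is what ties the download to the nine-digit cache-buster.
    if not PLUGIN_URI_RE.search(uri):
        return None
    for sid, agent in GUILDMA_AGENTS.items():
        if agent in headers:
            return sid
    return None
```

The browser-style sample fails only on the Referer header, which shows why the negated header checks carry most of the false-positive control in these rules.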
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
