
Multiple signature 020


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 1 Jan 2019 13:30:55 +0000

Hello,

Here is a new set of Snort signatures. Pcaps and Yara/ClamAV rules are also available for all cases.

Thank you and happy holidays/new year.
YM

# --------------------
# Date: 2018-11-28
# Title: Fake Flash updates propagating cryptocurrency mining
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_ExpressCMS
# ClamAV:
#   - MALWARE_Win.Trojan.ExpressCMS
# Hashes:
#   - 08486e2639cbd7f21416ce17db1fd0edffaa3c521dd8458123b60f9ba4bfe74f
#   - fdf8147843781e43ae4781e62ef65126920c3b38c4736687d5f41b8fac9f6471
# Note:
#   - Yara/ClamAV signatures focus less on mining functionality.
#   - Newly observed URL:
#     - 95[.]163[.]180[.]206/flashplayer_down[.]php?clickid=[a-z0-9]{16}
#     - 95[.]163[.]208[.]11/flashplayer_down[.]php?clickid=[a-z0-9]{16}
#   - The rules below key on URI/header content only and do not pin the
#     two IPs above, so they are not tied to that infrastructure.

# Fake Flash Player download: "/flashplayer_down.php?" is the fast pattern and
# "clickid=" must immediately follow it (distance:0) in the same URI buffer.
# NOTE(review): the observed clickid values are [a-z0-9]{16}; a pcre on the
# URI buffer could enforce that if false positives appear.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Fake Flash Player download attempt"; flow:to_server,established; content:"/flashplayer_down.php?"; fast_pattern:only; http_uri; content:"clickid="; distance:0; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000425; rev:1;)

# ExpressCMS check-in variants keyed on the "/click.php?" query parameters.
# NOTE(review): "cnv_id=" and "key=...id=" look like generic affiliate /
# click-tracking parameter names; expect some benign ad-network traffic to
# match these two, so tune or pair with the header rules below if noisy.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExpressCMS outbound connection attempt"; flow:to_server,established; content:"/click.php?cnv_id="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000426; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExpressCMS outbound connection attempt"; flow:to_server,established; content:"/click.php?key="; fast_pattern:only; http_uri; content:"id="; within:15; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000427; rev:1;)

# Hard-coded User-Agent "jdlnb" terminated by CRLF - low false-positive risk.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExpressCMS outbound connection attempt"; flow:to_server,established; content:"User-Agent: jdlnb|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000428; rev:1;)

# Non-standard request header "Gkjfdshfkjjd: dsdjdsjdhv" - low false-positive risk.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExpressCMS outbound connection attempt"; flow:to_server,established; content:"Gkjfdshfkjjd: dsdjdsjdhv"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000429; rev:1;)

# --------------------
# Date: 2018-11-29
# Title: Sofacy, APT28
# Reference: Triage from:
#   - http://malware.prevenity.com/2018/11/spear-phishing-attack-on-gov-in-poland.html
#   - https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/
#   - https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_Zebrocy
# ClamAV:
#   - MALWARE_Doc.Dropper.RemotTempalteH
#   - MALWARE_Doc.Dropper.RemotTempalteF
# Hashes:
#   - 1851d96696d3db565c028e7fb5164d7c8428973b939b9e6185dd573e7408b194
#   - 2b19497db8cb05cd3d22996efe5af8eac0f2ea51e80f606b7b8a79dfaa2f58e2
#   - 34bdb5b364358a07f598da4d26b30bac37e139a7dc2b9914debb3a16311f3ded
#   - 77ff53211bd994293400cb3f93e3d3df6754d8d477cb76f52221704adebad83a
#   - dcbc770aeea8ad4c3f45b89535b4cb3592d6c627d6cf92ec7dfe2f8b41cda998
#   - ed8f52cdfc5f4c4be95a6b2e935661e00b50324bee5fe8974599743ccfd8daba

# Zekapab C2 check-in keyed on the full request path in the URI buffer.
# The path is specific enough to stand alone as the fast pattern, but it is
# also the element most likely to change between campaigns; the Yara/ClamAV
# entries above cover the dropper documents that the network rule cannot see.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zekapab outbound connection"; flow:to_server,established; content:"/company-device-support/values/correlate-sec.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000430; rev:1;)

# --------------------
# Date: 2018-11-29
# Title: Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups
# Reference: Triage from:
#   - https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/
#   - https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan
# Tests: pcap
# Yara:
#   - MALWARE_Win_Trojan_BitterRAT
# ClamAV:
#   - MALWARE_Win.Trojan.BitterRAT
# Hashes:
#   - 121a0e5e66cc7bdc78387b2e67222eb0349ca038e5aced3ed0eccb167106a40e
#   - 705487b3deaf5f2ffa3240208044015e836cf4b32ef817154e23cb9f5859993f
#   - f5afe24061226630faa0f1a125e011819627cee3254060bdf2691bad65ff1d1c
# Notes:
#   - Win.Trojan.BitterRAT snort rules were submitted
#     on 2018-02-02, resubmitting with modifications.
#   - It is interesting that there are cases of
#     BitterRAT targeting Pakistan since 2016.

# BitterRAT beacons: the query-parameter names (".php?TIe=", ".php?cId=") are
# short, so the specificity comes from the header profile - an explicit
# "Connection: close" plus the ABSENCE of User-Agent, Accept and Referer
# (content:! on http_header). Ordinary browser traffic carries at least a
# User-Agent and so is excluded; keep the three negated matches if tuning.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:".php?TIe="; fast_pattern:only; http_uri; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000431; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:".php?cId="; fast_pattern:only; http_uri; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000432; rev:1;)

# Server response: "#<CRLF>SIZE: #" near the start of the response body.
# NOTE(review): within:30 is the first match in the file_data buffer, so it
# has no preceding content to be relative to; presumably it is meant to bound
# the match to the first 30 bytes of the body (depth-like) - confirm against
# the pcap, and use depth:30 if that is the intent.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant inbound connection"; flow:to_client,established; file_data; content:"#|0D 0A|SIZE: #"; within:30; fast_pattern; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000433; rev:1;)

# --------------------
# Date: 2018-11-29
# Title: TechyUtils at it again - APMHelper
# Reference: Research
# Tests: pcaps, live, sandbox
# Yara:
#   - MALWARE_Osx_Trojan_TechyUtils
# ClamAV:
#   - MALWARE_Osx.Trojan.TechyUtils
# Hashes:
#   - 03663482197053dafb75fb15b9b2f0e93ef3d2237d96da37ad0ce484eb8bc2e9
#   - 444d85360e6cf24b9808bab627b69cbdc82dc6d6471e1785e4046d355cee1ad2
#   - 9d5c291aae4dbe0925627484712207fc165cbe36a649cff7e3346164ad1c1406
#   - cf00d0789911e58cf1d6fcdb1da64dfe7b0b91c1737b6ad0369a9a968dab214a
# URLs:
#   - hxxp://cdn[.]advancedpasswordmanager[.]com/apm/update/APMHelper.zip

# Custom User-Agent "APMHelper/" - specific, low false-positive risk.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.APMHelper outbound connection"; flow:to_server,established; content:"User-Agent: APMHelper/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000434; rev:1;)

# First post-install call: fixed service path plus "Darwin" somewhere in the
# request headers (presumably the User-Agent) to restrict to macOS clients.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.TechyUtils initial post-installation connection"; flow:to_server,established; content:"/productprice.svc/GetCountryCode"; fast_pattern:only; http_uri; content:"Darwin"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000435; rev:1;)

# NOTE(review): this one is loose. "/prefs/" and ".plist" are both plain
# URI matches with no distance/within between them, so any macOS HTTP client
# fetching a .plist from a path that also contains "/prefs/" will fire it.
# If the pcaps show a fixed path or filename, pin it; otherwise expect
# benign hits and consider lowering the priority.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.TechyUtils plist retrieval connection"; flow:to_server,established; content:"/prefs/"; http_uri; content:".plist"; http_uri; fast_pattern; content:"Darwin"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000436; rev:1;)

# --------------------
# Date: 2018-11-29
# Title: Middle East Cyber-Espionage
# Reference:
#   - https://objective-see.com/blog/blog_0x3B.html
#   - https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf
# Tests: pcaps
# Yara:
#   - MALWARE_Osx_Trojan_WindTail
# ClamAV:
#   - MALWARE_Osx.Trojan.WindTail
# Hashes:
#   - 03663482197053dafb75fb15b9b2f0e93ef3d2237d96da37ad0ce484eb8bc2e9
#   - 444d85360e6cf24b9808bab627b69cbdc82dc6d6471e1785e4046d355cee1ad2
#   - 9d5c291aae4dbe0925627484712207fc165cbe36a649cff7e3346164ad1c1406
#   - cf00d0789911e58cf1d6fcdb1da64dfe7b0b91c1737b6ad0369a9a968dab214a
# NOTE(review): the four hashes above are identical to the TechyUtils /
# APMHelper entry dated 2018-11-29 earlier in this submission. That looks
# like a copy-paste error - confirm the WindTail sample hashes against the
# Yara/ClamAV submission before relying on them.

# WindTail check-in: ".php?very=" is the fast pattern and "&xnvk=" must also
# appear in the URI (no positional constraint between them).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection attempt"; flow:to_server,established; content:".php?very="; fast_pattern:only; http_uri; content:"&xnvk="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000437; rev:1;)

# Custom User-Agent "usrnode/" plus a "Darwin/" token elsewhere in the headers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection attempt"; flow:to_server,established; content:"User-Agent: usrnode/"; fast_pattern:only; http_header; content:"Darwin/"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000438; rev:1;)

# --------------------
# Date: 2018-12-30
# Title: Bug in Malware "TSCookie" - Fails to Read Configuration
# Reference: https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_TSCookie_VAR1
# ClamAV:
#   - MALWARE_Win.Trojan.TSCookie_VAR1
# Hashes:
# NOTE(review): no hashes are listed for this entry - add the sample hashes
# or drop the heading so the entry is consistent with the others.
# Notes:
#   - Last URL query string appears to change.

# TSCookie beacon to destination port 443. Every content here is a RAW
# payload match (no http_uri/http_header modifiers), so the rule only fires
# when the traffic on 443 is cleartext HTTP as in the pcaps; a TLS-wrapped
# variant would not be visible to it. ".aspx?m=" must fall within 20 bytes
# of "POST /t", and the fixed MSIE 8.0 User-Agent string does the rest.
# NOTE(review): metadata says "service http" while the header is pinned to
# port 443 - confirm HTTP inspection is enabled for 443 in the target
# configuration, otherwise consider $HTTP_PORTS plus the service metadata.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.TSCookie variant outbound connection attempt"; flow:to_server,established; content:"POST /t"; content:".aspx?m="; within:20; fast_pattern; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000439; rev:1;)

# --------------------
# Date: 2019-01-01
# Title: Sofacy Creates New 'Go' Variant of Zebrocy Tool
# Reference: https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_Zebrocy_GO_Tools
#   - MALWARE_Doc_IO_Suspicious
# ClamAV:
#   - MALWARE_Win.Trojan.Zebrocy_GOVAR1
#   - MALWARE_Win.Trojan.Zebrocy_GOVAR2
#   - MALWARE_Doc.Dropper.RemotTempalteH
# Hashes:
#   - 15a866c3c18046022a810aa97eaf2e20f942b8293b9cb6b4d5fb7746242c25b7
#   - f868e88eb2524d15cfcd87afdf697074e0f9785792f342044501347dce549a1f
#   - 04bd6c3d9fa30b4d9410b89ba44c9e29aab22a1345115e8eef9cddc86d1eea25
#   - 346e5dc097b8653842b5b4acfad21e223b7fca976fb82b8c10d9fa4f3747dfa0

# NOTE(review): in sids 8000440, 8000441 and 8000442 the request-path
# content is a raw payload match (no http_uri after it), unlike every other
# URI rule in this submission. That matches the same string anywhere in the
# request, including a POST body. Adding `http_uri;` after each
# `fast_pattern:only;` makes them consistent and keeps the match in the
# normalised URI buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection attempt"; flow:to_server,established; content:"/advance/portable_version/service.php"; fast_pattern:only; content:"project="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000440; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection attempt"; flow:to_server,established; content:"/technet-support/library/online-service-description.php"; fast_pattern:only; content:"id_name="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000441; rev:1;)

# Presumably the remote-template fetch by the dropper document (cf. the
# Doc.Dropper.RemotTempalteH ClamAV entry above) rather than the Go payload
# itself - confirm; the msg text says "Zebrocy variant" either way.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection attempt"; flow:to_server,established; content:"/Templates/NormalOld.dotm"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000442; rev:1;)

# Path-independent catch-all for the Go build: POST to "/" with a "Go-"
# User-Agent prefix, "project=" in the body and no Connection header.
# NOTE(review): "Go-" is also the prefix of the default Go net/http client
# User-Agent, so any Go tool POSTing form data to the site root can match;
# the missing-Connection-header check narrows it but does not rule that out.
# Watch this sid's hit rate before trusting it on its own.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection attempt"; flow:to_server,established; content:"POST / HTTP/1.1"; content:"User-Agent: Go-"; http_header; content:"project="; http_client_body; content:!"Connection"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000443; rev:1;)