Multiple signature 020
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 1 Jan 2019 13:30:55 +0000
Hello, Here is a new set of Snort signatures. Pcaps and Yara/ClamAV rules are also available for all cases. Thank you and happy holidays/new year. YM
# --------------------
# Date: 2018-11-28
# Title: Fake Flash updates propagating cryptocurrency mining
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_ExpressCMS
# ClamAV:
# - MALWARE_Win.Trojan.ExpressCMS
# Hashes:
# - 08486e2639cbd7f21416ce17db1fd0edffaa3c521dd8458123b60f9ba4bfe74f
# - fdf8147843781e43ae4781e62ef65126920c3b38c4736687d5f41b8fac9f6471
# Note:
# - Yara/ClamAV signatures focus less on mining functionality.
# - Newly observed URL:
#   - 95[.]163[.]180[.]206/flashplayer_down[.]php?clickid=[a-z0-9]{16}
#   - 95[.]163[.]208[.]11/flashplayer_down[.]php?clickid=[a-z0-9]{16}
# sid 8000425: download stage. Both contents are in the normalized URI buffer;
# "clickid=" is anchored with distance:0 so it must follow the path match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Fake Flash Player download attempt"; flow:to_server,established; content:"/flashplayer_down.php?"; fast_pattern:only; http_uri; content:"clickid="; distance:0; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000425; rev:1;)
# sid 8000426 / 8000427: post-infection beacons keyed on the /click.php query
# string. 8000427 additionally requires "id=" within 15 bytes of the key= match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExpressCMS outbound connection attempt"; flow:to_server,established; content:"/click.php?cnv_id="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000426; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExpressCMS outbound connection attempt"; flow:to_server,established; content:"/click.php?key="; fast_pattern:only; http_uri; content:"id="; within:15; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000427; rev:1;)
# sid 8000428 / 8000429: exact-string matches on sample-specific header values
# (a fixed nonstandard User-Agent terminated by CRLF, and a bogus header
# name/value pair). Narrow by design; revisit if new samples change them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExpressCMS outbound connection attempt"; flow:to_server,established; content:"User-Agent: jdlnb|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000428; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExpressCMS outbound connection attempt"; flow:to_server,established; content:"Gkjfdshfkjjd: dsdjdsjdhv"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000429; rev:1;)
# --------------------
# Date: 2018-11-29
# Title: Sofacy, APT28
# Reference: Triage from:
# - http://malware.prevenity.com/2018/11/spear-phishing-attack-on-gov-in-poland.html
# - https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/
# - https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_Zebrocy
# ClamAV:
# - MALWARE_Doc.Dropper.RemotTempalteH
# - MALWARE_Doc.Dropper.RemotTempalteF
# Hashes:
# - 1851d96696d3db565c028e7fb5164d7c8428973b939b9e6185dd573e7408b194
# - 2b19497db8cb05cd3d22996efe5af8eac0f2ea51e80f606b7b8a79dfaa2f58e2
# - 34bdb5b364358a07f598da4d26b30bac37e139a7dc2b9914debb3a16311f3ded
# - 77ff53211bd994293400cb3f93e3d3df6754d8d477cb76f52221704adebad83a
# - dcbc770aeea8ad4c3f45b89535b4cb3592d6c627d6cf92ec7dfe2f8b41cda998
# - ed8f52cdfc5f4c4be95a6b2e935661e00b50324bee5fe8974599743ccfd8daba
# sid 8000430: single fixed C2 URI path in the normalized URI buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zekapab outbound connection"; flow:to_server,established; content:"/company-device-support/values/correlate-sec.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000430; rev:1;)
# --------------------
# Date: 2018-11-29
# Title: Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups
# Reference: Triage from:
# - https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/
# - https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan
# Tests: pcap
# Yara:
# - MALWARE_Win_Trojan_BitterRAT
# ClamAV:
# - MALWARE_Win.Trojan.BitterRAT
# Hashes:
# - 121a0e5e66cc7bdc78387b2e67222eb0349ca038e5aced3ed0eccb167106a40e
# - 705487b3deaf5f2ffa3240208044015e836cf4b32ef817154e23cb9f5859993f
# - f5afe24061226630faa0f1a125e011819627cee3254060bdf2691bad65ff1d1c
# Notes:
# - Win.Trojan.BitterRAT snort rules were submitted
#   on 2018-02-02, resubmitting with modifications.
# - It is interesting that there are cases of
#   BitterRAT targeting Pakistan since 2016.
# sid 8000431 / 8000432: a short query-parameter token in the URI plus
# "Connection: close", combined with negated contents requiring that
# User-Agent, Accept and Referer headers are all ABSENT. The absence checks
# are what keep a two-character-ish URI token like "?TIe=" from matching
# ordinary browser traffic; do not drop them when tuning.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:".php?TIe="; fast_pattern:only; http_uri; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000431; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:".php?cId="; fast_pattern:only; http_uri; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000432; rev:1;)
# sid 8000433: server -> client direction, matching the start of the response
# body via file_data. NOTE(review): within:30 is the first relative modifier
# after file_data, so it should bound the match to the first 30 bytes of the
# body — confirm against the pcap that this is the intended anchor.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant inbound connection"; flow:to_client,established; file_data; content:"#|0D 0A|SIZE: #"; within:30; fast_pattern; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000433; rev:1;)
# --------------------
# Date: 2018-11-29
# Title: TechyUtils at it again - APMHelper
# Reference: Research
# Tests: pcaps, live, sandbox
# Yara:
# - MALWARE_Osx_Trojan_TechyUtils
# ClamAV:
# - MALWARE_Osx.Trojan.TechyUtils
# Hashes:
# - 03663482197053dafb75fb15b9b2f0e93ef3d2237d96da37ad0ce484eb8bc2e9
# - 444d85360e6cf24b9808bab627b69cbdc82dc6d6471e1785e4046d355cee1ad2
# - 9d5c291aae4dbe0925627484712207fc165cbe36a649cff7e3346164ad1c1406
# - cf00d0789911e58cf1d6fcdb1da64dfe7b0b91c1737b6ad0369a9a968dab214a
# URLs:
# - hxxp://cdn[.]advancedpasswordmanager[.]com/apm/update/APMHelper.zip
# sid 8000434: User-Agent prefix of the helper binary.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.APMHelper outbound connection"; flow:to_server,established; content:"User-Agent: APMHelper/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000434; rev:1;)
# sid 8000435 / 8000436: URI path (+ ".plist" suffix for 8000436) with "Darwin"
# anywhere in the request headers as a macOS-client qualifier.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.TechyUtils initial post-installation connection"; flow:to_server,established; content:"/productprice.svc/GetCountryCode"; fast_pattern:only; http_uri; content:"Darwin"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000435; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.TechyUtils plist retrieval connection"; flow:to_server,established; content:"/prefs/"; http_uri; content:".plist"; http_uri; fast_pattern; content:"Darwin"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000436; rev:1;)
# --------------------
# Date: 2018-11-29
# Title: Middle East Cyber-Espionage
# Reference:
# - https://objective-see.com/blog/blog_0x3B.html
# - https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf
# Tests: pcaps
# Yara:
# - MALWARE_Osx_Trojan_WindTail
# ClamAV:
# - MALWARE_Osx.Trojan.WindTail
# Hashes:
# NOTE(review): the four hashes below are identical to the TechyUtils list in
# the previous section — confirm these are the WindTail samples and not a
# copy/paste carry-over.
# - 03663482197053dafb75fb15b9b2f0e93ef3d2237d96da37ad0ce484eb8bc2e9
# - 444d85360e6cf24b9808bab627b69cbdc82dc6d6471e1785e4046d355cee1ad2
# - 9d5c291aae4dbe0925627484712207fc165cbe36a649cff7e3346164ad1c1406
# - cf00d0789911e58cf1d6fcdb1da64dfe7b0b91c1737b6ad0369a9a968dab214a
# sid 8000437: two fixed query parameters in the URI buffer.
# sid 8000438: fixed User-Agent prefix plus "Darwin/" in the headers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection attempt"; flow:to_server,established; content:".php?very="; fast_pattern:only; http_uri; content:"&xnvk="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000437; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection attempt"; flow:to_server,established; content:"User-Agent: usrnode/"; fast_pattern:only; http_header; content:"Darwin/"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000438; rev:1;)
# --------------------
# Date: 2018-12-30
# Title: Bug in Malware “TSCookie” - Fails to Read Configuration
# Reference: https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_TSCookie_VAR1
# ClamAV:
# - MALWARE_Win.Trojan.TSCookie_VAR1
# Hashes:
# - (none listed in this submission)
# Notes:
# - Last URL query string appears to change.
# sid 8000439: destination port is a literal 443 rather than $HTTP_PORTS, and
# none of the three contents use HTTP buffers — the request line, ".aspx?m="
# (within 20 bytes of it) and the User-Agent are matched against raw payload.
# Presumably this is cleartext HTTP on 443 that the HTTP preprocessor will not
# normalize; confirm, since metadata still says "service http".
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.TSCookie variant outbound connection attempt"; flow:to_server,established; content:"POST /t"; content:".aspx?m="; within:20; fast_pattern; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000439; rev:1;)
# --------------------
# Date: 2019-01-01
# Title: Sofacy Creates New ‘Go’ Variant of Zebrocy Tool
# Reference: https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_Zebrocy_GO_Tools
# - MALWARE_Doc_IO_Suspicious
# ClamAV:
# - MALWARE_Win.Trojan.Zebrocy_GOVAR1
# - MALWARE_Win.Trojan.Zebrocy_GOVAR2
# - MALWARE_Doc.Dropper.RemotTempalteH
# Hashes:
# - 15a866c3c18046022a810aa97eaf2e20f942b8293b9cb6b4d5fb7746242c25b7
# - f868e88eb2524d15cfcd87afdf697074e0f9785792f342044501347dce549a1f
# - 04bd6c3d9fa30b4d9410b89ba44c9e29aab22a1345115e8eef9cddc86d1eea25
# - 346e5dc097b8653842b5b4acfad21e223b7fca976fb82b8c10d9fa4f3747dfa0
# NOTE(review): in sids 8000440-8000442 the first content carries
# fast_pattern:only but no http_uri, unlike every other URI-path rule in this
# set (e.g. 8000430, 8000437). A raw-payload match still fires, but it is
# inconsistent with the rest of the submission — confirm it is intentional.
# sid 8000440: URI path + "project=" in the client body.
# sid 8000441: URI path + "id_name=" in the URI buffer.
# sid 8000442: remote-template fetch path (.dotm) alone.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection attempt"; flow:to_server,established; content:"/advance/portable_version/service.php"; fast_pattern:only; content:"project="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000440; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection attempt"; flow:to_server,established; content:"/technet-support/library/online-service-description.php"; fast_pattern:only; content:"id_name="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000441; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection attempt"; flow:to_server,established; content:"/Templates/NormalOld.dotm"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000442; rev:1;)
# sid 8000443: generic Go-client beacon — raw "POST / HTTP/1.1" request line,
# a "Go-" User-Agent prefix, "project=" in the body, and a negated content
# requiring that no Connection header is present. Broadest rule of the set;
# the absence check is what keeps it from matching other Go HTTP clients.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection attempt"; flow:to_server,established; content:"POST / HTTP/1.1"; content:"User-Agent: Go-"; http_header; content:"project="; http_client_body; content:!"Connection"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000443; rev:1;)