Re: Multiple signature 021

[Matthew Mickel <mmickel () sourcefire com>]

Hi, Yaser-

Thanks for your submissions.  We will review the rules and get back to you when we have finished.  Any PCAPs that you 
can send along are greatly appreciated.  Best,

Matt Mickel

> On Jan 15, 2019, at 12:41 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:
>
> Hi,
>
> Here is a batch of signatures along which, PCAPs and Yara/ClamAV signatures are available. Also attaching two 
> screenshots for Ditnui/Siggen2/Zenpak to go along with the notes section.
>
> Thank you.
> YM
>
> # --------------------
> # Date: 2019-01-05
> # Title: Tools Trade
> # Reference: Research
> #   - hxxps://github[.]com/DarthTon/Blackbone <hxxps://github[.]com/DarthTon/Blackbone>
> #   - hxxps://github[.]com/djhohnstein/SharpWeb <hxxps://github[.]com/djhohnstein/SharpWeb>
> #   - hxxps://github[.]com/ptoomey3/Keychain-Dumper <hxxps://github[.]com/ptoomey3/Keychain-Dumper>
> #   - www[.]rootkiter[.]com/earthworm
> # Tests: pcaps (f2p)
> # Yara:
> #   - TOOL_PWS_SharpWeb
> #   - TOOL_CNC_Earthworm
> #   - TOOL_PWS_KeychainDumper
> #   - TOOL_PWS_Blackbone
> # ClamAV:
> #   - TOOL.PWS.SharpWeb
> #   - TOOL.CNC.Earthworm
> #   - TOOL.PWS.KeychainDumper
> #   - TOOL.PWS.Blackbone
> # Hashes: NA
> # Notes:
> #   - Maybe add SMB rules for host-to-host transfers
> #     during lateral movement?
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Blackbone password memory dumper download 
> attempt"; flow:to_client,established; file_data; content:"|5C 00|B|00|l|00|a|00|c|00|k|00|B|00|o|00|n|00|e|00|"; 
> fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000444; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Blackbone password memory dumper download 
> attempt"; flow:to_client,established; file_data; content:"BBHideVAD"; fast_pattern:only; metadata:ruleset community, 
> service http; classtype:trojan-activity; sid:8000445; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Earthworm CnC tool download attempt"; 
> flow:to_client,established; file_data; content:"Make_Net_CMD"; fast_pattern:only; content:"understand_and_do_it"; 
> metadata:ruleset community, service http; classtype:trojan-activity; sid:8000446; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE KeychainDumper Keychain dumper tool download 
> attempt"; flow:to_client,established; file_data; content:"dumpKeychainEntitlements"; fast_pattern:only; 
> content:"Password"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000447; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE SharpWeb browser password dumper tool 
> download attempt"; flow:to_client,established; file_data; 
> content:">k__BackingField|00|<encryptedPassword>k__BackingField"; fast_pattern:only; metadata:ruleset community, 
> service http; classtype:trojan-activity; sid:8000448; rev:1;)
>
> # --------------------
> # Date: 2019-01-08
> # Title: Osx.Trojan.LamePyre
> # Reference:
> #   - https://blog.malwarebytes.com/detections/osx-lamepyre/ <https://blog.malwarebytes.com/detections/osx-lamepyre/>
> #   - https://objective-see.com/blog/blog_0x3C.html <https://objective-see.com/blog/blog_0x3C.html>
> # Tests: pcaps
> # Yara:
> #   - MALWARE_Osx_Trojan_LamePyre
> # ClamAV:
> #   - MALWARE_Osx.Trojan.LamePyre
> # Hashes:
> #   - a899a7d33d9ba80b6f9500585fa108178753894dfd249c2ba64c9d6a601c516b > .app
> #   - 3952499a96ee1ce49b0b4a2eabaa9ea819012cf146cc95d5a0c876938bdfb65c > Application Stub
> #   - 88d5e1cfdc6bf3824cb5227827ba2f790eaaad512693de6b72d29fdb1db46081 > helper
> #   - 31935f731329487c87b96653f6c3936cca6cbed64f800ad24047e3bfa1434969 > systemkeep 
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.LamePyre initial outbound 
> connection"; flow:to_server,established; urilen:10; content:"/index.asp"; http_uri; content:"Connection: close|0D 
> 0A|"; http_header; content:"Accept-Encoding: identity|0D 0A|"; http_header; content:!"Accept:"; http_header; 
> content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000449; 
> rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.LamePyre screenshot exfiltration 
> outbound connection"; flow:to_server,established; content:"/handler.php?uid="; fast_pattern:only; http_uri; 
> content:"Expect:"; http_header; content:"Content-Type: multipart/form-data"; http_header; content:!"Connection"; 
> http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; 
> sid:8000450; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.LamePyre screenshot exfiltration 
> outbound connection"; flow:to_server,established; content:"|3B| filename=|22|alloy.png|22|"; fast_pattern:only; 
> http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000451; rev:1;)
>
> # --------------------
> # Date: 2019-01-08
> # Title: Osx.Trojan.FairyTail
> # Reference:
> #   - https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/ 
> <https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/>
> #   - https://objective-see.com/blog/blog_0x3C.html <https://objective-see.com/blog/blog_0x3C.html>
> # Tests: pcaps
> # Yara:
> #   - MALWARE_Osx_Trojan_Genieo
> #   - MALWARE_Osx_Trojan_MacSearch
> # ClamAV:
> #   - MALWARE_Osx.Trojan.Genieo
> #   - MALWARE_Osx.Trojan.MacSearch
> # Hashes:
> #   - 4eaa4caea4ac543516ffc9954a901e8b8e8c623fcce48304ea74d7a74218683b > .app
> #   - 850b4f620e874ed6117c7e1d15dd1c502d7e38cd4dd872753d502f39e3a5c8d8 > LinqurySearch
> #   - f54bb130f750f77546aebf690ba4b89f0ddb3c27a5e297383d0a30bcaa5f9cb4 > macsearch
> #   - a9a7a1c48cd1232249336749f4252c845ce68fd9e7da85b6da6ccbcdc21bcf66 > SpellingChecker
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.FairyTail initial outbound 
> connection request"; flow:to_server,established; urilen:10; content:"/hello.txt"; fast_pattern:only; http_uri; 
> content:"SpellingChecker/"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; 
> sid:8000452; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.FairyTale outbound connection 
> attempt"; flow:to_server,established; content:"/download/"; http_uri; content:"User-Agent: LinqurySearch"; 
> http_header; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000453; 
> rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.FairyTale outbound connection 
> attempt"; flow:to_server,established; content:"User-Agent: macsearch/"; fast_pattern:only; http_header; 
> content:"/MaxMind.asmx/"; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000454; 
> rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.FairyTale outbound connection 
> attempt"; flow:to_server,established; content:"User-Agent: macsearch/"; fast_pattern:only; http_header; 
> content:"StatisticsService.svc/"; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; 
> sid:8000455; rev:1;)
>
> # --------------------
> # Date: 2019-01-09
> # Title: Win.Trojan.Agent
> # Reference: Research
> # Tests: pcaps
> # Yara:
> #   - MALWARE_Win_Trojan_Agent
> # ClamAV:
> #   - MALWARE_Win.Trojan.Agent
> # Hashes:
> #   - 4fd37dc5eaa90a02a53b2c2df42c21e6017a925b65cedf62c69aa757be49e144
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent outbound connection attempt"; 
> flow:to_server,established; content:"/get.php HTTP/1.0"; fast_pattern:only; content:"=JWExJTNkaSUxOH"; within:20; 
> http_client_body; content:!"User-Agent"; http_header; content:!"Connection"; http_header; metadata:ruleset community, 
> service http; classtype:trojan-activity; sid:8000458; rev:1;)
>
> # --------------------
> # Date: 2019-01-10
> # Title: Win.Trojan.Ditniu/Siggen2/Zenpak
> # Reference: Research
> # Tests: pcaps
> # Yara:
> #   - MALWARE_Win_Trojan_Ditniu
> # ClamAV:
> #   - MALWARE_Win.Trojan.Ditniu-VAR1
> #   - MALWARE_Win.Trojan.Ditniu-VAR2
> #   - MALWARE_Win.Trojan.Ditniu-VAR3
> #   - MALWARE_Win.Trojan.Ditniu-Signed-Revoked
> #   - MALWARE_Win.Trojan.Ditniu-Signed1
> #   - MALWARE_Win.Trojan.Ditniu-Signed2
> #   - MALWARE_Win.Trojan.Ditniu-Signed3
> # Hashes:
> #   - 3a835af7d9da2a2f033ca685bac69a9c853b218f553eec742ca1e2c474f5ce78 > NSIS Archive, sample not acquired
> #   - 3969347db2908336311c9b13d3ece00fd8e28c181a5eac556036bc3d48e56dac
> #   - 3d3fc2e343a08ecd24b5b4d0a040e956f276c292786eddc46d9725d7043e669e
> #   - 4aea200d1080627722df30737dac955dc987f0ffc67cd7861a6440e94dd164e7 > Password-protected NSIS, Password: 
> X9e5UD6AN1vQCK08DM4O
> #   - 5a58e561d49ba36292bf603cf516a1cef686e17285d466e5c1979d266227f0e6
> #   - 7a6477c2e7e38becf1861fe5253641dcd789b5c523b9d788114befa21b748780
> #   - 7ceca4f5ca3ef254f7d6e2c0a217966a2d948b613b0ae476d34b0ece9704da4c > Extracted from 4aea200d10
> #   - 7cefbff477eeb8f410a5857babf933d14494df4cb74cec5482dbf8199e64a5bf
> #   - 922dd1efeb601b375bf638d1cdbb6cbd1e74d1a0aa48daf73bd59c13eacd4f45 > Extracted from b689104dfc
> #   - 94e6ba63cf9d38339146b1425ff08588359056d327e94c4f26963d705d78325c
> #   - 96f70e5272ab59e0d28007a6f730fbf8ccf186b6357cc945a7a45d60bfb18f9d
> #   - 9c2a5540b68eebe84c446a05763869ac6ba59b76151bf697639f45c7422a8ad7
> #   - 9f13dc99e0faf99e0a66e1c5cb2cc5ed950224d96f5c9c2a2cfd343d9de2ddd3 > NSIS Archive, sample not acquired
> #   - b37e7c2dc32f010682ef024f9b99e962347ad3f3be2c6f1a00a08cb7a929a3fb
> #   - b689104dfcb1974ab48556505fb9dc6e1a356c21fda59d5d954f85b16b19a1bc > Password-protected NSIS, Password: 
> X9e5UD6AN1vQCK08DM4O
> #   - c053dc67c13eddce93ae2d17d8fb1958a0ed71657e93ed540e6c0d1ea92b6129 > Extracted from efcee275d2
> #   - d60e7f5f03ffcd04c3f69add8b63763294bc59d14572fd1a3bf767accd9ff1f6
> #   - dfff04d811715510176326a190d576d66cec3a92d01829f5bbcc291182682e55
> #   - efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74 > Password-protected NSIS, Password: 
> X9e5UD6AN1vQCK08DM4O
> #   - f52c4b49bba43c68c0a5436e8c6c2c45c7b4de19729fcedf4343b430fff31bac
> #   - f612e561ebca13ee093402526468b8638d1591fadbdfd31ec3fbc1c73b89d41c > NSIS Archive, sample not acquired
> #   - f875662a13179e215f8f92cb174d7a3988cde71495ae2c7a412c442c676f2889
> # Notes:
> #   - Variants connect to a specific set of IPs with the same packet structure.
> #   - All password-protected NSIS archives use the same password > X9e5UD6AN1vQCK08DM4O (screenshot attached).
> #   - Binaries extracted from NSIS archive has .cab extension.
> #   - Persisted binaries have similar naming conventions.
> #   - Anti-debug (screenshot attached): 
> #     boxservice.exe, vboxtray.exe, vmusrvc.exe, vmsrvc.exe, 
> #     qemu-ga.exe, xenservice.exe, python.exe, ProcessHacker.exe,
> #     tcpview.exe, autorunsc.exe, autorunsc.exe, idaq.exe, idaq64.exe,
> #     HookExplorer.exe, ImportREC.exe, PETools.exe, LordPE.exe, SysInspector.exe
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Ditniu outbound connection attempt"; 
> flow:to_server,established; dsize:14; content:"GCRG"; offset:4; depth:4; fast_pattern; content:"|00 00 02 00|"; 
> distance:1; isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000459; 
> rev:1;)
>
> # --------------------
> # Date: 2019-01-15
> # Title: A Zebrocy Go Downloader
> # Reference: https://securelist.com/a-zebrocy-go-downloader/89419/ 
> <https://securelist.com/a-zebrocy-go-downloader/89419/>
> # Tests: NA
> # Yara: NA
> # ClamAV: NA
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection 
> attempt"; flow:to_server,established; content:"/software-apptication/help-support-apl/getidpolapl.php"; 
> fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000460; rev:1;)
> <1.PNG><2.PNG>_______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org>
> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
>
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette 
> <https://snort.org/faq/what-is-the-mailing-list-etiquette>
>
> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to 
> catch the most <a href=" https://snort.org/downloads/#rule-downloads 
> <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!