Multiple signatures 022
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 22 Jan 2019 13:35:48 +0000
Hi, Hope everybody is have a good week. PCAPs and ClamAV/Yara for all cases below are available. The only exception is the android sigs at the end where only the PCAPs are available. Thank you for reading! YM
# --------------------
# Date: 2019-01-17
# Title: Win.Trojan.Nymaim/GozNym
# Reference: Research
# Tests: pcaps
# Yara: MEM_MALWARE_Win_Trojan_GozNym_CONF
# ClamAV: MEM_MALWARE_Win.Trojan.GozNym-CONF
# Hashes:
# - 5325a313e9462baba123761b402f2cf4cc130dc05257b34293c88bc7080a8e0d > Dropper
# - c85c2fd0fe29dd12d532ffbe1805b3b51d665c9cdd2892d328751dfdadef1484 > Persisted
# Notes:
# - Domains: antiquith[.]pw, antiquith[.]pw, charolined[.]pw, controved[.]pw
# councial[.]pw, dluow[.]pw, econofsky[.]pw, esehsilpxe[.]pw
# evoluntal[.]pw, freshwallet[.]at, ipswine[.]pw, listmyfloor[.]com
# outsidered[.]pw, resuminia[.]pw, ruolf[.]host, tfulf[.]host
# - 91 new documents since the earlier GozNym post. All with password 1234.
# - GozNym Yara/ClamAV signatures posted earlier are applicable.
# - SSL (domain list) URI is in the format: /in.php?%c=%u&%c=%0.8X%0.8X%0.2X&%c=%u&%c=%u
# NOTE(review): "/data2.php" is the fast pattern but carries no http_uri modifier, so it is
# matched against the whole payload rather than the normalized URI; the other URI-keyed rules
# in this post (8000470, 8000471) use http_uri, and doing the same here would narrow the match.
# The absent User-Agent header (content:!"User-Agent") is what separates this from a normal
# browser websocket upgrade.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GozNym variant post-config websocket outbound connection"; flow:to_server,established; content:"/data2.php"; fast_pattern:only; content:"Upgrade: websocket|0D 0A|"; http_header; content:"Connection: Upgrade"; http_header; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000461; rev:1;)
# NOTE(review): server-side match on the TLS server_hello (certificate bytes); |27| is an
# apostrophe, so the second content is the literal string ErvIn's.space — presumably a
# certificate name field, confirm against the PCAP.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GozNym variant certificate exchange"; flow:to_client,established; ssl_state:server_hello; content:"intimidate outpatient"; fast_pattern:only; content:"ErvIn|27|s.space"; metadata:ruleset community, service ssl; classtype:trojan-activity; sid:8000462; rev:2;)
# --------------------
# Date: 2019-01-19
# Title: Documents with AMSI Bypass Attempts
# Reference: Research
# Tests: pcaps
# Yara:
# - INDICATOR_RTF_Embedding_Excel
# - INDICATOR_Excel_Suspicious_Operations
# - TTP_AMSI_Bypass
# ClamAV:
# - INDICATOR_RTF.Embedding.Excel
# - INDICATOR_Excel.Suspicious.Operations
# - TTP.AMSI.Bypass
# Hashes:
# - 03ad57bfdcd8b4ec8725044c886cd357edd0bf9e1cce08cef44bac9f65e0c552
# - 2ad30086c24898e261465698cee9efa7c9357a7462c5a967ff62cb8abd6e97eb
# - 494737ffd5f65dc19ae2d1943ef961823e84187eb9200ff49a64e36096fba2d2
# - 4ce92588e9af60cf8979abd0031e4561d077e16ba07c65e6dff1e565fe9d3368
# - 6e6d1eecd7a0205cf4d8e2659212ad48e5fdf7f48e45a7790ea80c6080ef69a4
# - 6da86b5ba028ddfd9646da6467cdaca4d698b72b165045561bcf7a65449dba85
# Notes:
# - PCRE from 8000465 can be expanded to include numbers or
# can be removed altogether, though it helps keeping FPs, if any, down.
# NOTE(review): 8000465 below contains no pcre option; the [A-Z]{4,5} pcre is in 8000467,
# which is presumably the SID this note refers to.
# - The AMSI bypass line is detected as "HackTool:PowerShell/PsAttack.A",
# not shown here because it might trigger AV.
# - SID 8000467 below may have FPs associated with it, ex: Symantec SPOC updates.
# NOTE(review): 8000463-8000466 share one msg string; only the SID distinguishes them in
# alert output. The content strings are the ASCII hex as it appears inside the RTF
# (looks like a CLSID and an "Document=ThisWorkbook/&" fragment — TODO confirm).
# All four gate on flowbits:isset,file.rtf, so the file-identification rule that sets
# that bit must be enabled for them to fire.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION RTF file with embedded Excel Workbook"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"2008020000000000c000000000000046"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000463; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION RTF file with embedded Excel Workbook"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"446f63756d656e743d54686973576f726b626f6f6b2f264"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000464; rev:2;)
# NOTE(review): SMTP counterparts of 8000463/8000464 (to_server, $SMTP_SERVERS 25).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION RTF file with embedded Excel Workbook"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"2008020000000000c000000000000046"; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000465; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION RTF file with embedded Excel Workbook"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"446f63756d656e743d54686973576f726b626f6f6b2f264"; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000466; rev:1;)
# NOTE(review): "within:7" after "User-Agent: " means the CRLF must start within the next
# 7 bytes, i.e. a UA value of at most 5 bytes; the pcre then requires exactly 4-5 uppercase
# letters. The three negated headers (Accept, Content, Referer) do the FP suppression the
# author mentions; expect hits from minimal non-browser clients (updaters, agents).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE outbound suspicious short User-Agent"; flow:to_server,established; content:"User-Agent: "; http_header; content:"|0D 0A|"; within:7; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; pcre:"/User-Agent: [A-Z]{4,5}\x0d\x0a/H"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000467; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE known malicious User-Agent - who-nop"; flow:to_server,established; content:"User-Agent: who-nop"; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000468; rev:1;)
# --------------------
# Date: 2019-01-20
# Title: Another Win.Trojan.Pterodo Sample
# Reference: Research
# Tests: pcaps
# Yara: See notes.
# ClamAV: See notes
# Hashes:
# - Dropper: acd1719eea0042e5ffc41a94bd8bd94b9702f686b0787decdfbec7156d8fddda
# Notes:
# - The following signatures from a previous submission are still valid:
# - Yara: MALWARE_Win_Trojan_Pterodo_LNK
# - Yara: MALWARE_Win_Trojan_Pterodo_CMD_CNC
# - Yara: MALWARE_Win_Trojan_Pterodo_CMD_OPS
# - Yara: MALWARE_Win_Trojan_Pterodo_Dropper
# - Yara: MALWARE_Win_Trojan_Pterodo_CNC
# - ClamAV: MALWARE_Win.Trojan.Pterodo_Dropper
# - ClamAV: MALWARE_Win.Trojan.Pterodo_LNK
# - ClamAV: MALWARE_Win.Trojan.Pterodo_CMD_CNC
# - ClamAV: MALWARE_Win_Trojan.Pterodo_CNC
# - ClamAV: MALWARE_Win.Trojan.Pterodo_Dropper
# - Snort: 8000422
# - Slightly modified Yara rule MALWARE_Win_Trojan_Pterodo_Dropper
# NOTE(review): generic indicator, not keyed to Pterodo content: any HTTP/1.0 form POST to
# "/" with a Wget user agent matches. "POST / HTTP/1.0" is matched as raw payload (no http
# buffer modifier). Expect FPs from scripted wget uploads; treat as a low-confidence signal.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE outbound wget request with form data"; flow:to_server,established; content:"POST / HTTP/1.0"; fast_pattern:only; content:"User-Agent: Wget/"; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000469; rev:1;)
# --------------------
# Date: 2019-01-15
# Title: Win.Trojan.TeamBot
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_TeamBot_SARCH
# - MALWARE_Win_Trojan_TeamBot_DLL
# - MALWARE_Win_Trojan_TeamBot_DLNDR
# ClamAV:
# - MALWARE_Win.Trojan.TeamBot-SARCH
# - MALWARE_Win.Trojan.TeamBot-DLL
# - MALWARE_Win.Trojan.TeamBot-DLNDR
# Hashes:
# - Self-extracting Archives:
# - 3024ca140830e8eaf6634c1fd00bdfbd3968c3e96886ff9ec7d1b105c946e5c8
# - 567b89b0f8e82e2553fb1820bef965ecc77676b4065d54988da6d7c80747f7a7
# - b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17
# - Themida-packed DLLs:
# - a157856210137d7543861c574189e237c1d0ba41d2fb08c982a7db94e684a170
# - 28764e617667c9704246c56b613d1b75e489346cbb5df9a14e1ce2d996f5c167
# - 5c89b1fee36d941889eb33e777acb4462bd4a7e8ac7da7743a1b0e743b942f50
# - Downloader:
# - 46c8e192bb6e37452c1b8029987a7c05f64b7766ff692731b050c402d91baa93
# Notes:
# - This one drops TeamViewer and then reports TeamViewer's ID and Password
# to the C&C.
# - The flowbits check won't work; because it is a different session?
# NOTE(review): yes — flowbits are tracked per flow. 8000471 sets mal.teambot on the HTTP
# session to $HTTP_PORTS, while the TeamViewer handshake is a separate TCP session to port
# 5938, so flowbits:isset can never be true there. Cross-session correlation has to happen
# in the SIEM (same source host, 8000471 followed by 8000473), not inside the rule.
# NOTE(review): msg class "MALWAR-CNC" is a typo for "MALWARE-CNC"; fix before shipping so
# alert grouping by category stays consistent with the rest of the post.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWAR-CNC Win.Trojan.TeamBot downloader outbound connection attempt"; flow:to_server,established; content:"/get.php?pid="; fast_pattern:only; http_uri; content:"User-Agent: Microsoft Internet Explorer|0D 0A|"; http_header; content:!"Connection"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000470; rev:1;)
# NOTE(review): sets flowbits mal.teambot for the current HTTP flow (see note above on why
# 8000473 cannot consume it).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TeamBot outbound connection request"; flow:to_server,established; content:"/?gate&hwid="; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&pwd="; http_uri; content:"&info="; http_uri; content:!"User-Agent"; http_header; flowbits:set,mal.teambot; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000471; rev:1;)
# NOTE(review): no flowbits:isset,mal.teambot here, so any HTTP response body containing
# "<RESULT>true</RESULT>" alerts; adding the isset check would tie it to the request above
# (same flow, so it would work, unlike 8000473).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TeamBot inbound connection response"; flow:to_client,established; file_data; content:"<RESULT>true</RESULT>"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000472; rev:1;)
# NOTE(review): as written this fires on any 9-byte payload starting with these bytes sent
# to port 5938, with no link to a TeamBot infection; the msg text "after TeamBot infection"
# overstates what the rule can know. Expect hits from legitimate TeamViewer use.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"INDICATOR-COMPROMISE TeamViewer connection detected after TeamBot infection"; flow:to_server,established; dsize:9; content:"|17 24 10 04 00 00 00 00 00|"; metadata:ruleset community; classtype:trojan-activity; sid:8000473; rev:1;)
# NOTE(review): disabled variant; if it is ever re-enabled it reuses sid:8000471 (already
# taken by the gate request rule above) and needs its own SID.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"INDICATOR-COMPROMISE TeamViewer connection detected after TeamBot infection"; flow:to_server,established; flowbits:isset,mal.teambot; dsize:9; content:"|17 24 10 04 00 00 00 00 00|"; metadata:ruleset community; classtype:trojan-activity; sid:8000471; rev:1;)
# --------------------
# Date: 2019-01-20
# Title: Recent DarkHydrus stuff
# Reference:
# - https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/
# - https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/
# Tests: pcaps
# Yara:
# - MALWARE_Doc_MIRTE_T1117
# - MALWARE_OOXML_Malicious_Doc_DH
# - MALWARE_Doc_Exec_Bypass_DH
# - MALWARE_Win_Trojan_RogueRobin
# ClamAV:
# - MALWARE_OOXML_XL_MITRE_T1117-1
# - MALWARE_OOXML_XL_Exec-Bypass-DH
# - MALWARE_Win_Trojan_RogueRobin
# Hashes:
# - Docs:
# - 4e40f80114e5bd44a762f6066a3e56ccdc0d01ab2a18397ea12e0bc5508215b8
# - 513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8
# - e068c6536bf353abe249ad0464c58fb85d7de25223442dd220d64116dbf1e022
# - Binaries:
# - 5cc62ad6baf572dbae925f701526310778f032bb4a54b205bada78b1eb8c479c
# - eb33a96726a34dd60b053d3d1048137dffb1bba68a1ad6f56d33f5d6efb12b97
# Notes:
# - Snort signatures are, well, they need more testing/scrutiny
# - Performance Profiling results didn't seem encouraging for the signatures.
# - The indicator rules are created for the "exotic" RR types only.
# NOTE(review): header is fully open ("any any -> any any") while the metadata says
# service smtp and the other SMTP file rules in this post (8000465/8000466) use
# $EXTERNAL_NET any -> $SMTP_SERVERS 25; aligning the header would cut the traffic this rule
# is evaluated against and likely helps the profiling numbers the author mentions. The four
# byte sequences are sample-specific (compressed document content) and will not survive a
# re-packed document.
alert tcp any any -> any any (msg:"MALWARE-CNC DarkHydrus variant malicious document download attempt"; flow:to_server,established; file_data; content:"|ac 92 4d 4f c3 30 0c 86 ef 48 fc 87 c8 f7 d5 dd 90 10 42 4b 77 41 48|"; content:"|55 53 68 39 69 b0 62 9e 72 3a 22 79 5f 64 6c c0 f3 44 9b bf 13 fd 7c 2d 4e 9c c8 52 22 34 12 f8 32 cf 47 c7 25 a0|"; within:200; content:"|4e c3 30 0c 86 ef 48 bc 43 e4 3b 4d 3b 10 42 68|"; within:400; content:"|22 54 54 4d 35 6c 46|"; within:315; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000474; rev:1;)
# NOTE(review): DUPLICATE SID — 8000475 and 8000476 are used again by the two
# Andr.Trojan.Xinyinhe rules at the end of this post; Snort will not load both sets as
# written. Renumber one pair before merging.
# NOTE(review): |81 83| at offset 2 is the DNS flags word 0x8183: QR=1, RD=1, RA=1,
# RCODE=3 (NXDOMAIN). The second content appears to be the end of the question
# (QTYPE 16 = TXT, QCLASS IN) followed by a root-owner SOA (type 6) record, i.e. the
# authority section of a negative answer — TODO confirm against the PCAP. The
# detection_filter (2 per source in 60 s) is what keeps ordinary one-off lookups quiet.
alert udp any 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE NXDOMAIN of TXT RR type"; flow:to_client; dsize:>100; content:"|81 83|"; offset:2; depth:2; content:"|00 00 10 00 01 00 00 06 00 01|"; within:255; detection_filter:track by_src, count 2, seconds 60; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000475; rev:1;)
# NOTE(review): same shape as 8000475 with QTYPE 6 (SOA). SID 8000476 is also reused by the
# second Xinyinhe rule below.
alert udp any 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE NXDOMAIN of SOA RR type"; flow:to_client; dsize:>100; content:"|81 83|"; offset:2; depth:2; content:"|00 00 06 00 01 00 00 06 00 01|"; within:255; detection_filter:track by_src, count 2, seconds 60; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000476; rev:1;)
# NOTE(review): flags word here is 0x8403 (QR=1, AA=1, RD=0, RA=0, RCODE=3), not the 0x8183
# used by 8000475/8000476, so this only matches authoritative non-recursive answers —
# confirm that is intended, since responses from a recursive resolver typically carry RD/RA.
# There is also no dsize floor, and AAAA NXDOMAIN is routine on dual-stack hosts; the
# count-5 filter is the only FP control.
alert udp any 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE NXDOMAIN of AAAA RR type"; flow:to_client; content:"|84 03|"; offset:2; depth:2; content:"|00 00 1C 00 01|"; within:255; detection_filter:track by_src, count 5, seconds 60; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000477; rev:1;)
# NOTE(review): 8000478-8000483 are one template per TLD. byte_test:1,!&,0xF8,2 requires
# the first flags byte to have QR=0, opcode 0 and AA clear (a standard query). The pcre is
# unanchored but is only evaluated after the fast_pattern TLD content matched, so its cost
# is bounded to queries for that TLD; it requires a 5- or 6-byte label of the form
# a[h-q]{3,4}c somewhere before the TLD. Consider combining into fewer rules if the
# per-rule profiling stays poor.
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .agency TLD"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|agency|00 00|"; fast_pattern; pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+agency/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000478; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .life TLD"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|life|00 00|"; fast_pattern; pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+life/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000479; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .live TLD"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|live|00 00|"; fast_pattern; pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+live/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000480; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .world TLD"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|world|00 00|"; fast_pattern; pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+world/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000481; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .today TLD"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|today|00 00|"; fast_pattern; pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+today/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000482; rev:1;)
# NOTE(review): msg says ".servies TLD" — typo for ".services" (the content and pcre are
# correct); fix the msg string before shipping.
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .servies TLD"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|services|00 00|"; fast_pattern; pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+services/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000483; rev:1;)
# --------------------
# Date: 2019-01-21
# Title: Andr.Trojan.Xinyinhe
# Reference: Research
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes: 5b5043b13da32c048f7ccb19a3b200c7145d020449d8ed7d7cf3ae7ecaef6863
# Notes:
# - Download URL: hxxp://cdn[.]tiedd[.]info/uploadonly/201811/107/5c6532745b100a173742fe85c7f33678.apk
# NOTE(review): DUPLICATE SID — sid:8000475 and sid:8000476 below collide with the DarkHydrus
# NXDOMAIN rules above (next free SID in this post would be 8000484). Both msg strings also
# misspell "attempt" as "attmept" and are identical to each other, so alerts from the two
# rules are indistinguishable without the SID; consider naming the second "... module check-in"
# or similar.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Xinyinhe outbound connection attmept"; flow:to_server,established; content:"/config?pubid="; fast_pattern:only; http_uri; content:"&new_user="; http_uri; content:"&pkg_name="; http_uri; content:"&first_time="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000475; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Xinyinhe outbound connection attmept"; flow:to_server,established; content:"/config?pubid="; fast_pattern:only; http_uri; content:"&moduleid="; http_uri; content:"&pkname="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000476; rev:1;)