
Multiple signatures 022


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 22 Jan 2019 13:35:48 +0000

Hi,

Hope everybody is having a good week. PCAPs and ClamAV/Yara for all cases below are available. The only exception is the 
android sigs at the end, where only the PCAPs are available.

Thank you for reading!
YM

# --------------------
# Date: 2019-01-17
# Title: Win.Trojan.Nymaim/GozNym
# Reference: Research
# Tests: pcaps
# Yara: MEM_MALWARE_Win_Trojan_GozNym_CONF
# ClamAV: MEM_MALWARE_Win.Trojan.GozNym-CONF
# Hashes:
#   - 5325a313e9462baba123761b402f2cf4cc130dc05257b34293c88bc7080a8e0d > Dropper
#   - c85c2fd0fe29dd12d532ffbe1805b3b51d665c9cdd2892d328751dfdadef1484 > Persisted
# Notes:
#   - Domains: antiquith[.]pw, antiquith[.]pw, charolined[.]pw, controved[.]pw
#              councial[.]pw, dluow[.]pw, econofsky[.]pw, esehsilpxe[.]pw
#              evoluntal[.]pw, freshwallet[.]at, ipswine[.]pw, listmyfloor[.]com
#              outsidered[.]pw, resuminia[.]pw, ruolf[.]host, tfulf[.]host
#   - 91 new documents since the earlier GozNym post. All with password 1234.
#   - GozNym Yara/ClamAV signatures posted earlier are applicable.
#   - SSL (domain list) URI is in the format: /in.php?%c=%u&%c=%0.8X%0.8X%0.2X&%c=%u&%c=%u

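# GozNym post-config check-in: a client request for /data2.php that negotiates a
# WebSocket upgrade (Upgrade + Connection headers) while sending no User-Agent
# header. "/data2.php" is a raw payload match (no http_uri), so it is not
# restricted to the request URI. Rule restored to a single line (the list
# archive had wrapped it mid-string).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GozNym variant post-config websocket outbound connection"; flow:to_server,established; content:"/data2.php"; fast_pattern:only; content:"Upgrade: websocket|0D 0A|"; http_header; content:"Connection: Upgrade"; http_header; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000461; rev:1;)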

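# GozNym TLS side: server_hello-state traffic from port 443 carrying the two
# fixed strings "intimidate outpatient" and "ErvIn's.space" (|27| is the
# apostrophe) -- presumably certificate subject/issuer fields; confirm against
# the PCAPs. Note the server port is hard-coded to 443 rather than a port
# variable. Rule restored to a single line.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GozNym variant certificate exchange"; flow:to_client,established; ssl_state:server_hello; content:"intimidate outpatient"; fast_pattern:only; content:"ErvIn|27|s.space"; metadata:ruleset community, service ssl; classtype:trojan-activity; sid:8000462; rev:2;)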

# --------------------
# Date: 2019-01-19
# Title: Documents with AMSI Bypass Attempts
# Reference: Research
# Tests: pcaps
# Yara:
#    - INDICATOR_RTF_Embedding_Excel
#    - INDICATOR_Excel_Suspicious_Operations
#    - TTP_AMSI_Bypass
# ClamAV:
#    - INDICATOR_RTF.Embedding.Excel
#    - INDICATOR_Excel.Suspicious.Operations
#    - TTP.AMSI.Bypass
# Hashes:
#   - 03ad57bfdcd8b4ec8725044c886cd357edd0bf9e1cce08cef44bac9f65e0c552
#   - 2ad30086c24898e261465698cee9efa7c9357a7462c5a967ff62cb8abd6e97eb
#   - 494737ffd5f65dc19ae2d1943ef961823e84187eb9200ff49a64e36096fba2d2
#   - 4ce92588e9af60cf8979abd0031e4561d077e16ba07c65e6dff1e565fe9d3368
#   - 6e6d1eecd7a0205cf4d8e2659212ad48e5fdf7f48e45a7790ea80c6080ef69a4
#   - 6da86b5ba028ddfd9646da6467cdaca4d698b72b165045561bcf7a65449dba85
# Notes:
#   - PCRE from 8000465 can be expanded to include numbers or
#     can be removed altogether, though it helps keep FPs, if any, down.
#   - The AMSI bypass line is detected as "HackTool:PowerShell/PsAttack.A",
#     not shown here because it might trigger AV.
#   - SID 8000467 below may have FPs associated with it, ex: Symantec SPOC updates.

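# RTF carrying an embedded Excel object (HTTP/FTP/IMAP/POP3 delivery): matches
# the hex-encoded \objdata bytes 20 08 02 00 ... c0 00 ... 46, the little-endian
# encoding of CLSID {00020820-0000-0000-C000-000000000046} (Excel worksheet),
# inside the file_data buffer. Depends on the file.rtf flowbit being set by a
# file-identify rule defined elsewhere.
# rev 3: added nocase -- RTF hex data is case-insensitive, so an uppercase
# "C000...0046" would otherwise slip past the match. Rule restored to one line.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION RTF file with embedded Excel Workbook"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"2008020000000000c000000000000046"; fast_pattern:only; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000463; rev:3;)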

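# Companion to 8000463 for the same delivery services: the matched hex decodes
# to the ASCII string "Document=ThisWorkbook/&" (plus a trailing nibble), the
# start of a VBA PROJECT stream entry, hex-encoded inside the RTF object data.
# Depends on the file.rtf flowbit set elsewhere.
# rev 3: added nocase -- the same bytes hex-encoded in uppercase ("446F63...")
# would otherwise not match. Rule restored to one line.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION RTF file with embedded Excel Workbook"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"446f63756d656e743d54686973576f726b626f6f6b2f264"; fast_pattern:only; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000464; rev:3;)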

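# SMTP variant of 8000463 (inbound mail to $SMTP_SERVERS): same Excel worksheet
# CLSID bytes, hex-encoded in the RTF \objdata, inside file_data. Depends on
# the file.rtf flowbit set elsewhere. Unlike the HTTP sibling this one does not
# declare fast_pattern:only; with a single content that makes no practical
# difference.
# rev 2: added nocase so uppercase hex is caught as well. Rule restored to one
# line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION RTF file with embedded Excel Workbook"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"2008020000000000c000000000000046"; nocase; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000465; rev:2;)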

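# SMTP variant of 8000464: hex-encoded "Document=ThisWorkbook/&" inside the RTF
# object data, matched in file_data. Depends on the file.rtf flowbit set
# elsewhere.
# rev 2: added nocase so uppercase hex is caught as well. Rule restored to one
# line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION RTF file with embedded Excel Workbook"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"446f63756d656e743d54686973576f726b626f6f6b2f264"; nocase; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000466; rev:2;)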

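# Short, all-uppercase User-Agent on a request with no Accept*, Content-* or
# Referer headers. The |0D 0A| within:7 after "User-Agent: " bounds the UA
# value to at most 5 bytes; the pcre then requires exactly 4-5 uppercase
# letters. The author reports FPs (e.g. Symantec SPOC updates) and notes the
# pcre could be widened to digits at the cost of more FPs. Rule restored to a
# single line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE outbound suspicious short User-Agent"; flow:to_server,established; content:"User-Agent: "; http_header; content:"|0D 0A|"; within:7; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; pcre:"/User-Agent: [A-Z]{4,5}\x0d\x0a/H"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000467; rev:1;)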

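# Fixed User-Agent "who-nop" in the request headers, again with no Accept*,
# Content-* or Referer headers present. Rule restored to a single line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE known malicious User-Agent - who-nop"; flow:to_server,established; content:"User-Agent: who-nop"; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000468; rev:1;)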

# --------------------
# Date: 2019-01-20
# Title: Another Win.Trojan.Pterodo Sample
# Reference: Research
# Tests: pcaps
# Yara: See notes.
# ClamAV: See notes
# Hashes:
#   - Dropper: acd1719eea0042e5ffc41a94bd8bd94b9702f686b0787decdfbec7156d8fddda
# Notes:
#   - The following signatures from a previous submission are still valid:
#     - Yara: MALWARE_Win_Trojan_Pterodo_LNK
#     - Yara: MALWARE_Win_Trojan_Pterodo_CMD_CNC
#     - Yara: MALWARE_Win_Trojan_Pterodo_CMD_OPS
#     - Yara: MALWARE_Win_Trojan_Pterodo_Dropper
#     - Yara: MALWARE_Win_Trojan_Pterodo_CNC
#     - ClamAV: MALWARE_Win.Trojan.Pterodo_Dropper
#     - ClamAV: MALWARE_Win.Trojan.Pterodo_LNK
#     - ClamAV: MALWARE_Win.Trojan.Pterodo_CMD_CNC
#     - ClamAV: MALWARE_Win_Trojan.Pterodo_CNC
#     - ClamAV: MALWARE_Win.Trojan.Pterodo_Dropper
#     - Snort: 8000422
#   - Slightly modified Yara rule MALWARE_Win_Trojan_Pterodo_Dropper

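# Pterodo sample behaviour: an HTTP/1.0 POST to "/" from a Wget/ User-Agent
# with a form-encoded body. Nothing here is specific to the malware -- any
# scripted wget POST to a site root matches -- so treat it as an indicator and
# expect FPs where wget is used operationally. "POST / HTTP/1.0" is a raw
# payload match (no http_ modifier). Rule restored to a single line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE outbound wget request with form data"; flow:to_server,established; content:"POST / HTTP/1.0"; fast_pattern:only; content:"User-Agent: Wget/"; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000469; rev:1;)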

# --------------------
# Date: 2019-01-15
# Title: Win.Trojan.TeamBot
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_TeamBot_SARCH
#   - MALWARE_Win_Trojan_TeamBot_DLL
#   - MALWARE_Win_Trojan_TeamBot_DLNDR
# ClamAV:
#   - MALWARE_Win.Trojan.TeamBot-SARCH
#   - MALWARE_Win.Trojan.TeamBot-DLL
#   - MALWARE_Win.Trojan.TeamBot-DLNDR
# Hashes:
#   - Self-extracting Archives:
#     - 3024ca140830e8eaf6634c1fd00bdfbd3968c3e96886ff9ec7d1b105c946e5c8
#     - 567b89b0f8e82e2553fb1820bef965ecc77676b4065d54988da6d7c80747f7a7
#     - b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17
#   - Themida-packed DLLs:
#     - a157856210137d7543861c574189e237c1d0ba41d2fb08c982a7db94e684a170
#     - 28764e617667c9704246c56b613d1b75e489346cbb5df9a14e1ce2d996f5c167
#     - 5c89b1fee36d941889eb33e777acb4462bd4a7e8ac7da7743a1b0e743b942f50
#   - Downloader:
#     - 46c8e192bb6e37452c1b8029987a7c05f64b7766ff692731b050c402d91baa93
# Notes:
#   - This one drops TeamViewer and then reports TeamViewer's ID and Password
#     to the C&C.
#   - The flowbits check won't work; because it is a different session?

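# TeamBot downloader stage: GET to /get.php?pid=... with the fixed UA
# "Microsoft Internet Explorer" and no Connection or Accept headers.
# rev 2: corrected the msg category typo "MALWAR-CNC" -> "MALWARE-CNC" so the
# alert groups with the other MALWARE-CNC rules. Rule restored to one line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TeamBot downloader outbound connection attempt"; flow:to_server,established; content:"/get.php?pid="; fast_pattern:only; http_uri; content:"User-Agent: Microsoft Internet Explorer|0D 0A|"; http_header; content:!"Connection"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000470; rev:2;)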

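# TeamBot gate request: URI /?gate&hwid=...&id=...&pwd=...&info=... with no
# User-Agent header (per the author's notes the id/pwd fields carry the
# dropped TeamViewer credentials). Sets the mal.teambot flowbit for use by
# follow-on rules in the same flow. Rule restored to a single line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TeamBot outbound connection request"; flow:to_server,established; content:"/?gate&hwid="; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&pwd="; http_uri; content:"&info="; http_uri; content:!"User-Agent"; http_header; flowbits:set,mal.teambot; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000471; rev:1;)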

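# C2 answer to the TeamBot gate request: "<RESULT>true</RESULT>" in the HTTP
# response body. That string is generic, so on its own the rule would fire on
# unrelated web applications.
# rev 2: added flowbits:isset,mal.teambot so the response only alerts in a
# flow where 8000471 matched the gate request (request and response share the
# HTTP session, unlike the TeamViewer connection the author could not
# correlate). Rule restored to one line.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TeamBot inbound connection response"; flow:to_client,established; flowbits:isset,mal.teambot; file_data; content:"<RESULT>true</RESULT>"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000472; rev:2;)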

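# TeamViewer client hello: a 9-byte payload beginning 17 24 10 04 to port 5938.
# The live rule has no flowbits check, so despite the msg text it fires on
# every TeamViewer connection from $HOME_NET, including legitimate use --
# expect FPs wherever TeamViewer is sanctioned. The flowbits-gated variant
# below is kept commented out because, per the author, the TeamViewer session
# is a different flow and the mal.teambot flowbit set by 8000471 is not
# visible to it. Both rules restored to single lines.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"INDICATOR-COMPROMISE TeamViewer connection detected after TeamBot infection"; flow:to_server,established; dsize:9; content:"|17 24 10 04 00 00 00 00 00|"; metadata:ruleset community; classtype:trojan-activity; sid:8000473; rev:1;)

# NOTE(review): this disabled variant reuses sid 8000471, which is already the
# TeamBot gate-request rule above; give it its own sid before re-enabling.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"INDICATOR-COMPROMISE TeamViewer connection detected after TeamBot infection"; flow:to_server,established; flowbits:isset,mal.teambot; dsize:9; content:"|17 24 10 04 00 00 00 00 00|"; metadata:ruleset community; classtype:trojan-activity; sid:8000471; rev:1;)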

# --------------------
# Date: 2019-01-20
# Title: Recent DarkHydrus stuff
# Reference:
#   - https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/
#   - https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/
# Tests: pcaps
# Yara:
#   - MALWARE_Doc_MIRTE_T1117
#   - MALWARE_OOXML_Malicious_Doc_DH
#   - MALWARE_Doc_Exec_Bypass_DH
#   - MALWARE_Win_Trojan_RogueRobin
# ClamAV:
#   - MALWARE_OOXML_XL_MITRE_T1117-1
#   - MALWARE_OOXML_XL_Exec-Bypass-DH
#   - MALWARE_Win_Trojan_RogueRobin
# Hashes:
#   - Docs:
#     - 4e40f80114e5bd44a762f6066a3e56ccdc0d01ab2a18397ea12e0bc5508215b8
#     - 513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8
#     - e068c6536bf353abe249ad0464c58fb85d7de25223442dd220d64116dbf1e022
#   - Binaries:
#     - 5cc62ad6baf572dbae925f701526310778f032bb4a54b205bada78b1eb8c479c
#     - eb33a96726a34dd60b053d3d1048137dffb1bba68a1ad6f56d33f5d6efb12b97
# Notes:
#   - The Snort signatures still need more testing/scrutiny.
#   - Performance Profiling results didn't seem encouraging for the signatures.
#   - The indicator rules are created for the "exotic" RR types only.

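# DarkHydrus document: four byte sequences from the sample, matched in
# file_data with within: windows chaining them in order. The header is
# unrestricted (any any -> any any) and the rule relies on the "service smtp"
# metadata binding plus flow:to_server, so it watches mail being sent rather
# than a download in the usual sense -- the msg wording is looser than the
# header. The author reports poor performance-profiling results and asks for
# scrutiny; with no fast_pattern declared Snort picks the longest content.
# Rule restored to a single line.
alert tcp any any -> any any (msg:"MALWARE-CNC DarkHydrus variant malicious document download attempt"; flow:to_server,established; file_data; content:"|ac 92 4d 4f c3 30 0c 86 ef 48 fc 87 c8 f7 d5 dd 90 10 42 4b 77 41 48|"; content:"|55 53 68 39 69 b0 62 9e 72 3a 22 79 5f 64 6c c0 f3 44 9b bf 13 fd 7c 2d 4e 9c c8 52 22 34 12 f8 32 cf 47 c7 25 a0|"; within:200; content:"|4e c3 30 0c 86 ef 48 bc 43 e4 3b 4d 3b 10 42 68|"; within:400; content:"|22 54 54 4d 35 6c 46|"; within:315; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000474; rev:1;)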

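# NXDOMAIN answer to a TXT query, >100 bytes. Bytes 2-3 = 0x8183: QR, RD, RA
# set and RCODE 3 (name error). The second content is the end of the qname
# (00), QTYPE 0x0010 (TXT), QCLASS IN, then a root-name authority record of
# type SOA -- the usual shape of a negative answer. detection_filter tracks
# by_src, i.e. per resolver: two such answers to different internal hosts from
# one resolver count together; track by_dst would count per victim. Rule
# restored to a single line.
alert udp any 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE NXDOMAIN of TXT RR type"; flow:to_client; dsize:>100; content:"|81 83|"; offset:2; depth:2; content:"|00 00 10 00 01 00 00 06 00 01|"; within:255; detection_filter:track by_src, count 2, seconds 60; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000475; rev:1;)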

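# NXDOMAIN answer to a SOA query, >100 bytes: same flags (0x8183) as 8000475,
# QTYPE 0x0006 (SOA), QCLASS IN, followed by a root-name SOA authority record.
# Same by_src (per-resolver) detection_filter caveat as 8000475. Rule restored
# to a single line.
alert udp any 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE NXDOMAIN of SOA RR type"; flow:to_client; dsize:>100; content:"|81 83|"; offset:2; depth:2; content:"|00 00 06 00 01 00 00 06 00 01|"; within:255; detection_filter:track by_src, count 2, seconds 60; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000476; rev:1;)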

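# NXDOMAIN answer to an AAAA query. Unlike the TXT/SOA rules this one expects
# flags 0x8403 (QR + AA, RCODE 3 -- an authoritative answer with RD/RA clear),
# has no dsize floor, and needs 5 hits per resolver in 60 s. QTYPE 0x001C is
# AAAA, QCLASS IN. Whether the different flag byte is deliberate or sample-
# specific is not stated -- confirm against the PCAPs. Rule restored to a
# single line.
alert udp any 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE NXDOMAIN of AAAA RR type"; flow:to_client; content:"|84 03|"; offset:2; depth:2; content:"|00 00 1C 00 01|"; within:255; detection_filter:track by_src, count 5, seconds 60; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000477; rev:1;)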
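# RogueRobin DNS tunnelling, .agency TLD. byte_test on byte 2 with mask 0xF8
# requires QR=0 and Opcode=0 (a standard query). content: label length 6,
# "agency", the root terminator, then the first byte of QTYPE. The pcre then
# wants an earlier label of length 5-6 shaped "a" + 3-4 chars from [h-q] +
# "c" somewhere before the TLD. Rule restored to a single line.
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .agency TLD"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|agency|00 00|"; fast_pattern; pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+agency/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000478; rev:1;)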

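# RogueRobin DNS tunnelling, .life TLD: same standard-query byte_test and
# label-shape pcre as 8000478, anchored on label "|04|life" + root terminator.
# Rule restored to a single line.
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .life TLD"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|life|00 00|"; fast_pattern; pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+life/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000479; rev:1;)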

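# RogueRobin DNS tunnelling, .live TLD: same standard-query byte_test and
# label-shape pcre as 8000478, anchored on label "|04|live" + root terminator.
# Rule restored to a single line.
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .live TLD"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|live|00 00|"; fast_pattern; pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+live/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000480; rev:1;)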

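# RogueRobin DNS tunnelling, .world TLD: same standard-query byte_test and
# label-shape pcre as 8000478, anchored on label "|05|world" + root terminator.
# Rule restored to a single line.
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .world TLD"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|world|00 00|"; fast_pattern; pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+world/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000481; rev:1;)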

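# RogueRobin DNS tunnelling, .today TLD: same standard-query byte_test and
# label-shape pcre as 8000478, anchored on label "|05|today" + root terminator.
# Rule restored to a single line.
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .today TLD"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|today|00 00|"; fast_pattern; pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+today/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000482; rev:1;)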

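# RogueRobin DNS tunnelling, .services TLD: same standard-query byte_test and
# label-shape pcre as 8000478, anchored on label "|08|services" + root
# terminator.
# rev 2: fixed the msg typo ".servies" -> ".services" to match the content
# and the sibling rules. Rule restored to a single line.
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .services TLD"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|services|00 00|"; fast_pattern; pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+services/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000483; rev:2;)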

# --------------------
# Date: 2019-01-21
# Title: Andr.Trojan.Xinyinhe
# Reference: Research
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes: 5b5043b13da32c048f7ccb19a3b200c7145d020449d8ed7d7cf3ae7ecaef6863
# Notes:
#   - Download URL: hxxp://cdn[.]tiedd[.]info/uploadonly/201811/107/5c6532745b100a173742fe85c7f33678.apk

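# Xinyinhe config fetch: URI /config?pubid=... carrying new_user, pkg_name and
# first_time parameters.
# rev 2: fixed the msg typo "attmept" -> "attempt". The rule was posted as
# sid:8000475, which collides with the NXDOMAIN TXT rule earlier in this mail;
# NOTE(review): 8000484 is a constructed value (next after 8000483 above) --
# confirm the final sid with the list maintainer. Rule restored to one line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Xinyinhe outbound connection attempt"; flow:to_server,established; content:"/config?pubid="; fast_pattern:only; http_uri; content:"&new_user="; http_uri; content:"&pkg_name="; http_uri; content:"&first_time="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000484; rev:2;)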

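# Xinyinhe module check-in: URI /config?pubid=... carrying moduleid and pkname
# parameters. Shares its fast-pattern content with the rule above, so a
# request carrying all five parameters fires both.
# rev 2: fixed the msg typo "attmept" -> "attempt". The rule was posted as
# sid:8000476, which collides with the NXDOMAIN SOA rule earlier in this mail;
# NOTE(review): 8000485 is a constructed value -- confirm the final sid with
# the list maintainer. Rule restored to one line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Xinyinhe outbound connection attempt"; flow:to_server,established; content:"/config?pubid="; fast_pattern:only; http_uri; content:"&moduleid="; http_uri; content:"&pkname="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000485; rev:2;)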