
Multiple signatures 028


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 15 May 2019 18:44:48 +0000

Hello,

A short list of new signatures is available below. PCAPs as well as Yara/ClamAV signatures are available.

Thank you.
YM

# --------------------
# Title: Spam campaign targets Exodus Mac Users
# Reference: https://labsblog.f-secure.com/2018/11/02/spam-campaign-targets-exodus-mac-users/
# Tests: syntax only
# Yara: MALWARE_Osx_Trojan_RealtimeSpy
# ClamAV: MALWARE_Osx.Trojan.RealtimeSpy
# Hashes:
#   - 123c0447d0a755723025344d6263856eaf3f4be790f5cda8754cdbb36ac52b98
#   - 26a2711c45674e3a3e6b14c6680809e9620bea57b6b83f40d70485aa4df8a5a6
#   - 2ec250a5ec1949e5bb7979f0f425586a2ddc81c8da93e56158126cae8db81fd1
#   - 987fd09af8096bce5bb8e662bdf2dd6a9dec32c6e6d238edfeba662dd8a998fc
#   - ae2390d8f49084ab514a5d2d8c5fd2b15a8b8dbfc65920d8362fe84fbe7ed8dd
#   - b1da51b6776857166562fa4abdf9ded23d2bdd2cf09cb34761529dfce327f2ec
# Note:
#    - Old reference but why not
#    - No package (pslist), so execution failed; we know of no method to reconstruct
#      the package and have no access to it, so we rely on URL strings from the
#      binary and on the behavior tab from VT.

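# Osx.Trojan.RealtimeSpy monitor-app check-ins (sid 8000618-8000624).
# Every rule keys on one server-side script path in the normalized URI buffer
# (http_uri), restricted to client->server traffic on an established stream
# toward $EXTERNAL_NET $HTTP_PORTS.  fast_pattern:only means the URI string is
# the only content and is evaluated solely in the fast-pattern matcher, so the
# string itself has to be selective.  Where the whole path is fixed, urilen
# pins the exact URI length so a longer URI that merely contains the path does
# not match; rules whose path is followed by a query string (8000619, 8000622,
# 8000623) cannot use urilen and match on the "<script>?username=" prefix.
# The rules as mailed were line-wrapped (which splits the msg string and breaks
# parsing); each is restored to a single line here.

# /locrts7.php is exactly 12 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.RealtimeSpy monitor app outbound connection"; flow:to_server,established; urilen:12; content:"/locrts7.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000618; rev:1;)

# Registration request; the query string carries a username, so no urilen.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.RealtimeSpy monitor app outbound connection"; flow:to_server,established; content:"/addcomputer.php?username="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000619; rev:1;)

# /add_activity_log.php is exactly 21 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.RealtimeSpy monitor app outbound connection"; flow:to_server,established; urilen:21; content:"/add_activity_log.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000620; rev:1;)

# /upload_ss.php is exactly 14 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.RealtimeSpy monitor app outbound connection"; flow:to_server,established; urilen:14; content:"/upload_ss.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000621; rev:1;)

# Query string follows the script name, so no urilen.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.RealtimeSpy monitor app outbound connection"; flow:to_server,established; content:"/stopss.php?username="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000622; rev:1;)

# Query string follows the script name, so no urilen.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.RealtimeSpy monitor app outbound connection"; flow:to_server,established; content:"/get_ss_comp.php?username="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000623; rev:1;)

# /add_rt_log.php is exactly 15 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.RealtimeSpy monitor app outbound connection"; flow:to_server,established; urilen:15; content:"/add_rt_log.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000624; rev:1;)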

# --------------------
# Title: Let’s nuke Megumin Trojan
# Reference: https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/
# Tests: pcaps
# Yara: MALWARE_Win_Trojan_Megumin
# ClamAV: MALWARE_Win.Trojan.Megumin
# Hashes:
#   - 8777749af37a2fd290aad42eb87110d1ab7ccff4baa88bd130442f25578f3fe1
#   - 89813ebf2da34d52c1b924b408d0b46d1188b38f035d22fab26b852ad6a6fc19
#   - c70120ee9dd25640049fa2d08a76165948491e4cf236ec5ff204e927a0b14918
#   - d15e1bc9096810fb4c954e5487d5a54f8c743cfd36ed0639a0b4cb044e04339f
#   - d431e6f0d3851bbc5a956c5ca98ae43c3a99109b5832b5ac458b8def984357b8
#   - e6c447c826ae810dec6059c797aa04474dd27f84e37e61b650158449b5229469
#   - ed65610f2685f2b8c765ee2968c37dfce286ddcc31029ee6091c89505f341b97
#   Triage:
#   - 280564e498cc140d0a0e1ccb744b0130c885f4179ee68bd6c52766c3fe518c00 (unpacked/dumped)
#   - 7f65c5836da936a81e420ef4cf1c93abb094d5edb15718871ca63affbf0c753e (unpacked/dumped)
# Note:
#   - Existing Yara/ClamAV signatures hits:
#       1. INDICATOR_Binary_References_Many_Wallets                     > Ethereum, Bitcoin, LiteCoin, ByteCoin,
#          ReddCoin, EmerCoin, ZCash, Dash, Monero, Electron
#       2. INDICATOR_Binary_References_Many_Builtin_Windows_Commands    > taskmgr, timeout, attrib
#       3. INDICATOR_Binary_References_Many_Builtin_Windows_Executables > cmd.exe, attrib.exe, dllhost.exe

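# Win.Trojan.Megumin C2 traffic (sid 8000625-8000634).
# Rules 8000625-8000627 and 8000629-8000632 share one request shape: a fixed
# URI path (urilen where the path has no query string), a POST method, a
# "Content-Type: multipart/form-data" header, and two negated header contents
# requiring that no "User-Agent" and no "referer" string appear in the header
# buffer.  8000628 and 8000633 instead chain several http_uri contents that
# together describe the query-string layout.  8000634 is the odd one out: it
# keys on a "User-Agent: Megumin/" header being present.
# The rules as mailed were line-wrapped (which splits the msg and Content-Type
# strings); each is restored to a single line here.
#
# NOTE(review): content matching is case-sensitive unless nocase is given, so
# content:!"referer" only excludes a header spelled in lower case; a request
# carrying a conventionally cased "Referer:" header still satisfies the
# negation, and likewise "user-agent:" would slip past content:!"User-Agent".
# If the intent is "no Referer / no User-Agent header at all", add nocase to
# the negated contents and re-run the pcaps; left as-is here so the tested
# behaviour does not change silently.

# /suicide is exactly 8 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; urilen:8; content:"/suicide"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000625; rev:1;)

# /config is exactly 7 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; urilen:7; content:"/config"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000626; rev:1;)

# /msgbox is exactly 7 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; urilen:7; content:"/msgbox"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000627; rev:1;)

# Bot registration: the hwid query parameter plus four further parameters
# (bit, win, cpu, gpu) must all appear in the URI.  The non-fast-pattern
# contents are not relative to one another, so their order in the URI is not
# enforced.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; content:"/addbot?hwid="; fast_pattern:only; http_uri; content:"&bit="; http_uri; content:"&win="; http_uri; content:"&cpu="; http_uri; content:"&gpu="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000628; rev:1;)

# /blacklist is exactly 10 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; urilen:10; content:"/blacklist"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000629; rev:1;)

# Task poll; query string follows the path, so no urilen.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; content:"/task?hwid="; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000630; rev:1;)

# Task completion report; query string follows the path, so no urilen.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; content:"/completed?hwid="; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000631; rev:1;)

# Gate check-in; query string follows the path, so no urilen.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; content:"/gate?hwid="; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000632; rev:1;)

# Clipboard upload: hwid, type and date query parameters, no User-Agent
# header; no method or Content-Type constraint in this one.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; content:"/newclip?hwid="; fast_pattern:only; http_uri; content:"&type="; http_uri; content:"&date="; http_uri; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000633; rev:1;)

# Header-only rule: any request whose User-Agent starts with "Megumin/".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; content:"User-Agent: Megumin/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000634; rev:1;)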

# --------------------
# Title: Win.Ransomware.MegaCortex / Win.Trojan.Rietspoof
# Reference:
#   - https://blog.avast.com/rietspoof-malware-increases-activity
#   - https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/
#   - https://github.com/sophoslabs/IoCs/blob/master/Ransomware-MegaCortex
# Tests: pcaps (f2p)
# Yara:
#   - MALWARE_Win_Trojan_Rietspoof
#   - MALWARE_Win_Ransomware_MegaCortex
# ClamAV:
#   - MALWARE_Win_Trojan_Rietspoof
#   - Win.Ransomware.MegaCortex
# Hashes:
#   - MegaCortex:
#       - 0858bc69e02c730a55f760f01374bdc378aaff806478d1c18f9e587d7121b56a
#       - 11f7bb37dd425150e6b095a8d1f3a347ee83e604302a4d9bb201900e74a81d73
#       - 598ee9ee6ad4467ddf4b4d325cb15928fd692da8d6e1c8980d2d86d97ea2f4f9
#       - b17ff8c0d83d07fca854d669d1389e8e24718ca54ed1543fdb09e9b9b39456ef
#       - b4a65070354d2a89e84b5ddae81a954a868a714a248a48b72c832c759d85558a
#       - f5d39e20d406c846041343fe8fbd30069fd50886d7d3d0cce07c44008925d434
#   - Rietspoof:
#       - 25d7718dc30eccd1a9a2bc037a49b98c503f8064a55a009b1818ba448bcad27b
#       - 523fcda29655bec72d941311e70e7e810cc5a040d527fb5739120e36fee2e5df
#       - 9097f3cbedc79d1c1b91a0c3e776c19d07cb233d79e4af6f325e8d5d537348c2
#       - acf46be54c303002d74df6c975083c706b3e1cb8a92e75516579cd0fe65ce918
#       - f5d739b5b15530be8acafc0f4f358ec48efbe3b1a5d7debbf94bed17b2a3b940
# Note:
#   - Robbinhood ransomware is surprisingly similar to MegaCortex in terms
#     of the Windows services being targeted.

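# Win.Trojan.Rietspoof / Win.Ransomware.MegaCortex executable-download rules
# (sid 8000635-8000640).  Each detection comes as a pair: one rule for files
# delivered to $HOME_NET over ftp-data/http/imap/pop3 (flow:to_client on
# $FILE_DATA_PORTS) and one for files submitted to $SMTP_SERVERS on 25
# (flow:to_server).  All six are gated on flowbits:isset,file.exe, a bit that
# is not set anywhere in this listing and must come from the ruleset's
# executable file-type rules; the contents are then searched in the
# reassembled file body (file_data).
# The rules as mailed were line-wrapped (which splits the msg strings and the
# hex byte sequences); each is restored to a single line here.

# Rietspoof: a 32-character literal string present in the binary.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Rietspoof malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"M9h5an8f8zTjnyTwQVh6hYBdYsMqHiAz"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000635; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Rietspoof malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"M9h5an8f8zTjnyTwQVh6hYBdYsMqHiAz"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000636; rev:1;)

# Rietspoof: an embedded HTTP format string ("Content-MD5:%s", CRLF, four
# NUL bytes, then the start of a hard-coded User-agent line).  |3B| is ';'.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Rietspoof malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Content-MD5:%s|0D 0A 00 00 00 00|User-agent:Mozilla/5.0 (Windows|3B| U|3B|"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000637; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Rietspoof malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Content-MD5:%s|0D 0A 00 00 00 00|User-agent:Mozilla/5.0 (Windows|3B| U|3B|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000638; rev:1;)

# MegaCortex: a chain of Win32 API names at fixed gaps.  The hex contents
# decode to FlushFileBuffers, FindClose, FindFirstFileExA, FindNextFileA,
# SetStdHandle, CreateFileW, WriteConsoleW and HeapSize; distance:3 /
# distance:95 fix the byte gap between consecutive names, so the rule is
# effectively a fingerprint of one build's import-name layout.  No content is
# marked fast_pattern, so the matcher's default choice (normally the longest
# content) applies.
# NOTE(review): the individual names are common to many Windows programs;
# only the exact spacing ties this to the MegaCortex samples.  A relinked
# build will not match, and an unrelated binary with the same layout would,
# so confirm against the pcaps (f2p) and prefer a sample-specific string if
# one is available.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.MegaCortex malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|46 6c 75 73 68 46 69 6c 65 42 75 66 66 65 72 73|"; content:"|46 69 6e 64 43 6c 6f 73 65|"; distance:3; content:"|46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 41|"; distance:3; content:"|46 69 6e 64 4e 65 78 74 46 69 6c 65 41|"; distance:3; content:"|53 65 74 53 74 64 48 61 6e 64 6c 65|"; distance:95; content:"|43 72 65 61 74 65 46 69 6c 65 57|"; distance:3; content:"|57 72 69 74 65 43 6f 6e 73 6f 6c 65 57|"; distance:3; content:"|48 65 61 70 53 69 7a 65|"; distance:3; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000639; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.MegaCortex malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|46 6c 75 73 68 46 69 6c 65 42 75 66 66 65 72 73|"; content:"|46 69 6e 64 43 6c 6f 73 65|"; distance:3; content:"|46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 41|"; distance:3; content:"|46 69 6e 64 4e 65 78 74 46 69 6c 65 41|"; distance:3; content:"|53 65 74 53 74 64 48 61 6e 64 6c 65|"; distance:95; content:"|43 72 65 61 74 65 46 69 6c 65 57|"; distance:3; content:"|57 72 69 74 65 43 6f 6e 73 6f 6c 65 57|"; distance:3; content:"|48 65 61 70 53 69 7a 65|"; distance:3; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000640; rev:1;)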

# --------------------
# Title: Win.Ransomware.Robbinhood
# Reference: Research
# Reference: https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/
# Reference: https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/
# Tests: pcaps (f2p)
# Yara:
#   - MALWARE_Win_Ransomware_Robbinhood
# ClamAV:
#   - MALWARE_Win.Ransomware.Robbinhood
# Hashes:
#   - 21cb84fc7b33e8e31364ff0e58b078db8f47494a239dc3ccbea8017ff60807e3
#   - 3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b
#   - 9977ba861016edef0c3fb38517a8a68dbf7d3c17de07266cfa515b750b0d249e
#   - bfc39ca9a223a731fb6d9ffb29923844904cb842435cde0c640ba79818b5e728
#   - e128d5aa0b5a9c6851e69cbf9d2c983eefd305a10cba7e0c8240c8e2f79a544f
# Note:
#   - Hits on existing Yara/ClamAV signatures:
#       1. INDICATOR_Binary_References_Many_Builtin_Windows_Commands    > taskkill, tasklist, WMIC
#       2. INDICATOR_Binary_References_Many_Builtin_Windows_Executables > cmd.exe, bcdedit.exe, wevtutil.exe,
#          vssadmin.exe, WMIC.exe, sc.exe
#   - Robbinhood ransomware is surprisingly similar to MegaCortex in terms
#     of the Windows services being targeted.

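# Win.Ransomware.Robbinhood executable-download rules (sid 8000641-8000648).
# 8000641/8000642 are gate rules: they never alert (flowbits:noalert) and only
# set file.golang when a file already flagged as an executable
# (flowbits:isset,file.exe, set by file-type rules outside this listing)
# carries the Go toolchain's "Go build ID: " marker.  8000643-8000648 then
# require file.golang and look for three strings from the samples: a run of
# concatenated command names, a run of tool names followed by a status
# message, and the ".enc_robbinhood" extension.  As elsewhere in this
# submission, each detection has a $FILE_DATA_PORTS->$HOME_NET variant
# (ftp-data/http/imap/pop3) and an $SMTP_SERVERS:25 variant.
# Changes from the mailed version: the rules are restored to one line each
# (mail wrapping split the msg strings), and the msg of 8000643-8000648 now
# spells the family "Robbinhood", matching the title, the Yara/ClamAV names
# and the ".enc_robbinhood" content (it read "Robinhood" before).

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE golang binary download attempt detect"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Go build ID: "; fast_pattern:only; flowbits:set,file.golang; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000641; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE golang binary download attempt detect"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Go build ID: "; fast_pattern:only; flowbits:set,file.golang; flowbits:noalert; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000642; rev:1;)

# Concatenated command names as laid out in the binary's string table.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Robbinhood malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.golang; file_data; content:".taskkilltasklistunknown("; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000643; rev:1;)

# Tool names followed by a " MB released" status fragment.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Robbinhood malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.golang; file_data; content:".sysvssadmin.exewevtutil.exe MB released"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000644; rev:1;)

# Encrypted-file extension string.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Robbinhood malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.golang; file_data; content:".enc_robbinhood"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000645; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Robbinhood malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.golang; file_data; content:".taskkilltasklistunknown("; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000646; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Robbinhood malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.golang; file_data; content:".sysvssadmin.exewevtutil.exe MB released"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000647; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Robbinhood malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.golang; file_data; content:".enc_robbinhood"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000648; rev:1;)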