Snort mailing list archives
Re: Win.Malware.Disttrack
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 20 Feb 2017 02:49:27 +0000
Hi,

Please go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: "ILLG, FREDERICK C" <fi763c () att com>
Date: Sunday, February 19, 2017 at 8:38 PM
To: 'Y M' <snort () outlook com>, "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: Re: [Snort-sigs] Win.Malware.Disttrack

Please remove me from the email distro. Thank you!

Frederick Illg
Senior Specialist, Technology Security
Global Emerging Services - Security & Advanced Applications
AT&T Services, Inc.

From: Y M [mailto:snort () outlook com]
Sent: Sunday, February 19, 2017 12:52 AM
To: snort-sigs <snort-sigs () lists sourceforge net>
Subject: [Snort-sigs] Win.Malware.Disttrack

Hello,

The below signatures address the following hashes and the observed C&C traffic. Pcaps and samples should be publicly available. If not, please let me know.
These were part of the analysis covered here: https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Malware.Disttrack second stage payload download response"; flow:to_client,established; content:"Content-type|3A 20|text/html|0D 0A 0D 0A|"; file_data; content:"powershell.exe"; nocase; content:"hidden"; nocase; within:50; content:!"Content-Length"; nocase; content:!"Connection"; nocase; content:!"Location"; nocase; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000849; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Malware.Disttrack third stage payload download response"; flow:to_client,established; content:"Content-type|3A 20|application/octet-stream|0D 0A 0D 0A|"; file_data; content:"function Invoke-ReflectivePEInjection"; nocase; content:!"Content-Length"; nocase; content:!"Connection"; nocase; content:!"Location"; nocase; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000850; rev:1;)

The below rules were simulated in the lab to detect the first stage payload documents in transit.

Notes:
1. The first two rules are replicas of sid:26083 and sid:26084 respectively, with the modifications to look for .xlsm instead of .xlsx.
2. sid:36611 triggered nicely on the suspected traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file download request"; flow:to_server,established; content:".xlsm"; fast_pattern:only; http_uri; pcre:"/\x2exlsm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xlsm; metadata:service http; classtype:misc-activity; sid:1000851; rev:1;)

alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file attachment detected"; flow:to_client,established; content:".xlsm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exlsm/i"; flowbits:set,file.xlsm; metadata:service imap, service pop3; classtype:misc-activity; sid:1000852; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file download response"; flow:to_client,established; content:"Content-Type|3A 20|application/vnd.ms-excel.sheet.macroEnabled"; fast_pattern:only; http_header; file_data; content:"|50 4B 03 04|"; depth:4; flowbits:set,file.xlsm; metadata:service http; classtype:misc-activity; sid:1000853; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office OLE CF file download response"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; fast_pattern; flowbits:set,file.olecf; metadata:service http; classtype:misc-activity; sid:1000854; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Microsoft Office OLE CF file with PowerShell content download"; flow:to_client,established; flowbits:isset,file.olecf; file_data; content:"-window"; content:"hidden"; within:15; content:"powershell.exe"; metadata:service http; classtype:misc-activity; sid:1000855; rev:1;)

Thank you.
YM
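As an added example, not part of the thread or of YM's rules: a small Python model of how the two OLE CF rules chain through the file.olecf flowbit (sid:1000854 sets it, sid:1000855 requires it) and how a `within` modifier is evaluated, the same mechanism sid:1000849 uses with within:50. The sample bodies are constructed, and the matcher re-implements the content/depth/within/flowbits semantics as I understand them rather than calling Snort.

```python
# Constructed model of the OLE CF rule chain above: sid:1000854 sets the
# file.olecf flowbit, sid:1000855 requires it. This is not Snort; it only
# re-implements the depth / within / flowbits semantics those rules rely on.
OLECF_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # |D0 CF 11 E0 A1 B1 1A E1|


def content_depth(buf: bytes, pattern: bytes, depth: int) -> bool:
    """content:pattern; depth:N -> pattern must lie wholly in the first N bytes."""
    return buf.find(pattern, 0, depth) >= 0


def content_within(buf: bytes, first: bytes, second: bytes, within: int) -> bool:
    """content:first; content:second; within:N -> `second` must fit entirely
    inside the N bytes that follow the end of a `first` match. Matches are
    case-sensitive because neither content in sid:1000855 sets nocase."""
    start = 0
    while (i := buf.find(first, start)) >= 0:  # retry on every `first` hit
        end = i + len(first)
        if buf.find(second, end, end + within) >= 0:
            return True
        start = i + 1
    return False


def evaluate_olecf_chain(file_data: bytes) -> dict:
    """Evaluate sid:1000854 then sid:1000855 over one reassembled file_data
    buffer; returns the sids that alert and the flowbits left on the flow."""
    flowbits, fired = set(), []
    if content_depth(file_data, OLECF_MAGIC, 8):      # sid:1000854
        flowbits.add("file.olecf")
        fired.append(1000854)
    if ("file.olecf" in flowbits                       # sid:1000855
            and content_within(file_data, b"-window", b"hidden", 15)
            and b"powershell.exe" in file_data):       # non-relative: anywhere
        fired.append(1000855)
    return {"fired": fired, "flowbits": sorted(flowbits)}


# Constructed sample bodies, not real Disttrack documents
OLE_WITH_PS = OLECF_MAGIC + b"\x00" * 24 + b"cmd /c powershell.exe -window hidden"
OLE_BENIGN = OLECF_MAGIC + b"\x00" * 24 + b"Quarterly figures, see sheet 2"
ZIP_WITH_PS = b"PK\x03\x04" + b"\x00" * 24 + b"powershell.exe -window hidden"
OLE_MIXED_CASE = OLECF_MAGIC + b"\x00" * 24 + b"powershell.exe -Window Hidden"

if __name__ == "__main__":
    for name, body in [("OLE + powershell", OLE_WITH_PS), ("OLE benign", OLE_BENIGN),
                       ("ZIP + powershell", ZIP_WITH_PS), ("OLE mixed case", OLE_MIXED_CASE)]:
        print(f"{name:18} -> {evaluate_olecf_chain(body)}")
```

The ZIP body shows why the flowbit matters (the strings alone never reach sid:1000855), and the mixed-case body shows that the rule as written matches `-window` byte-for-byte, which is worth knowing when tuning it against lab pcaps.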
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
Current thread:
- Win.Malware.Disttrack Y M (Feb 10)
- Re: Win.Malware.Disttrack Tyler Montier (Feb 10)
- Re: Win.Malware.Disttrack Y M (Feb 10)
- <Possible follow-ups>
- Win.Malware.Disttrack Y M (Feb 18)
- Re: Win.Malware.Disttrack ILLG, FREDERICK C (Feb 19)
- Re: Win.Malware.Disttrack Al Lewis (allewi) (Feb 19)
- Re: Win.Malware.Disttrack Tyler Montier (Feb 10)