Snort mailing list archives
Re: Backdoor OSCelestial RAT
From: Tyler Montier <tmontier () sourcefire com>
Date: Mon, 6 Mar 2017 15:17:21 -0500
Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. Since you have pcaps available, can you send them my way?

Sincerely,
Tyler Montier
Cisco Talos

On Mon, Mar 6, 2017 at 6:06 AM, Y M <snort () outlook com> wrote:
Hello,

The rules below are for the OSCelestial RAT. I left the OS (Win, OSX, etc.) out of the beginning of the rules' messages since the sample in question seems to be targeting multiple OSes. The sample was successfully tested on Windows, OS X, and Linux (Ubuntu). Other OSes were not tested. The last rule may be overkill, but the pattern was too obvious to be missed. Pcap is available.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant outbound connection"; flow:to_server,established; content:"|70 73 72 00|"; content:"|17|com.net.LoginDataPacket"; distance:0; within:24; metadata:ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:1000867; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant outbound connection"; flow:to_server,established; content:"|70 73 72 00|"; content:"|11|com.net.LoginData"; distance:0; within:18; content:"|0E|identification"; content:"|08|maccaddr"; distance:7; within:9; content:"|0F|operatingsystem"; distance:7; within:16; content:"|06|pcname"; distance:7; within:7; content:"|08|username"; distance:7; within:9; content:"|07|version"; distance:7; within:8; metadata:ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:1000868; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant inbound connection"; flow:to_client,established; dsize:>800; content:"|1B|com.net.DynamicPluginPacket"; fast_pattern:only; content:"|00 14|com.oscp.client.HRDP"; content:"|00 26|net.oscp.client.networking.OpenWebsite"; content:"|00 28|"; distance:1; content:".UploadExecute"; distance:25; within:15; content:"|00 27|"; distance:1; content:".ReverseProxy"; distance:25; within:14; content:"|00 2A|"; distance:1; content:".DownloadExecute"; distance:25; within:17; content:"|00 29|"; distance:1; content:".KeystrokeLogger"; distance:24; within:17; content:"|00 27|"; distance:1; content:".JarInjector"; distance:26; within:13; content:"|00 2B|"; distance:1; content:".JarInjectUpload"; distance:26; within:17; content:"|00 21|"; distance:1; content:".Explorer"; distance:24; within:10; content:"|00 25|"; distance:1; content:".RemoteChat"; distance:25; within:12; content:"|00 25|"; distance:1; content:".MessageBox"; distance:25; within:12; content:"|00 23|"; distance:1; content:".DesktopView"; distance:22; within:13; content:"|00 29|"; distance:1; content:".PasswordRecovery"; distance:23; within:18; content:"|00 21|"; distance:1; content:".WebcamView"; distance:21; within:12; content:"|00 27|"; content:".Terminal"; distance:23; within:10; metadata:ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:1000869; rev:1;)

Thank you.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
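The two outbound rules in the submission anchor on Java serialization structure rather than on a protocol keyword: |70 73 72| is TC_NULL TC_OBJECT TC_CLASSDESC, the following |00 17| is the two-byte modified-UTF8 length of the class name (0x17 = 23 = len("com.net.LoginDataPacket")), and within:24 equals the pattern length, so the name must start immediately after that length field. The same length-prefixed layout explains the |0E|identification and |00 14|com.oscp.client.HRDP contents in the other two rules. The script below is an added example, not code from the original post or from Talos: it builds a constructed stream from the java.io.ObjectStreamConstants values (the class names come from the rule; the outer com.example.Envelope object, the field names and serialVersionUID 0 are assumptions, not properties of the real sample) and evaluates the sid:1000867 content chain against it with a small model of Snort's content/distance/within semantics, including the case the rule cannot see (a LoginDataPacket written as the top-level object, where no TC_NULL precedes it).

```python
"""Snort content/distance/within chains against a Java serialization stream.

Added example (not code from the post or from Talos). The stream below is
constructed: the class names come from the rule, everything else (the outer
com.example.Envelope object, field names, serialVersionUID 0) is assumed.
"""
import struct

# java.io.ObjectStreamConstants values the rules depend on
STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION 5
TC_NULL = b"\x70"          # null reference; also ends a superclass chain
TC_CLASSDESC = b"\x72"     # new class descriptor
TC_OBJECT = b"\x73"        # new object
TC_STRING = b"\x74"        # new String
TC_ENDBLOCKDATA = b"\x78"  # end of class annotations
SC_SERIALIZABLE = b"\x02"  # classDescFlags for a plain Serializable class


def utf(text: str) -> bytes:
    """String as ObjectOutputStream writes it: 2-byte big-endian length, then bytes.
    The rule's |17| / |11| bytes are the low byte of this length field."""
    raw = text.encode()
    return struct.pack(">H", len(raw)) + raw


def class_desc(name: str, fields: list, suid: int = 0) -> bytes:
    """TC_CLASSDESC for a Serializable class with object-typed fields only and no
    superclass. Each field's type signature is written as a fresh TC_STRING; a
    real stream emits TC_REFERENCE (0x71) for a signature it has seen before."""
    out = TC_CLASSDESC + utf(name) + struct.pack(">q", suid) + SC_SERIALIZABLE
    out += struct.pack(">H", len(fields))
    for fname, sig in fields:
        out += b"L" + utf(fname) + TC_STRING + utf(sig)
    return out + TC_ENDBLOCKDATA + TC_NULL


def build_packet(nested: bool = True) -> bytes:
    """Constructed stream. With nested=True a hypothetical com.example.Envelope
    object carries the LoginDataPacket as a field value, so the packet's
    TC_OBJECT TC_CLASSDESC follows the TC_NULL that ends Envelope's superclass
    chain: exactly the |70 73 72 00| the rule anchors on. With nested=False the
    packet is the top-level object and follows the stream header instead."""
    packet = (TC_OBJECT
              + class_desc("com.net.LoginDataPacket", [("data", "Lcom/net/LoginData;")])
              + TC_NULL)  # field value: a null LoginData
    if not nested:
        return STREAM_MAGIC + packet
    envelope = TC_OBJECT + class_desc("com.example.Envelope",
                                      [("packet", "Lcom/net/LoginDataPacket;")])
    return STREAM_MAGIC + envelope + packet


def snort_content(text: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def match_chain(payload: bytes, chain: list, prev_end: int = 0, i: int = 0):
    """Evaluate a chain of (pattern, distance, within) the way Snort's content
    modifiers compose: a content with neither modifier is searched from offset
    0; with modifiers it is searched from prev_end + distance and must lie
    entirely within the next `within` bytes. When a later content fails, the
    earlier one is retried at its next occurrence (a simplified model of
    Snort's own retry). Returns the end offset of the final match, or None."""
    if i == len(chain):
        return prev_end
    pattern, distance, within = chain[i]
    if distance is None and within is None:
        start, limit = 0, len(payload)
    else:
        start = prev_end + (distance or 0)
        limit = len(payload) if within is None else start + within
    idx = payload.find(pattern, start, limit)
    while idx >= 0:
        end = match_chain(payload, chain, idx + len(pattern), i + 1)
        if end is not None:
            return end
        idx = payload.find(pattern, idx + 1, limit)
    return None


# Content chain of sid:1000867 as posted. within:24 equals the pattern length,
# so the class name must start immediately after the |00| high length byte.
RULE_1000867 = [
    (snort_content("|70 73 72 00|"), None, None),
    (snort_content("|17|com.net.LoginDataPacket"), 0, 24),
]


if __name__ == "__main__":
    print("nested packet:", match_chain(build_packet(True), RULE_1000867))
    print("top-level packet:", match_chain(build_packet(False), RULE_1000867))
```

Running it shows the nested stream matching and the top-level stream not matching, which is the check worth doing with the pcap before the rule is accepted: if the sample ever writes LoginDataPacket as the first object after the stream header, the |70| anchor is absent and the rule is silent. Tightening within: to the pattern length, as the submission does, is what keeps the chain from matching the class name at an arbitrary later offset.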
Current thread:
- Backdoor OSCelestial RAT Y M (Mar 06)
- Re: Backdoor OSCelestial RAT Tyler Montier (Mar 06)