Snort mailing list archives

Re: Win.Trojan.NetSupport RAT sig(s)


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 26 Oct 2017 15:17:10 +0000

Looking at the HTTP payload, which is in plaintext, sure enough it did not seem legit to me. Additionally, this was an 
attempted download from an .edu domain, similar to what has been reported out there. It just has bad written all over 
it.

Good to know anyway. Perhaps the message can be changed to POLICY-OTHER.

Thanks.
YM

_____________________________
From: jack () malwarefor me
Sent: Thursday, October 26, 2017 5:08 PM
Subject: Re: [Snort-sigs] Win.Trojan.NetSupport RAT sig(s)
To: Y M <snort () outlook com>, Y M via Snort-sigs <snort-sigs () lists snort org>



For what it's worth, I would be careful classifying this as TROJAN/MALWARE as it is a legitimate tool being abused 
(sort of like TeamViewer).


Best,


Jack

On October 26, 2017 at 5:09 AM Y M via Snort-sigs <snort-sigs () lists snort org> wrote:


Hello,


The below rule is for detecting the NetSupport RAT. PCAP is available.


# |3A 20| is ": " and |0A 0A| is LF LF in Snort hex notation; nocase applies only to the User-Agent content.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetSupport RAT outbound connection attempt"; flow:to_server,established; content:"POST"; content:"User-Agent|3A 20|NetSupport Manager/"; nocase; fast_pattern:only; content:".htm HTTP"; content:"|0A 0A|CMD="; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/b87ef28981defd135496e25233cc7a47a376a75ddea97fcd4c0927995dd22e47/detection; reference:url,twitter.com/thlnk3r/status/923291439336890368; reference:url,https://www.hybrid-analysis.com/sample/b87ef28981defd135496e25233cc7a47a376a75ddea97fcd4c0927995dd22e47; classtype:trojan-activity; sid:9000001; rev:1;)


Thank you.

YM





_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
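The following is an added example, not part of the thread and not YM's or Talos's code: it re-implements the four content: checks of the NetSupport Manager rule posted above in Python and runs them over constructed HTTP requests (the samples are made up for illustration, not taken from the PCAP YM mentions). Snort content: options without distance/within are independent substring tests, so the rule fires only when all four occur in the payload; nocase applies only to the User-Agent pattern. Direction and flow (to_server, established) are not modelled.

```python
# Added example (not from the thread): the content: checks of the NetSupport
# Manager rule above, as plain substring tests over a raw HTTP request payload.

# |3A 20| is ": " and |0A 0A| is "\n\n" in Snort's hex notation.
# Each entry is (pattern, nocase).
PATTERNS = [
    (b"POST", False),
    (b"User-Agent: NetSupport Manager/", True),  # nocase; also the fast_pattern
    (b".htm HTTP", False),
    (b"\n\nCMD=", False),
]


def missing_contents(payload: bytes) -> list:
    """Return the content: patterns from the rule that are absent from payload.

    An empty list means every pattern matched, i.e. the rule would fire.
    Useful when tuning: it shows which content a near-miss failed on.
    """
    missing = []
    for pattern, nocase in PATTERNS:
        haystack = payload.lower() if nocase else payload
        needle = pattern.lower() if nocase else pattern
        if needle not in haystack:
            missing.append(pattern)
    return missing


def rule_matches(payload: bytes) -> bool:
    """True when all content: patterns of the rule occur in payload."""
    return not missing_contents(payload)


# Constructed samples (bare-LF line endings, as the |0A 0A| pattern implies);
# they are assumptions for this example, not traffic from the referenced PCAP.
RAT_REQUEST = (
    b"POST /fakeurl.htm HTTP/1.1\n"
    b"User-Agent: NetSupport Manager/1.3\n"
    b"Content-Type: application/x-www-form-urlencoded\n"
    b"\n"
    b"CMD=POLL\n"
)

# Same request with the User-Agent in a different case: still matches (nocase).
RAT_REQUEST_MIXED_CASE = RAT_REQUEST.replace(
    b"User-Agent: NetSupport Manager/", b"user-agent: NETSUPPORT manager/"
)

# CRLF line endings: "\n\nCMD=" never occurs, so the rule as written misses it.
RAT_REQUEST_CRLF = RAT_REQUEST.replace(b"\n", b"\r\n")

# Ordinary browser form POST to a .htm page: fails only on the User-Agent check.
BENIGN_REQUEST = (
    b"POST /login.htm HTTP/1.1\n"
    b"User-Agent: Mozilla/5.0\n"
    b"\n"
    b"CMD=login\n"
)

if __name__ == "__main__":
    samples = [
        ("RAT", RAT_REQUEST),
        ("RAT mixed case", RAT_REQUEST_MIXED_CASE),
        ("RAT CRLF", RAT_REQUEST_CRLF),
        ("benign", BENIGN_REQUEST),
    ]
    for name, req in samples:
        print(f"{name:15s} fires={rule_matches(req)} missing={missing_contents(req)}")
```

The CRLF sample is the check worth running against the real capture before deploying: the posted rule only fires when the headers end in a bare LF LF, so confirm from the PCAP that the client really sends LF-only line endings rather than the usual CRLF CRLF. The benign sample shows why the User-Agent content carries the detection and is the right fast_pattern: POST, ".htm HTTP" and "CMD=" on their own are common in ordinary web traffic.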

