Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Win.Trojan.RedLeaves variant

From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 1 May 2018 18:17:31 +0000
Hi,

Below signature attempts to detect a variant of RedLeaves. Pcap is available. There are subtle differences between the 
HTTP request in the pcap and its details in the research. The signature attempts to accommodate both. The HTTP body can 
be expressedin pcre, but either would lose detection of almost half the requests, or the pcre becomes unnecessary, I 
guess.

# Title: Hogfish RedLeaves Campaign
# Tests: pcaps
# Reference: 
https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf, 
https://www.virustotal.com/#/file/f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b/detection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RedLeaves variant outbound 
connection"; flow:to_server,established; urilen:<20; content:"POST"; http_method; content:"Connection: Keep-Alive|0D 
0A|Accept: */*|0D 0A|"; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| 
WOW64|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| .NET4.0C|3B| 
.NET4.0E)|0D 0A|Content-Length"; http_header; content:"/index.php"; http_uri; content:!"Content-Type"; http_header; 
content:!"Referer"; http_header; content:!"Accept-"; http_header; metadata:ruleset community, service http; 
reference:url,www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf; 
reference:url,www.virustotal.com/#/file/f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b/detection; 
classtype:trojan-activity; sid:8000038; rev:1;)

Thanks.
YM


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: