Snort mailing list archives

Win.Trojan.PLEAD & Win.Trojan.TSCookie


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 11 Jun 2018 18:54:35 +0000

Hi,

I am not sure if the communication is over HTTP or HTTPS, and I don't have pcaps to verify. I am putting these together 
since they originate from the same source and are interrelated.

# --------------------
# Date: 2018-06-08
# Title: PLEAD Downloader Used by BlackTech
# Tests: syntax only
# Reference:
#     - https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html
#     - https://www.lac.co.jp/lacwatch/people/20180425_001625.html
#     - https://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0)"; fast_pattern:only; http_header; content:".png"; http_uri; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html; classtype:trojan-activity; sid:8000105; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?id="; fast_pattern:only; http_uri; content:"Accept: */*|0D 0A|"; http_header; content:!"="; http_cookie; content:!"|3B|"; http_cookie; content:!"Accept-"; http_header; content:!"Referer"; http_header; pcre:"/\/index\.php\x3fid\x3d[0-9]{10}$/U"; metadata:ruleset community, service http; reference:url,blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html; classtype:trojan-activity; sid:8000106; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/index.php?id="; fast_pattern:only; http_uri; content:"Accept: */*|0D 0A|"; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header; content:!"Cookie"; http_header; pcre:"/\/index\.php\x3fid\x3d[0-9]{10}$/U"; metadata:ruleset community, service http; reference:url,blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html; classtype:trojan-activity; sid:8000107; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TSCookie outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)"; fast_pattern:only; http_header; content:"/Default.aspx"; http_uri; content:"Accept: */*|0D 0A|"; http_header; content:!"="; http_cookie; content:!"|3B|"; http_cookie; content:!"Accept-"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html; classtype:trojan-activity; sid:8000108; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TSCookie outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)"; fast_pattern:only; http_header; content:"/Default.aspx"; http_uri; content:"Accept: */*|0D 0A|"; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header; content:!"Cookie"; http_header; metadata:ruleset community, service http; reference:url,blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html; classtype:trojan-activity; sid:8000109; rev:1;)

Thanks.
YM
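Since the rules above were tested for syntax only and no pcaps were available, here is an added Python approximation of what the sid:8000107 (PLEAD POST) rule asserts, so its positive and negated conditions can be exercised against constructed requests before real traffic is available. This is not part of the original post and not Snort's matching engine; the sample requests and the example.invalid host are constructed.

```python
import re

# Constructed requests (not from the post): one shaped like the beacon the
# rule describes, one shaped like an ordinary browser form submission.
PLEAD_POST = (
    "POST /index.php?id=1234567890 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: example.invalid\r\n"
    "Content-Length: 0\r\n\r\n"
)
BROWSER_POST = (
    "POST /index.php?id=1234567890 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-US\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: http://example.invalid/form\r\n"
    "Cookie: session=abc\r\n\r\n"
)

# Mirrors the rule's pcre "/\/index\.php\x3fid\x3d[0-9]{10}$/U":
# exactly ten digits and nothing after them in the URI buffer.
URI_RE = re.compile(r"/index\.php\?id=[0-9]{10}$")


def parse_request(raw):
    """Split a raw HTTP request into (method, uri, header block)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition("\r\n")
    method, uri, _ = request_line.split(" ", 2)
    return method, uri, header_block + "\r\n"


def plead_post_matches(raw):
    """Approximate sid:8000107: every positive content must be present in
    its buffer and every negated content (Accept-*, Referer, Cookie) absent."""
    method, uri, headers = parse_request(raw)
    return (
        method == "POST"
        and "/index.php?id=" in uri
        and URI_RE.search(uri) is not None
        and "Accept: */*\r\n" in headers
        and "Content-Type: application/x-www-form-urlencoded" in headers
        and "Accept-" not in headers
        and "Referer" not in headers
        and "Cookie" not in headers
    )
```

The negated header checks are what keep the rule from firing on a normal browser POST to a similarly named script, which is the false-positive case worth confirming once pcaps exist.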
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
