Snort mailing list archives

Multiple signatures 008


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 1 Aug 2018 18:57:40 +0000

Hi,

Pcaps for FormBook and (what appears to be) the Google sinkhole sigs are available.

# --------------------
# Date: 2018-07-30
# Title: Win.Trojan.FormBook
# Reference: Research
#     Dropper:
#     - https://www.virustotal.com/#/file/9cab0520f4d7c3ecbc310e55282861ca20d53959eaf6e93d8d6aa717347819da/detection
#     - https://app.any.run/tasks/16de6eff-d745-43d0-b463-a542e27ed4e5
#    FormBook:
#    - 6d9a03a5300e820e1cdadee50d0c35d26f4651e57ecaf730c918588433cfc207
#    - 5039b1f1fe51ae793991dd75a4af247d7f3d1aee1ef7c5355f7fd3e949650c26
#    - a0ce7c1ea60d04434ff18e9e2595d195b9aaaccbdabc7b7005b457e67885b095
#    - 092e4c73963f4885ea3017de96fbb8746dd3b8bb8b67b098a1ffa5a9b89963fe
#    - be87149f2ebdf39660a1b5a546daae5112fff80830233c430ba693279059696e
#    - 5d99b940b9fd8bf6f97c5dd6ae12ae5fc9fc596678cb056f1cf7c1704904d7d5
#    - 2238b58701332233865671be4304c789948b5480ca3f0512a18d2402c73db5e0
#    - 310120dbead95d404212997aa0393b99173ba659c3a10f76ac6a96636fa8d283
#    - 2d2fb898ab24ffe60db248ab6884f1c66a47d7b57dcbdecfefdf9cdf9334128b
# Tests: pcap
# Confidence: medium+
# Note:
#    1. Flow: Adwind JAR in attachment > Drops FormBook binary from remote source (opendir) > FormBook C&C.
#    2. Opendir contained two different samples of FormBook (signed.exe and raypal.exe).
#    3. The first URI query parameter in the GET request is the form item in the client body of the POST request.
#    4. SID 38134 may require updates, perhaps $EXTERNAL_NET 1024: instead of hardcoding the port?
#    5. There are multiple GET requests, some of which will always end with "&sql=1".

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FormBook variant outbound connection"; flow:to_server,established; urilen:100<>120; content:"&sql=1"; fast_pattern:only; http_uri; content:"/?"; http_uri; content:"Connection: close|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000224; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FormBook variant outbound connection"; flow:to_server,established; urilen:<6; content:"POST"; http_method; content:"Origin: "; http_header; content:"Referer: "; http_header; content:"Connection: close|0D 0A|"; fast_pattern; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; content:"="; depth:10; http_client_body; pcre:"/\/[a-z0-9]{2,3}\//U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000225; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: Andr.Dropper.Agent
# Reference:
#     - https://www.virustotal.com/#/file/9e5e9add2d75cef55afea99e406cda857734c1297af1695f17e96d251edfe004/detection
# Tests: syntax only
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Dropper.Agent outbound connection"; flow:to_server,established; content:"?platform="; http_uri; content:"&package_name="; fast_pattern:only; http_uri; content:"&screen_size="; http_uri; content:"&network_type="; http_uri; content:"&gaid="; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/9e5e9add2d75cef55afea99e406cda857734c1297af1695f17e96d251edfe004/detection; classtype:trojan-activity; sid:8000226; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: Win.Backdoor.Sarhust/Hussarini
# Reference:
#     - https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html
#     - https://www.virustotal.com/#/file/05dcc7856661244d082daa88a074d2f266c70623789a7bb5a919282b178d8f98/detection
# Tests: syntax only
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious user-agent - Win.Backdoor.Sarhust"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 5.5|3B| Windows NT 5.0)"; fast_pattern:only; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/05dcc7856661244d082daa88a074d2f266c70623789a7bb5a919282b178d8f98/detection; classtype:trojan-activity; sid:8000227; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Sarhust inbound connection"; flow:to_client,established; file_data; content:"<CHECK>"; fast_pattern:only; content:"</CHECK>"; within:200; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/05dcc7856661244d082daa88a074d2f266c70623789a7bb5a919282b178d8f98/detection; classtype:trojan-activity; sid:8000228; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Sarhust inbound connection"; flow:to_client,established; file_data; content:"</CHECK><COMMAND>"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/05dcc7856661244d082daa88a074d2f266c70623789a7bb5a919282b178d8f98/detection; classtype:trojan-activity; sid:8000229; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: PowerShell Inside a Certificate? – Part 1
# Reference:
#    - https://blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/
#    - https://attack.mitre.org/wiki/Technique/T1036
#    - https://www.virustotal.com/#/file/eed598fa60ad25cd43f33e4d64cede06b45a5140df3d8e8e92d64c4a83fd4898/detection
# Tests: syntax only
# Confidence: low

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE file masquerading as a certificate download attempt"; flow:to_client,established; file_data; content:"-----BEGIN CERTIFICATE-----|0D 0A|"; fast_pattern:only; content:!"M"; distance:0; within:1; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/; reference:url,attack.mitre.org/wiki/Technique/T1036; classtype:trojan-activity; sid:8000230; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: Google Sinkhole Page/Redirection
# Reference: Research
# Tests: pcap
# Confidence: low
# Notes: Additional research is required.

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Google Sinkhole page redirection"; flow:to_client,established; content:"302"; http_stat_code; content:"Location: http://domain-registrar.storage.googleapis.com/expired.html?"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000231; rev:1;)

# --------------------
# Date: 2018-08-01
# Title: Win.Backdoor.Bisonal
# Reference: https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/
# Tests: syntax only
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Backdoor.Bisonal variant outbound connection"; flow:to_server,established; urilen:<30; content:"/ks8d"; fast_pattern:only; http_uri; content:"akspbu.txt"; http_uri; content:"POST"; http_method; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000232; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Bisonal variant outbound connection"; flow:to_server,established; content:"|81 B2 A8 97 7E A3 1B 91|"; fast_pattern:only; http_client_body; isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000233; rev:1;)

Thanks.
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
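As an added example that is not part of the original post, the following Python mirrors the matching logic of the two FormBook rules (sid:8000224 and sid:8000225) and the cross-check from note 3 of the FormBook section (the first query-parameter name of the GET beacon equals the form item name of the POST). It lets the conditions be exercised without a Snort install. The HTTP requests, the host name `c2.example.invalid`, the parameter name `fz9a` and the run of `Q` characters are all constructed for this example and do not come from the pcaps or samples the post refers to.

```python
"""Python mirror of the FormBook rules sid:8000224 / sid:8000225 from the
post above, plus the GET/POST parameter-name cross-check from its note 3.
Added example; every request below is constructed, not captured."""
import re
from typing import Dict, Optional, Tuple

# urilen:100<>120. Whether the endpoints count differs between Snort
# versions (Snort 2.9 treats the range as inclusive); the sample URI below
# stays well inside the range so the boundary never matters here.
URILEN_MIN, URILEN_MAX = 100, 120
POST_URI_RE = re.compile(rb"/[a-z0-9]{2,3}/")  # pcre:"/\/[a-z0-9]{2,3}\//U"


def split_request(raw: bytes) -> Tuple[bytes, bytes, bytes, bytes]:
    """Return (method, uri, header_buffer, body) for a raw HTTP/1.x request.
    The header buffer keeps every header's trailing CRLF, like Snort's
    http_header buffer, so "Connection: close\\r\\n" matches as one unit."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return method, uri, header_block + b"\r\n", body


def match_sid_8000224(raw: bytes) -> bool:
    """GET beacon: "&sql=1" and "/?" in a 100-120 byte URI, a
    "Connection: close" header, and no User-Agent, Accept or Content*
    headers anywhere (the negated content checks)."""
    _method, uri, hdr, _body = split_request(raw)
    return (
        URILEN_MIN <= len(uri) <= URILEN_MAX
        and b"&sql=1" in uri
        and b"/?" in uri
        and b"Connection: close\r\n" in hdr
        and b"User-Agent" not in hdr
        and b"Accept" not in hdr
        and b"Content" not in hdr
    )


def match_sid_8000225(raw: bytes) -> bool:
    """POST to a URI shorter than 6 bytes shaped /xx/ or /xxx/, with Origin,
    Referer, "Connection: close", a form-urlencoded Content-Type, and an
    "=" within the first 10 body bytes (content:"="; depth:10)."""
    method, uri, hdr, body = split_request(raw)
    return (
        method == b"POST"
        and len(uri) < 6
        and POST_URI_RE.search(uri) is not None
        and b"Origin: " in hdr
        and b"Referer: " in hdr
        and b"Connection: close\r\n" in hdr
        and b"Content-Type: application/x-www-form-urlencoded\r\n" in hdr
        and b"=" in body[:10]
    )


def first_param_name(data: bytes) -> Optional[bytes]:
    """Name of the first key=value item in a query string or form body."""
    name = data.split(b"&", 1)[0].partition(b"=")[0]
    return name or None


def correlate(get_raw: bytes, post_raw: bytes) -> Optional[bytes]:
    """Note 3 of the post: the GET's first URI query parameter is the form
    item of the POST. Returns the shared name, or None when they differ."""
    _, get_uri, _, _ = split_request(get_raw)
    _, _, _, post_body = split_request(post_raw)
    _path, _, query = get_uri.partition(b"?")
    g, p = first_param_name(query), first_param_name(post_body)
    return g if g is not None and g == p else None


# Constructed samples (not from the referenced pcaps). The 94-byte run of
# "Q" stands in for the encoded data carried in the query string.
SAMPLE_GET_URI = b"/ab/?fz9a=" + b"Q" * 94 + b"&sql=1"  # 110 bytes
SAMPLE_GET = (
    b"GET " + SAMPLE_GET_URI + b" HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)
SAMPLE_POST = (
    b"POST /ab/ HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Origin: http://c2.example.invalid\r\n"
    b"Referer: http://c2.example.invalid/ab/\r\n"
    b"Connection: close\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"fz9a=QQQQQQQ"
)
# An ordinary browser request that also carries "&sql=1": short URI and a
# User-Agent header, so sid:8000224 must not fire on it.
SAMPLE_BENIGN = (
    b"GET /search?q=snort&sql=1 HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def run_samples() -> Dict[str, object]:
    """Evaluate the rule mirrors and the cross-check over the samples."""
    return {
        "get_matches_8000224": match_sid_8000224(SAMPLE_GET),
        "post_matches_8000225": match_sid_8000225(SAMPLE_POST),
        "benign_matches_8000224": match_sid_8000224(SAMPLE_BENIGN),
        "shared_param": correlate(SAMPLE_GET, SAMPLE_POST),
    }


if __name__ == "__main__":
    for name, value in run_samples().items():
        print(f"{name}: {value!r}")
```

The `correlate` check is the piece a Snort rule cannot express on its own, since it spans two separate requests; in practice it is the kind of condition one would apply in post-processing of alerts from both SIDs to raise confidence before escalating.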
