
Multiple signatures 011


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 22 Aug 2018 13:13:49 +0000

Hi,

Pcaps for the majority of the rules below are available.

# --------------------
# Date: 2018-08-21
# Title: Russian Army Exhibition Decoy Leads to New BISKVIT Malware
# Tests: syntax only
# Reference: https://www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html
# Confidence: low

# Client side of the Biskvit token exchange (the matching response is sid 8000268): POST to /api/auth/token
# carrying Authorization and Expect headers, a request body whose first 9 bytes are exactly {"ApiKey"
# (depth:9 equals the length of that prefix, so the match is anchored to the start of the body), and no
# User-Agent header. Author marks confidence low and syntax-only testing; validate against a pcap before deploying.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Biskvit access token request outbound 
connection"; flow:to_server,established; content:"POST"; http_method; content:"/api/auth/token"; fast_pattern:only; 
http_uri; content:"Authorization"; http_header; content:"Expect"; http_header; content:"|7B 22|ApiKey|22|"; depth:9; 
http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; 
reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; 
classtype:trojan-activity; sid:8000267; rev:1;)

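# Server side of the Biskvit token exchange (pairs with sid 8000267): an HTTP response body (file_data) that
# opens a JSON object with "access_token" and also contains the "expires_in" and "refresh_token" keys.
# The rule direction is $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET, i.e. server to client, so the flow option must be
# to_client: the original to_server can never match packets travelling in this direction and left the rule dead.
# Same low-confidence, syntax-only caveat as the request rule; validate against a pcap before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Biskvit access token response inbound connection"; flow:to_client,established; file_data; content:"|7B 22|access_token|22|"; content:"|22|expires_in|22|"; content:"|22|refresh_token|22|"; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000268; rev:1;)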

# Biskvit job poll: any method to a URI containing /api/job, with an Authorization header and no User-Agent.
# There is no method, body or id constraint and the path is short and generic, so expect false positives from
# other API clients that omit User-Agent; a flowbit set by the token exchange (sids 8000267/8000268) would tie
# this to a confirmed session. Low confidence, syntax-only per the author.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Biskvit get job request outbound 
connection"; flow:to_server,established; content:"/api/job"; fast_pattern:only; http_uri; content:"Authorization"; 
http_header; content:!"User-Agent"; http_header; metadata:ruleset community, service http; 
reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; 
classtype:trojan-activity; sid:8000269; rev:1;)

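# Server reply to the Biskvit job poll (pairs with sid 8000269): a response body (file_data) opening a JSON object
# with "id" and containing the "resultUri", "tasks" and "executeOptions" keys.
# Direction is $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET (server to client), so flow must be to_client; the original
# to_server cannot match packets in this direction and left the rule dead.
# Low confidence, syntax-only per the author; validate against a pcap before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Biskvit get job response inbound connection"; flow:to_client,established; file_data; content:"|7B 22|id|22|"; content:"|22|resultUri|22|"; content:"|22|tasks|22|"; content:"|22|executeOptions|22|"; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000270; rev:1;)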

# Biskvit package download: URI of the form /api/package/<id> where the pcre (flag U = normalized URI buffer)
# requires the id to be 24-32 lowercase hex characters, with an Authorization header and no User-Agent.
# The content match on /api/package/ is the fast pattern; the pcre is what actually narrows the hit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Biskvit download package request 
outbound connection"; flow:to_server,established; content:"/api/package/"; fast_pattern:only; http_uri; 
content:"Authorization"; http_header; content:!"User-Agent"; http_header; pcre:"/\/api\/package\/[a-f0-9]{24,32}/U"; 
metadata:ruleset community, service http; 
reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; 
classtype:trojan-activity; sid:8000271; rev:1;)

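# Biskvit job state report: POST to /api/job/<id> (pcre with flag U requires a 24-32 character lowercase hex id)
# whose body opens a JSON object with "State" and also carries a "Data" key, with Authorization present and
# User-Agent absent. The submitted msg duplicated sid 8000271's "download package request" text, which made alerts
# from the two rules indistinguishable by message; the msg now describes what this rule matches (the State/Data POST).
# Low confidence, syntax-only per the author.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Biskvit job state update outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/api/job/"; fast_pattern:only; http_uri; content:"Authorization"; http_header; content:"|7B 22|State|22|"; http_client_body; content:"|22|Data|22|"; http_client_body; content:!"User-Agent"; http_header; pcre:"/\/api\/job\/[a-f0-9]{24,32}/U"; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000272; rev:1;)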

# --------------------
# Date: 2018-08-21
# Title: Fake Plugins with Popuplink.js Redirect to Scam Sites
# Tests: syntax only
# Reference: https://blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html
# Confidence: low+
# Notes:
#    1. JS file name could be anything. Maybe remove http_uri content match and set a flowbit on SID 8000275?
#    2. Some websites/requests may be within SSL.

# Popuplink.js redirector, first cookie variant: request for /popuplink.js?ver=... with a Referer header and the
# cookie index_is_shown. It shares its msg with sids 8000274 and 8000275, so the three are not distinguishable by
# message text alone. NOTE(review): in Snort 2 the http_cookie buffer is only populated when http_inspect has
# enable_cookie configured; otherwise the cookie remains in the header buffer and this rule will not fire -
# confirm the preprocessor configuration where it is deployed. Author's notes 1 (file name may vary) and
# 2 (traffic may be inside TLS) apply.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER potentially infected website with Popuplink.js 
Redirector"; flow:to_server,established; content:"/popuplink.js?ver="; fast_pattern:only; http_uri; content:"Referer"; 
http_header; content:"index_is_shown"; http_cookie; metadata:ruleset community, service http; 
reference:url,blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html; 
classtype:trojan-activity; sid:8000273; rev:1;)

# Popuplink.js redirector, second cookie variant: identical to sid 8000273 except that the cookie match is
# update_is_shown instead of index_is_shown. Same msg as 8000273/8000275. NOTE(review): the http_cookie match
# depends on http_inspect enable_cookie being configured - confirm before relying on this rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER potentially infected website with Popuplink.js 
Redirector"; flow:to_server,established; content:"/popuplink.js?ver="; fast_pattern:only; http_uri; content:"Referer"; 
http_header; content:"update_is_shown"; http_cookie; metadata:ruleset community, service http; 
reference:url,blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html; 
classtype:trojan-activity; sid:8000274; rev:1;)

# Server-side variant (to_client, file_data): a response body that references /popuplink.js?ver= together with
# a "wp_cfg_ key prefix and a "url" key. This is the rule the author's note 1 proposes as a flowbit setter so
# the request rules (8000273/8000274) no longer depend on the script's file name.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER potentially infected website with Popuplink.js 
Redirector"; flow:to_client,established; file_data; content:"/popuplink.js?ver="; content:"|22|wp_cfg_"; 
content:"|22|url|22|"; metadata:ruleset community, service http; 
reference:url,blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html; 
classtype:trojan-activity; sid:8000275; rev:1;)

# --------------------
# Date: 2018-08-21
# Title: A Quick Look Into the Oracle WebLogic Attacks
# Tests: syntax only
# Reference:
#    - http://www.kahusecurity.com/2018/05/a-quick-look-into-the-oracle-weblogic-attacks/
#    - https://blog.khairulazam.net/2018/06/07/analyzing-oracle-weblogic-attack/
# Hashes:
#    - 250b334bd70c7a800906b6da7e8fc3d6238f1f426c89fc4b020bb52e48e479eb
#    - 1aa8f0e14fe092d85a37d4d7b5ac2ca7d92ee82f28d02cbee71f6b5f22a0e7dc
# Confidence: low+

# Post-compromise beacon attributed to the WebLogic campaign: a User-Agent header starting with PowerShell/ and
# followed (distance:0) by Microsoft Windows, with the pcre (flag H = normalized header buffer) requiring the
# PowerShell/PMA or PowerShell/WL form seen in the referenced write-up. The pcre is the decisive check.
# NOTE(review): the first content is fast_pattern:only, i.e. used by the fast-pattern matcher rather than
# evaluated as a rule option; whether the following distance:0 then anchors to it as intended is not certain -
# plain fast_pattern; would keep the content evaluated and remove the doubt. Confirm with a pcap.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious User-Agent - Oracle WebLogic 
post-compromise outbound connection"; flow:to_server,established; content:"User-Agent: PowerShell/"; fast_pattern:only; 
http_header; content:"Microsoft Windows"; distance:0; http_header; pcre:"/User-Agent\x3a\x20PowerShell\/(PMA|WL)/H"; 
metadata:ruleset community, service http; 
reference:url,www.kahusecurity.com/2018/05/a-quick-look-into-the-oracle-weblogic-attacks/; classtype:trojan-activity; 
sid:8000276; rev:1;)

# --------------------
# Date: 2018-08-22
# Title: AZORult -> BabylonRAT
# Tests: pcaps
# Reference: https://traffic.moe/2018/08/22/index.html
# Hashes:
#    - AZORult    : 9ee000a5f6ddfe1fe58991690b95a99b2797343386203fddd64a5e9e0892d404
#    - Babylon RAT: 416cb01b767ebf97e71e62965555871ad47672fc843bf2c93a4559c14e794462

# AZORult check-in: the request line POST /index.php HTTP/1.0 is matched as raw payload (no http_* modifier, so it
# must appear exactly as sent, including the HTTP/1.0 version), urilen:10 equals the length of /index.php,
# the headers carry Connection: close and Content-Type: application/octet-stream, and User-Agent, Accept and
# Referer are all absent. Author reports pcap testing for this section.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AZORult variant outbound connection"; 
flow:to_server,established; urilen:10; content:"POST /index.php HTTP/1.0"; fast_pattern:only; content:"Connection: 
close|0D 0A|"; http_header; content:"Content-Type: application/octet-stream|0D 0A|"; http_header; 
content:!"User-Agent"; http_header; content:!"Accept:"; http_header; content:!"Referer"; http_header; metadata:ruleset 
community, service http; classtype:trojan-activity; sid:8000277; rev:1;)

# Babylon RAT client beacon: a 4-byte TCP payload (dsize:4) with 0xFF found from byte offset 1 onward, a second
# 0xFF one byte after the end of the first match, and no data after it (isdataat:!1,relative) - with dsize:4 this
# pins the shape ?? FF ?? FF. Any destination port. A pattern this short can occur in other binary protocols, so
# treat a lone hit as low confidence and correlate with sid 8000279 on the same session.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Babylon RAT outbound connection"; 
flow:to_server,established; dsize:4; content:"|FF|"; offset:1; content:"|FF|"; distance:1; isdataat:!1,relative; 
metadata:ruleset community; classtype:trojan-activity; sid:8000278; rev:1;)

# Babylon RAT server reply: an 8-byte TCP payload (dsize:8) with 0xFF found from byte offset 1 onward, a second
# 0xFF five bytes after the end of the first match, and nothing after it - with dsize:8 this pins the shape
# ?? FF ?? ?? ?? ?? ?? FF. Companion to sid 8000278; the same low-confidence caveat applies, so look for both
# directions on one session before escalating.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Babylon RAT inbound connection"; 
flow:to_client,established; dsize:8; content:"|FF|"; offset:1; content:"|FF|"; distance:5; isdataat:!1,relative; 
metadata:ruleset community; classtype:trojan-activity; sid:8000279; rev:1;)

Thanks.
YM