Multiple signatures 011
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 22 Aug 2018 13:13:49 +0000
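Hi, Pcaps for the majority of the rules below are available.

# --------------------
# Date: 2018-08-21
# Title: Russian Army Exhibition Decoy Leads to New BISKVIT Malware
# Tests: syntax only
# Reference: https://www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html
# Confidence: low
# Review notes:
# - sid 8000268 and 8000270 inspect server responses ($EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any, file_data)
#   but were declared flow:to_server; corrected to flow:to_client so the direction matches the header
#   (same pattern as sid 8000275). With to_server these two rules could never fire.
# - sid 8000269 matches "/api/job" as a plain substring, so it also fires on the /api/job/[hex id] POSTs
#   covered by sid 8000272; if that overlap is not intended, anchor the URI (e.g. via pcre) or add http_method.
# - sid 8000272 reuses the msg of sid 8000271 although it matches a POST to /api/job/[hex id] carrying a
#   {"State"..,"Data"..} body; a distinct msg would keep the two alerts distinguishable in the console.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Biskvit access token request outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/api/auth/token"; fast_pattern:only; http_uri; content:"Authorization"; http_header; content:"Expect"; http_header; content:"|7B 22|ApiKey|22|"; depth:9; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000267; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Biskvit access token response inbound connection"; flow:to_client,established; file_data; content:"|7B 22|access_token|22|"; content:"|22|expires_in|22|"; content:"|22|refresh_token|22|"; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000268; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Biskvit get job request outbound connection"; flow:to_server,established; content:"/api/job"; fast_pattern:only; http_uri; content:"Authorization"; http_header; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000269; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Biskvit get job response inbound connection"; flow:to_client,established; file_data; content:"|7B 22|id|22|"; content:"|22|resultUri|22|"; content:"|22|tasks|22|"; content:"|22|executeOptions|22|"; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000270; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Biskvit download package request outbound connection"; flow:to_server,established; content:"/api/package/"; fast_pattern:only; http_uri; content:"Authorization"; http_header; content:!"User-Agent"; http_header; pcre:"/\/api\/package\/[a-f0-9]{24,32}/U"; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000271; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Biskvit download package request outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/api/job/"; fast_pattern:only; http_uri; content:"Authorization"; http_header; content:"|7B 22|State|22|"; http_client_body; content:"|22|Data|22|"; http_client_body; content:!"User-Agent"; http_header; pcre:"/\/api\/job\/[a-f0-9]{24,32}/U"; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000272; rev:1;)

# --------------------
# Date: 2018-08-21
# Title: Fake Plugins with Popuplink.js Redirect to Scam Sites
# Tests: syntax only
# Reference: https://blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html
# Confidence: low+
# Notes:
# 1. JS file name could be anything. Maybe remove http_uri content match and set a flowbit on SID 8000275?
# 2. Some websites/requests may be within SSL.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER potentially infected website with Popuplink.js Redirector"; flow:to_server,established; content:"/popuplink.js?ver="; fast_pattern:only; http_uri; content:"Referer"; http_header; content:"index_is_shown"; http_cookie; metadata:ruleset community, service http; reference:url,blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html; classtype:trojan-activity; sid:8000273; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER potentially infected website with Popuplink.js Redirector"; flow:to_server,established; content:"/popuplink.js?ver="; fast_pattern:only; http_uri; content:"Referer"; http_header; content:"update_is_shown"; http_cookie; metadata:ruleset community, service http; reference:url,blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html; classtype:trojan-activity; sid:8000274; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER potentially infected website with Popuplink.js Redirector"; flow:to_client,established; file_data; content:"/popuplink.js?ver="; content:"|22|wp_cfg_"; content:"|22|url|22|"; metadata:ruleset community, service http; reference:url,blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html; classtype:trojan-activity; sid:8000275; rev:1;)

# --------------------
# Date: 2018-08-21
# Title: A Quick Look Into the Oracle WebLogic Attacks
# Tests: syntax only
# Reference:
# - http://www.kahusecurity.com/2018/05/a-quick-look-into-the-oracle-weblogic-attacks/
# - https://blog.khairulazam.net/2018/06/07/analyzing-oracle-weblogic-attack/
# Hashes:
# - 250b334bd70c7a800906b6da7e8fc3d6238f1f426c89fc4b020bb52e48e479eb
# - 1aa8f0e14fe092d85a37d4d7b5ac2ca7d92ee82f28d02cbee71f6b5f22a0e7dc
# Confidence: low+
# NOTE(review): the "Microsoft Windows" content uses distance:0 relative to a fast_pattern:only content,
# which Snort does not evaluate as a rule option; confirm the relative anchor behaves as intended, otherwise
# drop distance:0 (the pcre already enforces the PowerShell/(PMA|WL) prefix).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious User-Agent - Oracle WebLogic post-compromise outbound connection"; flow:to_server,established; content:"User-Agent: PowerShell/"; fast_pattern:only; http_header; content:"Microsoft Windows"; distance:0; http_header; pcre:"/User-Agent\x3a\x20PowerShell\/(PMA|WL)/H"; metadata:ruleset community, service http; reference:url,www.kahusecurity.com/2018/05/a-quick-look-into-the-oracle-weblogic-attacks/; classtype:trojan-activity; sid:8000276; rev:1;)

# --------------------
# Date: 2018-08-22
# Title: AZORult -> BabylonRAT
# Tests: pcaps
# Reference: https://traffic.moe/2018/08/22/index.html
# Hashes:
# - AZORult : 9ee000a5f6ddfe1fe58991690b95a99b2797343386203fddd64a5e9e0892d404
# - Babylon RAT: 416cb01b767ebf97e71e62965555871ad47672fc843bf2c93a4559c14e794462
# NOTE(review): sid 8000278/8000279 key on a 4- or 8-byte payload with 0xFF at fixed positions on any port;
# that is low-specificity and likely noisy on binary protocols. Consider tying them together with flowbits
# or restricting ports once the pcaps confirm the handshake order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AZORult variant outbound connection"; flow:to_server,established; urilen:10; content:"POST /index.php HTTP/1.0"; fast_pattern:only; content:"Connection: close|0D 0A|"; http_header; content:"Content-Type: application/octet-stream|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Accept:"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000277; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Babylon RAT outbound connection"; flow:to_server,established; dsize:4; content:"|FF|"; offset:1; content:"|FF|"; distance:1; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000278; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Babylon RAT inbound connection"; flow:to_client,established; dsize:8; content:"|FF|"; offset:1; content:"|FF|"; distance:5; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000279; rev:1;)

Thanks. YM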