Snort mailing list archives
Re: Multiple signatures 011
From: Marcos Rodriguez via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 22 Aug 2018 10:13:56 -0400
On Wed, Aug 22, 2018 at 9:13 AM, Y M via Snort-sigs < snort-sigs () lists snort org> wrote:
Hi,

Pcaps for the majority of the rules below are available.

# --------------------
# Date: 2018-08-21
# Title: Russian Army Exhibition Decoy Leads to New BISKVIT Malware
# Tests: syntax only
# Reference: https://www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Biskvit access token request outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/api/auth/token"; fast_pattern:only; http_uri; content:"Authorization"; http_header; content:"Expect"; http_header; content:"|7B 22|ApiKey|22|"; depth:9; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000267; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Biskvit access token response inbound connection"; flow:to_client,established; file_data; content:"|7B 22|access_token|22|"; content:"|22|expires_in|22|"; content:"|22|refresh_token|22|"; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000268; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Biskvit get job request outbound connection"; flow:to_server,established; content:"/api/job"; fast_pattern:only; http_uri; content:"Authorization"; http_header; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000269; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Biskvit get job response inbound connection"; flow:to_client,established; file_data; content:"|7B 22|id|22|"; content:"|22|resultUri|22|"; content:"|22|tasks|22|"; content:"|22|executeOptions|22|"; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000270; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Biskvit download package request outbound connection"; flow:to_server,established; content:"/api/package/"; fast_pattern:only; http_uri; content:"Authorization"; http_header; content:!"User-Agent"; http_header; pcre:"/\/api\/package\/[a-f0-9]{24,32}/U"; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000271; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Biskvit download package request outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/api/job/"; fast_pattern:only; http_uri; content:"Authorization"; http_header; content:"|7B 22|State|22|"; http_client_body; content:"|22|Data|22|"; http_client_body; content:!"User-Agent"; http_header; pcre:"/\/api\/job\/[a-f0-9]{24,32}/U"; metadata:ruleset community, service http; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:8000272; rev:1;)

# --------------------
# Date: 2018-08-21
# Title: Fake Plugins with Popuplink.js Redirect to Scam Sites
# Tests: syntax only
# Reference: https://blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html
# Confidence: low+
# Notes:
# 1. JS file name could be anything. Maybe remove http_uri content match and set a flowbit on SID 8000275?
# 2. Some websites/requests may be within SSL.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER potentially infected website with Popuplink.js Redirector"; flow:to_server,established; content:"/popuplink.js?ver="; fast_pattern:only; http_uri; content:"Referer"; http_header; content:"index_is_shown"; http_cookie; metadata:ruleset community, service http; reference:url,blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html; classtype:trojan-activity; sid:8000273; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER potentially infected website with Popuplink.js Redirector"; flow:to_server,established; content:"/popuplink.js?ver="; fast_pattern:only; http_uri; content:"Referer"; http_header; content:"update_is_shown"; http_cookie; metadata:ruleset community, service http; reference:url,blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html; classtype:trojan-activity; sid:8000274; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER potentially infected website with Popuplink.js Redirector"; flow:to_client,established; file_data; content:"/popuplink.js?ver="; content:"|22|wp_cfg_"; content:"|22|url|22|"; metadata:ruleset community, service http; reference:url,blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html; classtype:trojan-activity; sid:8000275; rev:1;)

# --------------------
# Date: 2018-08-21
# Title: A Quick Look Into the Oracle WebLogic Attacks
# Tests: syntax only
# Reference:
# - http://www.kahusecurity.com/2018/05/a-quick-look-into-the-oracle-weblogic-attacks/
# - https://blog.khairulazam.net/2018/06/07/analyzing-oracle-weblogic-attack/
# Hashes:
# - 250b334bd70c7a800906b6da7e8fc3d6238f1f426c89fc4b020bb52e48e479eb
# - 1aa8f0e14fe092d85a37d4d7b5ac2ca7d92ee82f28d02cbee71f6b5f22a0e7dc
# Confidence: low+

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious User-Agent - Oracle WebLogic post-compromise outbound connection"; flow:to_server,established; content:"User-Agent: PowerShell/"; fast_pattern:only; http_header; content:"Microsoft Windows"; distance:0; http_header; pcre:"/User-Agent\x3a\x20PowerShell\/(PMA|WL)/H"; metadata:ruleset community, service http; reference:url,www.kahusecurity.com/2018/05/a-quick-look-into-the-oracle-weblogic-attacks/; classtype:trojan-activity; sid:8000276; rev:1;)

# --------------------
# Date: 2018-08-22
# Title: AZORult -> BabylonRAT
# Tests: pcaps
# Reference: https://traffic.moe/2018/08/22/index.html
# Hashes:
# - AZORult : 9ee000a5f6ddfe1fe58991690b95a99b2797343386203fddd64a5e9e0892d404
# - Babylon RAT: 416cb01b767ebf97e71e62965555871ad47672fc843bf2c93a4559c14e794462

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AZORult variant outbound connection"; flow:to_server,established; urilen:10; content:"POST /index.php HTTP/1.0"; fast_pattern:only; content:"Connection: close|0D 0A|"; http_header; content:"Content-Type: application/octet-stream|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Accept:"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000277; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Babylon RAT outbound connection"; flow:to_server,established; dsize:4; content:"|FF|"; offset:1; content:"|FF|"; distance:1; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000278; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Babylon RAT inbound connection"; flow:to_client,established; dsize:8; content:"|FF|"; offset:1; content:"|FF|"; distance:5; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000279; rev:1;)

Thanks.
YM
Hiya Yaser,

Thanks again for your many contributions! We'll get these into our testing process and get back to you as soon as possible. We'd appreciate any pcaps you'd be willing to share.

Thanks again!

--
Marcos Rodriguez
Cisco Talos
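The Babylon RAT rules above (SIDs 8000278 and 8000279) rely entirely on raw payload options, and it is easy to misread what bytes `offset`, `distance` and `isdataat:!1,relative` actually pin down. The following is an added example, not code from the post or from Snort: a small emulator of those options (including Snort's backtracking over earlier content hits) run against constructed packets, which shows that each rule reduces to "segment of exactly N bytes with 0xFF at byte 1 and at the last byte".

```python
def snort_match(payload: bytes, dsize: int, options: list) -> bool:
    """Evaluate Snort-style payload options (a list of (keyword, arg) tuples) in order."""
    if len(payload) != dsize:          # dsize:N -> payload must be exactly N bytes
        return False

    def evaluate(i: int, cursor: int) -> bool:
        if i == len(options):
            return True
        kw, arg = options[i]
        if kw == "content":            # arg = (pattern, "offset"|"distance", N)
            pattern, mod, n = arg
            # offset:N searches from absolute byte N; distance:N from cursor+N
            start = n if mod == "offset" else cursor + n
            while (pos := payload.find(pattern, start)) != -1:
                # Snort backtracks: if later options fail, retry from the next hit
                if evaluate(i + 1, pos + len(pattern)):
                    return True
                start = pos + 1
            return False
        if kw == "isdataat_not_relative":   # isdataat:!N,relative
            # fewer than N bytes may remain after the previous match
            return len(payload) - cursor < arg and evaluate(i + 1, cursor)
        raise ValueError(f"unsupported option {kw}")

    return evaluate(0, 0)

# sid:8000278 -- dsize:4; content:"|FF|"; offset:1; content:"|FF|"; distance:1; isdataat:!1,relative;
OUTBOUND = (4, [("content", (b"\xff", "offset", 1)),
                ("content", (b"\xff", "distance", 1)),
                ("isdataat_not_relative", 1)])
# sid:8000279 -- dsize:8; content:"|FF|"; offset:1; content:"|FF|"; distance:5; isdataat:!1,relative;
INBOUND = (8, [("content", (b"\xff", "offset", 1)),
               ("content", (b"\xff", "distance", 5)),
               ("isdataat_not_relative", 1)])

def matches_outbound(payload: bytes) -> bool:
    return snort_match(payload, *OUTBOUND)

def matches_inbound(payload: bytes) -> bool:
    return snort_match(payload, *INBOUND)

if __name__ == "__main__":
    # constructed packets, not captured traffic
    for p in (b"\x01\xff\x02\xff", b"\xff\xff\x02\x03", b"\x01\x02\xff\xff"):
        print(p.hex(), matches_outbound(p))
```

Because only two byte positions are constrained, any 4-byte (or 8-byte) application message carrying 0xFF in those slots will alert, so these two rules are worth validating against the pcaps and against benign short-message protocols on the monitored segment before deployment.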