
Multiple signatures - 003


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 3 Jul 2018 13:23:36 +0000

Hi,

Happy soon-to-be 4th of July to you all. Pcaps for the first two sets of signatures are available.

# --------------------
# Date: 2018-07-03
# Title: Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems
# Tests: pcap (partial)
# Reference: 
https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/
# Hashes:
#    - 3227d1e39fc3bc842245ccdb16eeaadad3bcd298e811573b2e68ef2a7077f6f6
#    - 92e0d0346774127024c672cc7239dd269824a79e85b84c532128fd9663a0ce78
#    - 33665d93ab2a0262551c61ec9a3adca2c2b8dfea34e6f3f723274d88890f6ceb
#    - 019874898284935719dc74a6699fb822e20cdb8e3a96a7dc8ec4f625e3f1116e
#    - f817c9826089b49d251b8a09a0e9bf9b4b468c6e2586af60e50afe48602f0bec
# Confidence: low
# Note: The trojanized loader binaries, the standalone binaries, and the C&C domain (plus an additional domain)
#       successfully correlate to the observed HTTP URI and Header.

# sid 8000172: outbound HTTP request (client -> server, established) whose header
# buffer contains the exact User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Win32);51;"
# (fast pattern), whose URI contains "/index.htm", and which carries no
# "Connection: ", "Accept" or "Referer" header. The trailing ";51;" token is what
# distinguishes this from a stock MSIE 6.0 User-Agent; a sample using a different
# trailing token is covered by the generic PCRE rule (sid 8000174) below.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HomamDownloader outbound connection"; 
flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Win32)|3B|51|3B|"; 
fast_pattern:only; http_header; content:"/index.htm"; http_uri; content:!"Connection: "; http_header; 
content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; 
reference:url,researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/;
 classtype:trojan-activity; sid:8000172; rev:1;)

# sid 8000173: same structure as sid 8000172 (URI "/index.htm", no Connection/Accept/
# Referer headers) but keyed on the second observed User-Agent,
# "Mozilla/4.0 (compatible; MSIE 8.0; Win32);61;". Only the MSIE version and the
# trailing two-digit token differ between the two rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HomamDownloader outbound connection"; 
flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)|3B|61|3B|"; 
fast_pattern:only; http_header; content:"/index.htm"; http_uri; content:!"Connection: "; http_header; 
content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; 
reference:url,researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/;
 classtype:trojan-activity; sid:8000173; rev:1;)

# sid 8000174: generic form of sids 8000172/8000173. The two header contents
# anchor "User-Agent: Mozilla/4.0 (compatible; MSIE " and "; Win32);" with
# within:12, which leaves room for exactly a three-byte version such as "6.0"
# between them (a two-digit major version would not fit, matching the \d\.0 in
# the PCRE). The PCRE on the header buffer (/H) then requires ";<two digits>;"
# followed by at least one word character, so any numeric trailing token is
# caught rather than only 51 or 61. The PCRE only runs after the content
# pre-filters hit, so its cost is bounded to candidate requests.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HomamDownloader outbound connection - 
PCRE"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE "; http_header; content:"|3B| 
Win32)|3B|"; within:12; http_header; fast_pattern; content:"/index.htm"; http_uri; content:!"Connection: "; 
http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; 
pcre:"/User-Agent\x3a\sMozilla\/4\.0\s\x28compatible\x3b\sMSIE\s\d\.0\x3b\sWin32\x29\x3b[0-9]{2}\x3b\w+/H"; 
metadata:ruleset community, service http; 
reference:url,researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/;
 classtype:trojan-activity; sid:8000174; rev:1;)

# --------------------
# Date: 2018-07-03
# Title: PUA FileTour/MediaDrug
# Tests: pcap, live traffic
# Reference: Research
# Confidence: medium+

# sid 8000175: outbound request whose URI contains "/client.config/?" (fast pattern)
# together with the parameter names "app=", "&format=" and "&uid=". The three
# parameter matches carry no distance/within, so they are independent substring
# matches anywhere in the URI buffer and their order is not enforced.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.MediaDrug/FileTour outbound 
connection"; flow:to_server,established; content:"/client.config/?"; fast_pattern:only; http_uri; content:"app="; 
http_uri; content:"&format="; http_uri; content:"&uid="; http_uri; metadata:ruleset community, service http; 
reference:url,www.virustotal.com/#/file/c25cb815710871b5e984a0b002f6f57088e43c5e3f19da9e889f4b962cd4da56/detection; 
classtype:trojan-activity; sid:8000175; rev:1;)

# sid 8000176: server-side counterpart of sid 8000175. Fires on an established
# HTTP 200 response with a "Content-Type: text/xml" header whose body (file_data,
# so the normalised/decoded payload) contains the XML tags <LogUrl> (fast pattern),
# <csrtmm> and <advertid>, all case-insensitive and, lacking distance/within,
# matched in any order.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE Win.Adware.MediaDrug/FileTour inbound 
connection"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type: text/xml"; http_header; 
file_data; content:"<LogUrl>"; fast_pattern; nocase; content:"<csrtmm>"; nocase; content:"<advertid>"; nocase; 
metadata:ruleset community, service http; 
reference:url,www.virustotal.com/#/file/c25cb815710871b5e984a0b002f6f57088e43c5e3f19da9e889f4b962cd4da56/detection; 
classtype:trojan-activity; sid:8000176; rev:1;)

# --------------------
# Date: 2018-07-03
# Title: MirageFox: APT15 Resurfaces With New Tools Based On Old Ones
# Tests: syntax only
# Reference: https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/
# Confidence: low-- (use for threat hunting? You assume way too much...)
# Notes: All content matches were extracted from the binaries' strings. Most of the remaining samples,
#        specifically Mirage, share the same URI patterns.

# sid 8000177: outbound request with "/image_download.php?" in the URI (fast
# pattern), "uid=" elsewhere in the URI, and "part=" in the Cookie header.
# Content derived from binary strings only (see the "Tests: syntax only" header
# above); no traffic capture backs this rule, so treat hits as hunting leads.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.RoyalAPT outbound connection"; 
flow:to_server,established; content:"/image_download.php?"; fast_pattern:only; http_uri; content:"uid="; http_uri; 
content:"part="; http_cookie; metadata:ruleset community, service http; 
reference:url,www.virustotal.com/#/file/016948ec7743b09e41b6968b42dfade5480774df3baf915e4c8753f5f90d1734/detection; 
reference:url,www.malwares.com/report/file?hash=016948EC7743B09E41B6968B42DFADE5480774DF3BAF915E4C8753F5F90D1734; 
classtype:trojan-activity; sid:8000177; rev:1;)

# sid 8000178: outbound POST with "/search?gid=" in the URI (fast pattern), a
# header buffer containing "User-Agent: Mozilla/4.0" and "Accept: */*", and no
# Referer header. "User-Agent: Mozilla/4.0" has no trailing delimiter, so it
# matches any UA beginning with that prefix; the URI token is doing most of the work.
# NOTE(review): unlike every other rule in this set this one carries no
# "metadata:ruleset community, service http;" keyword, so it will not be
# associated with the http service like its siblings.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.MirageFox outbound connection"; 
flow:to_server,established; content:"/search?gid="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0"; 
http_header; content:"Accept: */*"; http_header; content:"POST"; http_method; content:!"Referer"; http_header; 
reference:url,www.virustotal.com/#/file/28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a/detection; 
reference:url,www.virustotal.com/#/file/97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5/detection; 
classtype:trojan-activity; sid:8000178; rev:1;)

# sid 8000179: outbound request whose URI contains "/net/server.asp?" (fast
# pattern) plus the parameter names "cmd=", "&adminid=" and "&adminkey=", all
# case-insensitive. No distance/within is set, so the parameters may appear in
# any order anywhere in the URI buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Mirage variant outbound 
connection"; flow:to_server,established; content:"/net/server.asp?"; fast_pattern:only; http_uri; nocase; 
content:"cmd="; http_uri; nocase; content:"&adminid="; http_uri; nocase; content:"&adminkey="; http_uri; nocase; 
metadata:ruleset community, service http; 
reference:url,www.virustotal.com/#/file/1534432fafb21c0479343bc2d9f3991e56c75baa41c54b3470d41055bb578f8f/detection; 
reference:url,www.malwares.com/report/file?hash=1534432FAFB21C0479343BC2D9F3991E56C75BAA41C54B3470D41055BB578F8F; 
classtype:trojan-activity; sid:8000179; rev:1;)

# sid 8000180: companion to sid 8000179 for the same sample; keys on
# "/users/login.asp?" in the URI (fast pattern) together with "type=" and
# "&server_ver=", all case-insensitive and order-independent. Shares its msg text
# with sid 8000179, so alerts from the two rules are only distinguishable by sid.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Mirage variant outbound 
connection"; flow:to_server,established; content:"/users/login.asp?"; fast_pattern:only; http_uri; nocase; 
content:"type="; http_uri; nocase; content:"&server_ver="; http_uri; nocase; metadata:ruleset community, service http; 
reference:url,www.virustotal.com/#/file/1534432fafb21c0479343bc2d9f3991e56c75baa41c54b3470d41055bb578f8f/detection; 
reference:url,www.malwares.com/report/file?hash=1534432FAFB21C0479343BC2D9F3991E56C75BAA41C54B3470D41055BB578F8F; 
classtype:trojan-activity; sid:8000180; rev:1;)

Thanks.
YM
