Snort mailing list archives
Multiple signatures 023
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 12 Feb 2019 12:07:27 +0000
Hi,

Hope all is well. This post is a bit long, thanks for reading! One of the samples below is signed with a fake certificate that is issued by and has the CN of "ClamAV". Detection content for the majority of the cases below is available.

Thanks.

YM

# --------------------
# Title: Kuwait Oil Themed Malware Targeting Industry
# Reference: http://www.malcrawler.com/kuwait-oil-themed-malware-targeting-industry/
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_Gh0st_Plugx_1
# - MALWARE_Win_Trojan_Gh0st_Plugx_2
# - MALWARE_Win_Trojan_Gh0st_Plugx_DotNET
# - MALWARE_Win_Trojan_Agent
# ClamAV:
# - Xls.Exploit.DDEXML
# - Ppt.Exploit.DDEXML
# - Doc.Exploit.DDEXML
# - MALWARE_Win.Trojan.Gh0st_Plugx_1
# - MALWARE_Win.Trojan.Gh0st_Plugx_2
# - MALWARE_Win.Trojan.Gh0st_Plugx_DotNET
# - MALWARE_Win.Trojan.Agent
# Hashes:
# - DDEXML Documents:
#   - 1f9acfa49397291351d2e7344f239fa263908a75d2f4c0e558f752ef0e10be3e
#   - b3e260db478ed2512ee7012054da262bc50df68f96f0e8156826bb87c354c12b
# - Binary:
#   - a0aec4ee482600bbadf2aed728c21efba96902f4c02f6f0952c7e0593d081dab (.NET)
# - Triage:
#   - 2c080f5ece0f86e1554c27d96de325b3e66fdaf3b3c50e1f21e89be330027d2b
#   - 3dc2dfb927491848080cb53a2ff7c632eb1d7b0e61765ac1679ab921cac758cc
#   - 43c6377dfff5a4eace81f84987b6da4d9e4918d0108fba32cd5a98903e80aad2
#   - 50840fbc820980940c82d5e35cf8d92ab97776dcee48db94266f10b97c0b2a1c
#   - 81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1
#   - 8f3fc71499cb9248352f714b7341d8034039933e297188d71359d9409c284517
#   - 97c95ee7b65ea755de9d876d6b89fead7754e0d54ebf397354cd1d2656441aa4 (PlugX)
#   - 97ea837b05cfc44d7eaf7044130f5287f9811f0e9ef6114114dbbbb6a2f8d2af
#   - 9bcb326e62d58efa1432748fae230e127a2ad7af2f39711f34062c4023e41ec9
#   - cd6ccdb98213db3c84cc458adaf1fd52a23c7eaea8b2578b1efeea1be8cf8416
# Notes:
# - Memory artifacts of the .NET sample are almost the same as the artifacts found in the triaged samples.
# - One sample uses a fake certificate referencing ClamAV.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st_PlugX user-profile in outbound ephemeral port"; flow:to_server,established; content:"|5C 00 55 00 73 00 65 00 72 00 73 00 5C 00|"; fast_pattern:only; content:"|5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00|"; within:150; metadata:ruleset community; classtype:trojan-activity; sid:8000486; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st_PlugX known host infection artifact in network traffic"; flow:to_server,established; content:"|5C 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 56 00 69 00 73 00 69 00 6F 00 6E 00 5C|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:8000487; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st_PlugX directory listing inbound command"; flow:to_client,established; dsize:<30; content:"|43 00 3A 00 5C 00 2A 00 2E 00 2A 00|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:8000488; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st_PlugX start inbound command"; flow:to_client,established; dsize:<30; content:"|29 BB 66 E4|"; fast_pattern:only; content:"|73 00 74 00 61 00 72 00 74 00|"; distance:12; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000489; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st_PlugX exit inbound command"; flow:to_client,established; dsize:<25; content:"|29 BB 66 E4|"; fast_pattern:only; content:"|65 00 78 00 69 00 74 00|"; distance:12; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000490; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st_PlugX server inbound heartbeat connection"; flow:to_client,established; dsize:12; content:"|29 BB 66 E4 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:trojan-activity; sid:8000491; rev:1;)

# --------------------
# Title: The Double Life of SectorA05 Nesting in Agora (Operation Kitty Phishing)
# Reference: https://threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/
# Tests: pcaps (partial)
# Yara:
# - MALWARE_JS_SectorA05
# - MALWARE_Win_Trojan_SectorA05
# ClamAV:
# - MALWARE_JS.SectorA05
# - MALWARE_Win.Trojan.SectorA05
# Hashes:
# - 74d6b81565aeb95ee9df37ef7738d10baa9866261fb894d9ee9d67fc7c66badc (Binary)
# - 84edc9b828de54d4bd00959fabf583a1392cb4c3eab3498c52818c96dc554b90 (Binary)
# - c6c332ae1ccb580ac621d3cf667ce9c017be41f8ad04a94c0c0ea37c4789dd14 (Binary)
# - d62bf83fb5a7b148f326908051b149b77663149d47426ce749e944f7abf5d304 (Binary)
# - ea1d4ce3f4a9a70670e67d69a36e5e65b314207d4d882a7e4bc26ddfbe6177b9 (Binary)
# - 38368ada36a1d98bbc55408e26a2219ec60e0e53c8d34d67fd010af574f84e5a (JS)
# - 95f1a84103f789d1ae749a3f8a384a29b39d6766e8a13d450b6553c39aba4fd7 (JS)
# - d992c84902992867a6dfc9caf4d80f211d4d7a7d3e9e043691768bb6d73b4987 (JS)
# Notes:
# - The "serverurl" is extracted from the dropped DLL.
# - SID 8000477 addresses "2.wsf".
# - SID 8000478 addresses "3.wsf".
# - Remaining SIDs address the DLL.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; urilen:<50; content:"/board.php?v="; fast_pattern:only; http_uri; pcre:"/\/board\.php\x3fv=[abcef]/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000492; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; content:"/board.php?m="; fast_pattern:only; http_uri; content:"v="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000493; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; content:"/ping.php"; nocase; fast_pattern:only; http_uri; content:"word="; nocase; http_uri; content:"note="; nocase; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000494; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; content:".php?file=Cobra_"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000495; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.SectorA05 inbound directory search command"; flow:to_client,established; content:"200"; http_stat_code; file_data; content:"cmd|7C|dir "; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000496; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; urilen:<50; content:"/indox.php?v="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000497; rev:1;)

# --------------------
# Title:
# - Threats posed by using RATs in ICS
# - Attacks on industrial enterprises using RMS and TeamViewer
# Reference:
# - https://ics-cert.kaspersky.com/media/KL_RAT_ICS_ENG.pdf
# - https://ics-cert.kaspersky.com/media/TV_RMS_PHISHING_EN.pdf
# Tests: pcaps (partial)
# Yara:
# - MALWARE_Win_Trojan_Delph_Keylogger
# ClamAV:
# - MALWARE_Win.Trojan.Delph-Keylogger
# Hashes:
# - Delph Keylogger:
#   - 4b2860f6f66c3d0aaa9c907bffe9ccf9103c31d23bfc022f2ed6ce6c13a49a41
#   - e93cc654eb2b17bbd4b760e27d45fc0078c0a8f9b7be6b7a2c11cc78114f31aa
# Notes:
# - The destination port for the Delph keylogger has been consistent across samples, but it may not be a good idea to hardcode it.
alert tcp $EXTERNAL_NET 33033 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Delph Keylogger variant inbound connection attempt"; flow:to_client,established; dsize:<16; content:"SETDELAY "; fast_pattern:only; content:"|0D 0A|"; distance:0; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000498; rev:1;)
alert tcp $EXTERNAL_NET 33033 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Delph Keylogger variant inbound connection attempt"; flow:to_client,established; dsize:<30; content:"0808"; depth:4; content:"3F|0D 0A|"; within:24; isdataat:!1,relative; pcre:"/[0-9A-Z]{26}\x0d\x0a/"; metadata:ruleset community; classtype:trojan-activity; sid:8000499; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5000: (msg:"MALWARE-CNC Win.Trojan.Babylon RAT variant outbound connection"; flow:to_server,established; dsize:4; content:"|FF|"; offset:1; depth:1; content:"|FF|"; distance:1; isdataat:!1,relative; detection_filter:track by_src, count 10, seconds 60; metadata:ruleset community; classtype:trojan-activity; sid:8000500; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - RemoteUtilities"; flow:to_server,established; content:"<rman_message version="; fast_pattern:only; content:"<code>1</code>"; metadata:ruleset community; classtype:policy-violation; sid:8000501; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - RemoteUtilities"; flow:to_client,established; content:"<rman_message version="; fast_pattern:only; content:"<code>3</code>"; content:"</rman_message>"; distance:0; metadata:ruleset community; classtype:policy-violation; sid:8000502; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_server,established; dsize:10; content:"|06 00 00 00 81 13 14 6E 5B 69|"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:8000503; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_client,established; dsize:48; content:"|2C 00 00 00 02 00 00 00 01|"; fast_pattern:only; content:"$"; distance:2; metadata:ruleset community; classtype:policy-violation; sid:8000504; rev:1;)

# --------------------
# Title: Analyzing a new stealer written in Golang
# Reference: https://blog.malwarebytes.com/threat-analysis/2019/01/analyzing-new-stealer-written-golang/
# Tests: pcaps
# Yara:
# - MALWARE_Win_CryptoStealer_Go
# - INDICATOR_Binary_Many_Browser_Paths
# - INDICATOR_Binary_Many_Wallet_Paths
# ClamAV:
# - MALWARE_Win.CryptoStealer.Go
# - INDICATOR_Win_Binary_Many_Browser_Paths
# - INDICATOR_Win_Binary_Many_Wallet_Paths
# - INDICATOR_Osx_Binary_Many_Browser_Paths
# - INDICATOR_Osx_Binary_Many_Wallet_Paths
# Hashes:
# - 0bf24e0bc69f310c0119fc199c8938773cdede9d1ca6ba7ac7fea5c863e0f099
# - 165d016d764e1bdfe74acfe5c5f8aa5980e4ac0497a4b9794fbb35822c059749
# - 76049221cfe4beb74f12655bad6cbc42a607bc3d5977a5b8bd76df0de4286614
# - c2044e4246a58410dd96300bd2072a8d22c588beb4ad093018c0d33f240dbabd
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoStealer variant outbound connection"; flow:to_server,established; urilen:12; content:"/landing.php"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data|3B|"; http_header; content:"User-Agent: G"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000505; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoStealer variant outbound connection"; flow:to_server,established; urilen:15; content:"/uploadfpeg.php"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data|3B|"; http_header; content:"User-Agent: G"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000506; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE user profile path in filename upload detected"; flow:to_server,established; content:"|3B| filename=|22|C:|5C 5C|Users|5C 5C|"; nocase; fast_pattern:only; http_client_body; content:"POST"; http_method; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000507; rev:1;)

# --------------------
# Title: Win.Trojan.Fsysna/Fakewmi
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_Fakewmi
# - INDICATOR_Win_Binary_Many_Builtin_Commands
# - INDICATOR_Win_Binary_Many_Builtin_Executables
# - INDICATOR_Win_Binary_Process_Name_Manipulation
# - INDICATOR_Win_Binary_HTTP_Query_Strings
# ClamAV:
# - MALWARE_Win.Trojan.Fakewmi
# - INDICATOR_Win_Binary_Many_Builtin_Commands
# - INDICATOR_Win_Binary_Many_Builtin_Executables
# - INDICATOR_Win_Binary_Process_Name_Manipulation
# - INDICATOR_Win_Binary_HTTP_Query_Strings
# Hashes:
# - bdbfa96d17c2f06f68b3bcc84568cf445915e194f130b0dc2411805cf889b6cc
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt"; flow:to_server,established; content:".png?ID="; fast_pattern:only; http_uri; content:"&MAC="; http_uri; content:"&OS="; http_uri; content:"&BIT="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000508; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt"; flow:to_server,established; content:".exez?ID="; fast_pattern:only; http_uri; content:"&GUID="; http_uri; content:"&_T="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000509; rev:1;)

# --------------------
# Title: Win.Trojan.FormBook
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Doc_OOXML_Dropper_Ole_RemoteTemplate
# - MALWARE_RTF_Equation_BITSAdmin_Downloader
# - MALWARE_RTF_Equation_PowerShell_Downloader
# - MALWARE_RTF_Excel_URLDownloadToFile
# ClamAV:
# - MALWARE_Doc.OOXML.Dropper.Ole-RemoteTemplate
# - MALWARE_RTF_Equation_BITSAdmin_Downloader
# - MALWARE_RTF_Equation_PowerShell_Downloader
# - MALWARE_RTF_Excel_URLDownloadToFile
# Hashes:
# - Stage 1 - Infection Vector | OOXML OLE Remote Template:
#   - 8f0ecc502cfdfb9837454780c84c655afba8fda2c7958ccd692d7ea26ee77614
# - Stage 2 - Dropper | RTF Equation + BITSAdmin:
#   - 055d5b1fb482131511eff925ac9d02cd1e6c8a0cd700fcbcb61b31d9cd55e7f0
#   - 2da9452c712af4ba9a05520b5794677e2c23ccebbc494695dfde00434b345f48
#   - 9a81cac30204b0282822cc2cacb104af0124b12356e0dccf012ed591ba46a11c
# - Stage 3 - Binary:
#   - 1af2cca9a11ed769d8f8dbcec9781ae51b09ba8913ab39435b0cd181471dca8e
#   - 265e1f8116d36db0ff1e3fe9b4c02fec24c6214a64200742de5b1cf00edf80c9
#   - 2c63b771b02ed30125c322c7d3ce20814427f59901f676d2da5b0ab337ad7fcc
#   - 61927b53f39c5e64a47b18b2a9b46d7b7b91d718f28e1a62cad76bbe7cf48374
#   - 81de431987304676134138705fc1c21188ad7f27edf6b77a6551aa693194485e
#   - e071ef17536726ce1f71b8b31e850ae13e25f822ecb0f3af55b17bca0a02d207
#   - fa8acd9d8beb7e4e91665be1879a2e4e018f6e79e42f4299d4c4273c4b8bfc82
# Notes:
# - The infection vector dropped 1 file, but the server is an opendir (screenshots attached):
#   - Second Stage > hxxps://amigosforever[.]net/d/
#   - Third Stage > hxxps://amigosforever[.]net/j/
# - Persistence:
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Run\9REX1NGPHZ > C:\Program Files (x86)\e_0qlbpy\zhqlg470gralan.exe
# - FormBook C&C Domains:
#   www[.]agitatrice-de-bien-etre[.]com, www[.]bwijbb[.]info, www[.]clanografica[.]com,
#   www[.]dentalexcellencelosaltos[.]com, www[.]fazchin[.]com, www[.]franksautossales[.]com,
#   www[.]hopirates[.]com, www[.]mygermancars[.]net, www[.]northcapital-holding[.]com,
#   www[.]npmxwj[.]com, www[.]oorrq[.]com, www[.]rootbet99[.]com, www[.]runningmanual[.]site,
#   www[.]talariviera[.]com, www[.]virgycanta[.]com, www[.]witchyaudrey[.]com
# - The SID below is a modified revision of SID 8000225 submitted in "Multiple signatures 008".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FormBook variant outbound connection"; flow:to_server,established; urilen:<6; content:"Connection: close|0D 0A|Content-Length:"; http_header; content:"Cache-Control: no-cache|0D 0A|Origin:"; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|Accept: */*|0D 0A|Referer:"; http_header; content:"POST"; http_method; content:"="; depth:10; http_client_body; pcre:"/\/[a-z0-9]{2,3}\//U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000225; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE RTF document with Equation and BITSAdmin download attempt"; flow:to_client,established; flowbits:isset,file.rtf|file.doc; file_data; content:"0200000002CE020000000000C000000000000046"; nocase; content:"6269747361646d696e"; nocase; metadata:ruleset community, service http, service imap, service pop3, service ftp-data; classtype:trojan-activity; sid:8000510; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE RTF document with Equation and BITSAdmin download attempt"; flow:to_server,established; flowbits:isset,file.rtf|file.doc; file_data; content:"0200000002CE020000000000C000000000000046"; nocase; content:"6269747361646d696e"; nocase; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000511; rev:1;)

# --------------------
# Title: Actor with Multiple Simultaneous Open Directories Serving Various Stealers (HawkEye, LokiBot, AgentTesla, Azorult)
# Reference: Research
# Tests: pcaps (partial)
# Yara:
# - MALWARE_Multi_Stealer_MultiDelph_Packed
# - MALWARE_Win_Trojan_MSIL_Noon
# ClamAV:
# - MALWARE_Win.Trojan.Stealer_MultiDelph_Packed
# - MALWARE_Win.Trojan.MSIL.Noon
# - MALWARE_Win.Trojan.AutoIt
# - MALWARE_Doc.Trojan.Downloader
# - MALWARE_Ppt.Trojan.Downloader
# - MALWARE_Xls.Trojan.Downloader
# Hashes:
#   (SHA-256 list of the sample set omitted)
# Notes:
# - All open directories are hosted on: 23[.]94[.]188[.]246
# - "Panel.rar" appears to be the "HawkEye Keylogger - Reborn v9" panel.
# - Current active open directories (screenshots attached):
#   - jessecloudserver[.]xyz/q
#   - jesseworld[.]eu
#   - kings[.]jesseworld[.]eu
#   - interbizservices[.]eu/images
#   - modcloudserver[.]eu
#   - modexcommunications[.]eu
#   - sylvaclouds[.]eu
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to bot.whatismyipaddress.com"; flow:to_server,established; content:"Host: bot.whatismyipaddress.com"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:8000512; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla variant outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: "; content:" Recovered Accounts"; within:150; fast_pattern; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000513; rev:1;)

# --------------------
# Title: Triout Android Spyware Framework Makes a Comeback, Abusing App with 50 Million Downloads
# Reference:
# - https://labs.bitdefender.com/2019/02/triout-android-spyware-framework-makes-a-comeback-abusing-app-with-50-million-downloads/
# - https://labs.bitdefender.com/wp-content/uploads/downloads/triout-the-malware-framework-for-android-that-packs-potent-spyware-capabilities/
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes:
# - 3a3640b6d395f6b48239e38d874bfcf3d31f1d4886edec974c20c01448a96fa3
# Notes: These were sent before but we did not have a hash or pcaps.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout/ViceLeaker outbound connection - Call Records"; flow:to_server,established; content:"call3.php"; fast_pattern:only; http_uri; content:"pid="; http_client_body; content:"&callid="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000282; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout/ViceLeaker outbound connection - SMS Records"; flow:to_server,established; content:"/script3.php"; fast_pattern:only; http_uri; content:"pid="; http_client_body; content:"&smsbody="; http_client_body; content:"&smssender="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000283; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout/ViceLeaker outbound connection - Call Log"; flow:to_server,established; content:"/calllog.php"; fast_pattern:only; http_uri; content:"pid="; http_client_body; content:"&callname="; http_client_body; content:"&callnum="; http_client_body; content:"&calldate="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000284; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout/ViceLeaker outbound connection - Camera Capture"; flow:to_server,established; content:"/uppc.php"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|uploaded_file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000285; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout/ViceLeaker outbound connection - Call Logs"; flow:to_server,established; content:"/upcal.php"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|uploaded_file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000286; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Triout/ViceLeaker outbound connection - GPS"; flow:to_server,established; content:"/gps3.php"; fast_pattern:only; http_uri; content:"pid="; http_client_body; content:"&lat="; http_client_body; content:"&long="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000287; rev:2;)

# --------------------
# Title: Threat Actor "Magecart": Coming to an eCommerce Store Near You
# Reference: https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/
# Tests: NA
# Yara: NA
# ClamAV: NA
# Hashes: NA
# Notes: Not sure if this is "good" detection, too many assumptions.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/rewards/customer_notifications/unsubscribe/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000514; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/appointment/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000515; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/AvisVerifies/dialog/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000516; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/pdffree/Product/pdfsave/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content: !"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000517; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/ajax/Showroom/submit/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000518; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/netgocust/Gwishlist/updategwishlist/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000519; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/CustomGrid/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000520; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/simplebundle/Cart/add/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000521; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/layaway/view/add/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000522; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/multidealpro/index/edit/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000523; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/vendors/credit/withdraw/review/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000524; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/customgrid/Blcg_Column_Renderer_index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000525; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/tabshome/index/ajax/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000526; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/customgrid/Blcg/Column/Renderer/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000527; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/customgrid/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000528; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/aheadmetrics/auth/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000529; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/gwishlist/Gwishlist/updategwishlist/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000530; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/vendors/credit_withdraw/review/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000531; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/vendors/withdraw/review/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000532; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/emaildirect/abandoned/restore/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000533; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/rewards/notifications/unsubscribe/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000534; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/bssreorderproduct/list/add/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000535; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/advancedreports/chart/tunnel/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000536; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/minifilterproducts/index/ajax/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000537; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established; content:"/ajaxproducts/index/index/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000538; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound scan for potentially vulnerable plugin"; flow:to_server,established;
content:"/qquoteadv/download/downloadCustomOption/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000539; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/freegift/cart/gurlgift/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000540; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/madecache/varnish/esi/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000541; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/rewards/customer/notifications/unsubscribe/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000542; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/prescription/Prescription/amendQuoteItemQty/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000543; rev:1;)
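The rules above all share one shape: a POST whose normalized URI contains a plugin path and "dl=", with no Referer header. When a batch like this is submitted, two things are worth checking before it is loaded: that the sids are unique and consecutive (the batch above has 800024 sitting between 8000523 and 8000525), and that the content/buffer logic fires only on the traffic it is meant to. The script below is an added example, not code from the post, from Snort or from Talos. It parses three sample rules constructed in the same shape as the post's, lints their sids and buffer modifiers, and dry-runs the content logic against constructed HTTP requests. It models only the content, http_uri, http_method and http_header options (no flow tracking, no URI normalization, no nocase), so it is a review aid, not a substitute for testing against pcaps in Snort itself.

```python
"""Lint and dry-run Snort 2 rules of the shape posted above (added example)."""
import re
from collections import Counter

# Constructed sample rules in the post's shape; the third carries an
# out-of-sequence sid so the lint has something to report.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/simplebundle/Cart/add/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000521; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/layaway/view/add/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000522; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-SERVER inbound Scan for potential vulnerable plugin"; flow:to_server,established; content:"/vendors/credit/withdraw/review/"; fast_pattern:only; http_uri; content:"dl="; http_uri; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:800024; rev:1;)
'''

# One rule option: name, optional ':' value (quoted, negated-quoted, or bare), then ';'
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|!"(?:[^"\\]|\\.)*"|[^;]*))?;')
BUFFERS = {"http_uri", "http_method", "http_header"}


def parse_rule(text):
    """Split a rule into its header, option list, sid and (buffer, negated, literal) contents."""
    header, _, body = text.strip().partition("(")
    body = body.rstrip().rstrip(")")
    options, pos = [], 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError("cannot parse options near: %r" % body[pos:pos + 40])
        options.append((m.group(1), m.group(2)))
        pos = m.end()
    contents = []
    for name, value in options:
        if name == "content":
            negated = value.startswith("!")
            contents.append(["payload", negated, value.lstrip("!").strip('"')])
        elif name in BUFFERS and contents:
            contents[-1][0] = name      # Snort 2 modifiers apply to the preceding content
    sid = next(int(v) for n, v in options if n == "sid")
    return {"header": header.strip(), "sid": sid, "options": options,
            "contents": [tuple(c) for c in contents]}


def load_rules(text):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def lint(rules):
    """Report duplicate or non-consecutive sids and contents without an http_* buffer."""
    issues = []
    for sid, n in Counter(r["sid"] for r in rules).items():
        if n > 1:
            issues.append("duplicate sid %d (%d rules)" % (sid, n))
    sids = [r["sid"] for r in rules]
    for prev, cur in zip(sids, sids[1:]):
        if cur != prev + 1:
            issues.append("sid %d does not follow %d" % (cur, prev))
    for r in rules:
        for buf, _, literal in r["contents"]:
            if buf == "payload":
                issues.append("sid %d: content %r has no http buffer modifier" % (r["sid"], literal))
    return issues


def rule_matches(rule, request):
    """Evaluate the content/http_* logic only; request is a dict of method, uri, headers."""
    views = {"http_method": request["method"], "http_uri": request["uri"],
             "http_header": request["headers"], "payload": request.get("payload", "")}
    for buf, negated, literal in rule["contents"]:
        if (literal in views[buf]) == negated:   # positive must be found, negated must be absent
            return False
    return True


def first_match(rules, request):
    """Return the sid of the first matching rule, or None."""
    return next((r["sid"] for r in rules if rule_matches(r, request)), None)


# Constructed requests: a scan-shaped POST, the same with a Referer, and a plain GET.
HIT = {"method": "POST", "uri": "/layaway/view/add/?dl=1",
       "headers": "Host: shop.example\r\nContent-Type: application/x-www-form-urlencoded\r\n"}
WITH_REFERER = dict(HIT, headers=HIT["headers"] + "Referer: https://shop.example/cart\r\n")
GET = dict(HIT, method="GET")

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    print("lint:", lint(rules) or "clean")
    for name, req in (("HIT", HIT), ("WITH_REFERER", WITH_REFERER), ("GET", GET)):
        print(name, "->", first_match(rules, req))
```

The negated Referer check is what keeps these rules from firing on ordinary storefront form posts, which normally carry a Referer; the dry run makes that behaviour visible before the rule reaches a sensor.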
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
Current thread:
- Multiple signatures 023 Y M via Snort-sigs (Feb 12)
- Re: Multiple signatures 023 Matthew Mickel (Feb 12)