Snort mailing list archives

Re: Multiple signature 020


From: Matthew Mickel <mmickel () sourcefire com>
Date: Wed, 2 Jan 2019 08:11:33 -0500

Hi, Yaser-

Thanks for your submissions.  We will review/test the rules and get back to you when they’re finished.  Any PCAPs that 
you can send along are greatly appreciated.  Happy New Year!  Best,

Matt Mickel

On Jan 1, 2019, at 8:30 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hello,

Here is a new set of Snort signatures. Pcaps and Yara/ClamAV rules are also available for all cases.

Thank you and happy holidays/new year.
YM

# --------------------
# Date: 2018-11-28
# Title: Fake Flash updates propagating cryptocurrency mining
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_ExpressCMS
# ClamAV:
#   - MALWARE_Win.Trojan.ExpressCMS
# Hashes:
#   - 08486e2639cbd7f21416ce17db1fd0edffaa3c521dd8458123b60f9ba4bfe74f
#   - fdf8147843781e43ae4781e62ef65126920c3b38c4736687d5f41b8fac9f6471
# Note:
#   - Yara/ClamAV signatures focus less on mining functionality.
#   - Newly observed URL:
#     - 95[.]163[.]180[.]206/flashplayer_down[.]php?clickid=[a-z0-9]{16}
#     - 95[.]163[.]208[.]11/flashplayer_down[.]php?clickid=[a-z0-9]{16}

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Fake Flash Player download attempt"; flow:to_server,established; content:"/flashplayer_down.php?"; fast_pattern; http_uri; content:"clickid="; distance:0; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000425; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExpressCMS outbound connection attempt"; flow:to_server,established; content:"/click.php?cnv_id="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000426; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExpressCMS outbound connection attempt"; flow:to_server,established; content:"/click.php?key="; fast_pattern; http_uri; content:"id="; within:15; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000427; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExpressCMS outbound connection attempt"; flow:to_server,established; content:"User-Agent: jdlnb|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000428; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExpressCMS outbound connection attempt"; flow:to_server,established; content:"Gkjfdshfkjjd: dsdjdsjdhv"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000429; rev:1;)

# --------------------
# Date: 2018-11-29
# Title: Sofacy, APT28
# Reference: Triage from:
#   - http://malware.prevenity.com/2018/11/spear-phishing-attack-on-gov-in-poland.html
#   - https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/
#   - https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_Zebrocy
# ClamAV: 
#   - MALWARE_Doc.Dropper.RemotTempalteH
#   - MALWARE_Doc.Dropper.RemotTempalteF
# Hashes:
#   - 1851d96696d3db565c028e7fb5164d7c8428973b939b9e6185dd573e7408b194
#   - 2b19497db8cb05cd3d22996efe5af8eac0f2ea51e80f606b7b8a79dfaa2f58e2
#   - 34bdb5b364358a07f598da4d26b30bac37e139a7dc2b9914debb3a16311f3ded
#   - 77ff53211bd994293400cb3f93e3d3df6754d8d477cb76f52221704adebad83a
#   - dcbc770aeea8ad4c3f45b89535b4cb3592d6c627d6cf92ec7dfe2f8b41cda998
#   - ed8f52cdfc5f4c4be95a6b2e935661e00b50324bee5fe8974599743ccfd8daba

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zekapab outbound connection"; flow:to_server,established; content:"/company-device-support/values/correlate-sec.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000430; rev:1;)

# --------------------
# Date: 2018-11-29
# Title: Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups
# Reference: Triage from:
#   - https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/
#   - https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan
# Tests: pcap
# Yara:
#   - MALWARE_Win_Trojan_BitterRAT
# ClamAV:
#   - MALWARE_Win.Trojan.BitterRAT
# Hashes:
#   - 121a0e5e66cc7bdc78387b2e67222eb0349ca038e5aced3ed0eccb167106a40e
#   - 705487b3deaf5f2ffa3240208044015e836cf4b32ef817154e23cb9f5859993f
#   - f5afe24061226630faa0f1a125e011819627cee3254060bdf2691bad65ff1d1c
# Notes:
#   - Win.Trojan.BitterRAT snort rules were submitted 
#     on 2018-02-02, resubmitting with modifications.
#   - It is interesting that there are cases of 
#     BitterRAT targeting Pakistan since 2016.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:".php?TIe="; fast_pattern:only; http_uri; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000431; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:".php?cId="; fast_pattern:only; http_uri; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000432; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant inbound connection"; flow:to_client,established; file_data; content:"#|0D 0A|SIZE: #"; depth:30; fast_pattern; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000433; rev:1;)

# --------------------
# Date: 2018-11-29
# Title: TechyUtils at it again - APMHelper
# Reference: Research
# Tests: pcaps, live, sandbox
# Yara:
#   - MALWARE_Osx_Trojan_TechyUtils
# ClamAV:
#   - MALWARE_Osx.Trojan.TechyUtils
# Hashes:
#   - 03663482197053dafb75fb15b9b2f0e93ef3d2237d96da37ad0ce484eb8bc2e9
#   - 444d85360e6cf24b9808bab627b69cbdc82dc6d6471e1785e4046d355cee1ad2
#   - 9d5c291aae4dbe0925627484712207fc165cbe36a649cff7e3346164ad1c1406
#   - cf00d0789911e58cf1d6fcdb1da64dfe7b0b91c1737b6ad0369a9a968dab214a
# URLs:
#   - hxxp://cdn[.]advancedpasswordmanager[.]com/apm/update/APMHelper.zip

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.APMHelper outbound connection"; flow:to_server,established; content:"User-Agent: APMHelper/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000434; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.TechyUtils initial post-installation connection"; flow:to_server,established; content:"/productprice.svc/GetCountryCode"; fast_pattern:only; http_uri; content:"Darwin"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000435; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.TechyUtils plist retrieval connection"; flow:to_server,established; content:"/prefs/"; http_uri; content:".plist"; http_uri; fast_pattern; content:"Darwin"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000436; rev:1;)

# --------------------
# Date: 2018-11-29
# Title: Middle East Cyber-Espionage
# Reference:
#   - https://objective-see.com/blog/blog_0x3B.html
#   - https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf
# Tests: pcaps
# Yara:
#   - MALWARE_Osx_Trojan_WindTail
# ClamAV:
#   - MALWARE_Osx.Trojan.WindTail
# Hashes:
#   - 03663482197053dafb75fb15b9b2f0e93ef3d2237d96da37ad0ce484eb8bc2e9
#   - 444d85360e6cf24b9808bab627b69cbdc82dc6d6471e1785e4046d355cee1ad2
#   - 9d5c291aae4dbe0925627484712207fc165cbe36a649cff7e3346164ad1c1406
#   - cf00d0789911e58cf1d6fcdb1da64dfe7b0b91c1737b6ad0369a9a968dab214a

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection attempt"; flow:to_server,established; content:".php?very="; fast_pattern:only; http_uri; content:"&xnvk="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000437; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection attempt"; flow:to_server,established; content:"User-Agent: usrnode/"; fast_pattern:only; http_header; content:"Darwin/"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000438; rev:1;)

# --------------------
# Date: 2018-12-30
# Title: Bug in Malware “TSCookie” - Fails to Read Configuration
# Reference: https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_TSCookie_VAR1
# ClamAV:
#   - MALWARE_Win.Trojan.TSCookie_VAR1
# Hashes:
# Notes:
#   - Last URL query string appears to change.

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.TSCookie variant outbound connection attempt"; flow:to_server,established; content:"POST /t"; content:".aspx?m="; within:20; fast_pattern; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000439; rev:1;)

# --------------------
# Date: 2019-01-01
# Title: Sofacy Creates New ‘Go’ Variant of Zebrocy Tool
# Reference: https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_Zebrocy_GO_Tools
#   - MALWARE_Doc_IO_Suspicious
# ClamAV:
#   - MALWARE_Win.Trojan.Zebrocy_GOVAR1
#   - MALWARE_Win.Trojan.Zebrocy_GOVAR2
#   - MALWARE_Doc.Dropper.RemotTempalteH
# Hashes:
#   - 15a866c3c18046022a810aa97eaf2e20f942b8293b9cb6b4d5fb7746242c25b7
#   - f868e88eb2524d15cfcd87afdf697074e0f9785792f342044501347dce549a1f
#   - 04bd6c3d9fa30b4d9410b89ba44c9e29aab22a1345115e8eef9cddc86d1eea25
#   - 346e5dc097b8653842b5b4acfad21e223b7fca976fb82b8c10d9fa4f3747dfa0 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection attempt"; flow:to_server,established; content:"/advance/portable_version/service.php"; fast_pattern:only; http_uri; content:"project="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000440; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection attempt"; flow:to_server,established; content:"/technet-support/library/online-service-description.php"; fast_pattern:only; http_uri; content:"id_name="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000441; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection attempt"; flow:to_server,established; content:"/Templates/NormalOld.dotm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000442; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection attempt"; flow:to_server,established; content:"POST / HTTP/1.1"; content:"User-Agent: Go-"; http_header; content:"project="; http_client_body; content:!"Connection"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000443; rev:1;)
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
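Several of the submitted rules detect malware partly by what a request does not carry: the BitterRAT rules (sid 8000431/8000432) pair a URI pattern and `Connection: close` with negated `User-Agent`, `Accept` and `Referer` headers, and the Zebrocy Go rule (sid 8000443) keys on a Go client User-Agent with no `Connection` header at all, each `content` scoped to one HTTP buffer. The following Python, added here as an illustration and not part of YM's submission or of Snort itself, restates sid 8000431 and sid 8000443 as predicates over the http_uri, http_header and http_client_body buffers and runs them over three constructed requests, including an ordinary browser request that shares the BitterRAT URI pattern but is cleared by the negated headers. The host name and request bodies are made up; the buffer splitting is a deliberate simplification of Snort's HTTP inspection (no URI normalization, no chunking or pipelining).

```python
"""Added example, not from the original post or from Snort: sids 8000431 and
8000443 restated as Python predicates over Snort-style HTTP buffers and run
over constructed requests."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    uri: str          # what the rules' http_uri contents see (unnormalized here)
    version: str
    headers: bytes    # header lines with their CRLFs, as http_header sees them
    body: bytes       # request body, as http_client_body sees it


def parse_request(raw: bytes) -> HttpRequest:
    """Split one raw client request into the buffers the rules inspect.
    Simplification: no URI normalization, no chunked or pipelined handling."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_lines = head.partition(b"\r\n")
    method, uri, version = request_line.split(b" ", 2)
    header_buf = header_lines + b"\r\n" if header_lines else b""
    return HttpRequest(method.decode(), uri.decode(), version.decode(), header_buf, body)


def matches_bitterrat_8000431(req: HttpRequest) -> bool:
    """sid 8000431: '.php?TIe=' in http_uri, 'Connection: close' CRLF in
    http_header, and none of User-Agent / Accept / Referer in http_header.
    The negated contents separate the RAT's bare request from a browser
    hitting the same path."""
    return (
        ".php?TIe=" in req.uri
        and b"Connection: close\r\n" in req.headers
        and not any(h in req.headers for h in (b"User-Agent", b"Accept", b"Referer"))
    )


def matches_zebrocy_go_8000443(req: HttpRequest) -> bool:
    """sid 8000443: raw 'POST / HTTP/1.1' request line, 'User-Agent: Go-' in
    http_header, 'project=' in http_client_body, and no Connection header."""
    return (
        (req.method, req.uri, req.version) == ("POST", "/", "HTTP/1.1")
        and b"User-Agent: Go-" in req.headers
        and b"project=" in req.body
        and b"Connection" not in req.headers
    )


RULES = {8000431: matches_bitterrat_8000431, 8000443: matches_zebrocy_go_8000443}

# Constructed samples (not captured traffic). "browser_benign" shares the
# BitterRAT URI pattern but carries the headers a browser would send.
SAMPLES = {
    "bitterrat_like": (
        b"GET /gate.php?TIe=ABC123 HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"Connection: close\r\n"
        b"\r\n"
    ),
    "zebrocy_go_like": (
        b"POST / HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: Go-http-client/1.1\r\n"
        b"Content-Length: 15\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"\r\n"
        b"project=abcdefg"
    ),
    "browser_benign": (
        b"GET /gate.php?TIe=ABC123 HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: Mozilla/5.0\r\n"
        b"Accept: */*\r\n"
        b"Connection: close\r\n"
        b"\r\n"
    ),
}


def evaluate(raw: bytes) -> list[int]:
    """Return the sids whose predicate fires on one raw request."""
    req = parse_request(raw)
    return [sid for sid, pred in RULES.items() if pred(req)]


def evaluate_all() -> dict[str, list[int]]:
    return {name: evaluate(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in evaluate_all().items():
        print(f"{name:16s} -> {sids or 'no alert'}")
```

Running the block reports one sid for each of the two malware-shaped requests and no alert for the browser request, which is the point of the negated header contents: the URI alone would be a false positive. In production these checks are made by Snort's HTTP inspection against real traffic; the reimplementation only makes the rules' buffer scoping and header-absence logic explicit.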
