Snort mailing list archives
Re: Multiple signatures 027
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 7 May 2019 17:00:02 +0000
We now have the full URL for the Osx.Adware.MACAgent from a positive hit of SID 8000600:

GET /c/ci?ct=clpy&tm=1&id=<IOPlatformUUID>&mvr=10.14.4 HTTP/1.1..Accept-Encoding: identity..Host: www[.]orolk[.]space..Connection: close..User-Agent: Python-urllib/2.7....

This updates the signature to (pcre maybe removed?):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.MACAgent variant outbound connection"; flow:to_server,established; content:"&tm="; http_uri; content:"&id="; http_uri; content:"&mvr="; http_uri; content:"User-Agent: Python-urllib/"; fast_pattern:only; http_header; pcre:"/\x26mvr=[0-9]{2}\.[0-9]{2}(\.[0-9]{1,2})?/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000600; rev:2;)

Thank you.

________________________________
From: Matthew Mickel <mmickel () sourcefire com>
Sent: Friday, May 3, 2019 3:42 PM
To: Y M
Cc: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] Multiple signatures 027

Hi, Yaser-

Thanks for your submissions. We will test these and get back to you with the results. Any PCAPs or Yara/ClamAV signatures you can provide are greatly appreciated.

Best,
Matt Mickel

On May 2, 2019, at 1:23 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hello,

Please find the below Snort rules for multiple cases. PCAPs and Yara/ClamAV signatures are available for the majority of them.

Thank you.
YM

# --------------------
# Title: CVE-2018-20062 = Win.Trojan.Zegost + Mimikatz + Cryptocurrency Mining + Network Scanner + Packet Capture
# Reference: Research
# Tests: pcaps
# Yara:
# - INDICATOR_Binary_References_WebLogic_Exploit_Artifacts
# - INDICATOR_Binary_References_EternalBlue_Exploit_Artifacts
# - INDICATOR_Binary_References_ApacheStrusts_Exploit_Artifacts
# ClamAV:
# Hashes: (list omitted)
# Note:
# - The initial binary was attempted via CVE-2018-20062.
# - Full execution fails since the directory "miagration" does not exist, so we manually create it.
# - Existing Yara/ClamAV signature hits:
# 1. TOOL_PWS_Mimikatz
# 2. INDICATOR_Excutable_Packed_Armadillo
# 3. INDICATOR_Binary_References_Sandbox_Hooking_DLL
# 4. INDICATOR_Binary_Process_Name_Manipulation
# 5. INDICATOR_Binary_References_Many_Builtin_Windows_Executables (Updated)
# - Triaged samples:
# - a16243c45805e2b249babf3115915730c7b91b378f6a6795fac08436c0e75943
# - 85d219b921107ebdbb02d677bf2c61143aa9d6b6978dbbcc2c35d33351c05f19

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zegost variant outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.0)|0D 0A|Accept: */*|0D 0A|"; content:"Cache-Control: no-cache|0D 0A|"; content:!"Content"; content:!"Referer"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000582; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Zegost variant cryptocurrency miner configuration retrieval response"; flow:to_client,established; file_data; content:"[UpdateNode]"; content:"[MainUpdate]"; content:"[Download]"; content:"[mining]"; nocase; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000583; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zegost variant outbound connection"; flow:to_server,established; urilen:8; content:"/cfg.ini"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000584; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zegost variant outbound connection"; flow:to_server,established; urilen:7; content:"/ic.asp"; fast_pattern:only; http_uri; content:"Accept: */*|0D 0A|"; http_header; content:"Cache-Control: no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; content:!"Accept-"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000585; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE binary file download attempt from HFS server"; flow:to_client,established; content:"Server: HFS "; content:"Set-Cookie: HFS_SID_="; content:"Content-Disposition: attachment|3B|"; file_data; content:"MZ"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000586; rev:1;)

# --------------------
# Title: PS2EXE
# Reference: https://threatrecon.nshc.net/2019/03/07/sectord02-powershell-backdoor-analysis/
# Tests: pcaps (file2pcap)
# Yara:
# - INDICATOR_Executable_Packed_PS2EXE
# ClamAV:
# - INDICATOR_Executable_Packed_PS2EXE
# Hashes:
# - 4cdf04c09d144c0c1b5ec7ac91009548db1546e1d1ed4d6fbfb64942a0bd0394 (PS2EXE)
# - d95fada028969497d732771c4220e956a94a372e3fd543ba4d53b9a927cabe1c (PS2EXE)
# Note: Interesting detection results with a larger data set.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE_EXECUTABLE PS2EXE packed binary download attempt detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"PS2EXE"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000587; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE_EXECUTABLE PS2EXE packed binary download attempt detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"PS2EXE"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000588; rev:1;)

# --------------------
# Title: More packers/builders: ASPack and Titan
# Reference: Research
# Tests: pcaps (file2pcap)
# Yara:
# - INDICATOR_Excutable_Packed_ASPack
# - INDICATOR_Excutable_Packed_Titan
# ClamAV:
# - INDICATOR_Excutable_Packed_ASPack
# - INDICATOR_Excutable_Packed_Titan
# Hashes: (list omitted)
# Note: NA

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE_EXECUTABLE ASPack packed binary download attempt detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|2E 61 73 70 61 63 6B 00 00|"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000589; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE_EXECUTABLE ASPack packed binary download attempt detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|2E 61 73 70 61 63 6B 00 00|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000590; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE_EXECUTABLE Titan packed binary download attempt detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|2E 74 69 74 61 6E 00 00|"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000591; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE_EXECUTABLE Titan packed binary download attempt detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|2E 74 69 74 61 6E 00 00|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000592; rev:1;)

# --------------------
# Title: Win.Trojan.PowerShell_Keylogger
# Reference: Research
# Tests: pcaps
# Yara:
# - INDICATOR_MSI_References_Free_EXE2MSI_Converter
# - INDICATOR_MSI_References_AutoIt_Artifacts
# ClamAV:
# - INDICATOR_MSI_References_Free_EXE2MSI_Converter
# - INDICATOR_MSI_References_AutoIt_Artifacts
# Hashes:
# - 4b16f75feb826bc076697bfccc5fe5280da2a4255dee4c4441cb6750a24d5f98
# Note:
# - C&C traffic has hits on existing Snort signatures sent in "Multiple Signatures 009". They are added here with slight modifications.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE_EXECUTABLE EXE2MSI binary download attempt detected"; flow:to_client,established; flowbits:isset,file.msi|file.ole; file_data; content:"Exe to msi converter free"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000593; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE_EXECUTABLE EXE2MSI binary download attempt detected"; flow:to_server,established; flowbits:isset,file.msi|file.ole; file_data; content:"Exe to msi converter free"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000594; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DelfAgent outbound connection"; flow:to_server,established; content:"|7C|SYSTEM|7C|WIN_"; fast_pattern; content:"|7C|X64|7C|"; within:10; metadata:ruleset community; classtype:trojan-activity; sid:8000256; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DelfAgent outbound connection"; flow:to_server,established; content:"|7C|SYSTEM|7C|WIN_"; fast_pattern; content:"|7C|X86|7C|"; within:10; metadata:ruleset community; classtype:trojan-activity; sid:8000257; rev:2;)

# --------------------
# Title: Win.Trojan.NetWire
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_NetWire
# - MALWARE_Win_Trojan_NetWire_Packed
# - MALWARE_Win_Trojan_NetWire_Packed_AU3
# - MALWARE_Win_Trojan_NetWire_Packed_Bonsai
# - MALWARE_Html_SinonX_Shell
# - INDICATOR_Pwsh_References_Concatenated_Base64_File_Execution
# ClamAV:
# - MALWARE_Win.Trojan.NetWire
# - MALWARE_Win.Trojan.NetWire_Packed
# - MALWARE_Win.Trojan.NetWire_Packed-AU3
# - MALWARE_Win.Trojan.NetWire_Packed-Bonsai
# - MALWARE_Html.SinonX_Shell
# - MALWARE_Html.SinonX_Shell-Mini
# - MALWARE_MEM_Binary_References_Html.SinonX_Shell
# - INDICATOR_Pwsh_References_Concatenated_Base64_File_Execution
# Hashes: (list omitted)
# Note:
# - Existing Yara/ClamAV/Snort rules hits:
# 1. INDICATOR_LNK_References_Download_Execution_Artifacts
# 2. INDICATOR_Internet_Shortcut_References_Local_Executable
# 3. MALWARE_RTF_Excel_URLDownloadToFile
# 4. INDICATOR_Excutable_Packed_ASPack
# 5. SID: 8000503-8000504 (Imminent)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWire variant outbound connection"; flow:to_server,established; dsize:5; content:"|01 00 00 00|"; depth:4; byte_test:1, >, 95, 0, relative; metadata:ruleset community; classtype:trojan-activity; sid:8000595; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.NetWire variant outbound connection"; flow:to_client,established; dsize:5; content:"|01 00 00 00|"; depth:4; byte_test:1, >, 95, 0, relative; metadata:ruleset community; classtype:trojan-activity; sid:8000596; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWire variant outbound connection"; flow:to_server,established; dsize:<80; content:"|41 00 00 00|"; depth:4; byte_test:1, >, 95, 0, relative; metadata:ruleset community; classtype:trojan-activity; sid:8000597; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_server,established; dsize:10; content:"|06 00 00 00 81 13 14 6E 5B 69|"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:8000503; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_client,established; dsize:48; content:"|2C 00 00 00 02 00 00 00 01|"; fast_pattern:only; content:"$"; distance:2; metadata:ruleset community; classtype:policy-violation; sid:8000504; rev:1;)

# --------------------
# Title: Osx.Adware.AMC-PCVARK-TechyUtils
# Reference: Research
# Tests: pcaps
# Yara: MALWARE_Osx_Adware_AMC_PCVARK_TechyUtils
# ClamAV: MALWARE_Osx.Adware.AMC-PCVARK-TechyUtils
# Hashes: 1b6990a0acb465b30bead4a193ea22a1d5b52bba29afe4a00bd747cd98bd0e88
# Note:
# 1. The MACH-O binary is developed by someone who works for PCVARK.
# 2. The same MACH-O binary references TechyUtils reported before.
# 3. This led to the Malwarebytes reference: https://blog.malwarebytes.com/threat-analysis/2016/08/pcvark-plays-dirty/
# 4. The app deletes itself after execution:
# {"eventType":"Process Execution","process":"sh","pid":841,"user":"N/A","message":"Process Exec: /bin/sh -c sleep 3; rm -rf \"/Users/user/Desktop/findApp.app\"","extra":"{\"parent process\":\"findApp\",\"ppid\":779,\"uid\":20}"}
# {"eventType":"Process Execution","process":"rm","pid":853,"user":"N/A","message":"Process Exec: rm -rf /Users/user/Desktop/findApp.app","extra":"{\"parent process\":\"sh\",\"ppid\":841,\"uid\":20}"}

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.AMC-PCVARK-TechyUtils fake app outbound connection"; flow:to_server,established; content:"/trackerwcfsrv/tracker.svc/trackOffersAccepted/?"; fast_pattern:only; http_uri; content:"Mac OS"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000598; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.AMC-PCVARK-TechyUtils fake app outbound connection"; flow:to_server,established; content:"x-count="; http_uri; content:"offerpxl="; http_uri; content:"x-fetch="; http_uri; content:"affiliateid="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000599; rev:1;)

# --------------------
# Title: Osx.Adware.MACAgent
# Reference: https://objective-see.com/blog/blog_0x3F.html
# Tests: pcaps
# Yara:
# - INDICATOR_Executable_Python_Byte_Compiled_Suspicious
# ClamAV:
# - INDICATOR_Executable_Python_Byte_Compiled_Suspicious
# Hashes:
# - 20385ff73d68dd39ea81191ff92940d97e0c1567f28431862d8ba1dbbe66d41f
# - 475de611a1062a55f2a12fb9731caab9326bad2d2ff5505c93106cebf3abe4c2
# Note:
# - The "dat.db" did not contain "up", so we defer to the built-in file mode (ur) at the same directory where the "dat.db" lives.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.MACAgent variant outbound connection"; flow:to_server,established; content:"&mvr="; http_uri; content:"User-Agent: Python-urllib/"; fast_pattern:only; http_header; pcre:"/\x26mvr=[0-9]{2}\.[0-9]{2}(\.[0-9]{1,2})?/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000600; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.MACAgent variant outbound connection"; flow:to_server,established; content:"?dom="; http_uri; content:"&mid="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000601; rev:1;)

# --------------------
# Title: Win.Trojan.Amadey downloader
# Reference: Research
# Tests: pcaps
# Yara: MALWARE_Win_Amadey_Downloader
# ClamAV: MALWARE_Win.Amadey.Downloader
# Hashes: (list omitted)
# Note:
# - One case involved dropping GandCrab ransomware, hitting existing rules SIDs 8000551 and 8000552 from "Multiple signatures 024".
# - One case dropped a binary hitting SID 48940.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Amadey downloader outbound connection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"id="; http_client_body; content:"vs="; http_client_body; content:"os="; http_client_body; content:"av="; http_client_body; content:"pc="; http_client_body; content:"un="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000602; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Amadey downloader outbound connection attempt post-download"; flow:to_server,established; content:"/index.php"; http_uri; content:"Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 14|0D 0A|"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"Connection"; http_header; pcre:"/[a-z0-9]{2}=[0-9]{10}\x26$/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000603; rev:1;)

# --------------------
# Title: MSIL Stealer
# Reference: Research
# Tests: pcaps
# Yara: MALWARE_MSIL_Stealer
# ClamAV: MALWARE_MSIL.Stealer
# Hashes:
# - 06c7609239d733d28fbb871b0c9459b6fe1e72df18dc0d4850ade5081b77ab80
# - 841c6cc82cc2c1fd38531953ffa4559798c082dbeb1852d73a24180fe889e3b4
# - c31757bd0ff0850199dd28d6db0bc174cd7dff38126979bfef5d8a21b361d22c
# Note:
# - Existing Yara/ClamAV signature hits:
# 1. INDICATOR_Binary_References_Many_Browsers
# 2. INDICATOR_Binary_Referenfces_Many_Messaging_Clients
# 3. INDICATOR_Binary_References_Many_Builtin_Windows_Commands (shutdown, attrib, timeout)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL Stealer outbound connection"; flow:to_server,established; urilen:13; content:"/gate/log.php"; fast_pattern:only; http_uri; content:"params="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000604; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL Stealer outbound connection"; flow:to_server,established; content:"/file.php?"; http_uri; content:"hash="; fast_pattern:only; http_uri; content:"&callback="; http_uri; content:"&js="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000605; rev:1;)

# --------------------
# Title: Win.Trojan.Vidar/Arkei
# Reference: Research
# Tests: pcaps
# Yara: MALWARE_Win_Trojan_Nocturnal (Updated)
# ClamAV: MALWARE_Win.Trojan.Nocturnal (Updated)
# Hashes:
# - b26324c3eddb7cd723b079275bbcd0a722297dd00acdcd428702a48a5dc9ed2f
# - c8007a84153ed91db6b39038c06f452b2462d6a82d156e7989669eaf96f45e39
# Note:
# - SID 46895 does not trigger since the URLs appear to have changed or became more dynamic.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Arkei/Vidar variant outbound connection ip address check"; flow:to_server,established; content:"/line/"; http_uri; content:"Content-Type: multipart/form-data|3B|"; http_header; content:"Content-Length: "; http_header; content:"|0D 0A|"; distance:2; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000606; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Arkei/Vidar variant outbound connection"; flow:to_server,established; content:"Content-Type: multipart/form-data|3B|"; http_header; content:"|3B 20|name=|22|hwid|22|"; http_client_body; content:"|3B 20|name=|22|os|22|"; http_client_body; content:"|3B 20|name=|22|platform|22|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000607; rev:1;)

# --------------------
# Title: Win.Trojan.HawkEye HTTP / FTP variants
# Reference: Research
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes: (list omitted)
# Note: NA.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HawkEye http variant outbound connection"; flow:to_server,established; content:"Secret="; http_client_body; content:"HWID="; nocase; fast_pattern:only; http_client_body; content:"Name="; nocase; content:"OS="; nocase; http_client_body; content:"Type="; http_client_body; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000608; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.HawkEye ftp variant outbound connection"; flow:to_server,established; content:"STOR HawkEyeKeylogger"; depth:21; fast_pattern; metadata:ruleset community, service ftp; classtype:trojan-activity; sid:8000609; rev:1;)

# --------------------
# Title: Win.Trojan.RevengeRAT variant
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_RevengeRAT
# - INDICATOR_JS_References_Local_Script_Executable
# - INDICATOR_JS_Referencing_Embedded_Hex_Base64_Encoded_Binary
# ClamAV:
# - MALWARE_Win.Trojan.RevengeRAT
# - INDICATOR_JS_References_Local_Script_Executable
# - INDICATOR_JS_References_Embedded_Hex_Base64_Encoded_Binary
# Hashes:
# - 45f81641791809e1fe09d1b6c3200c39e6fd0eb26713efe410591d17983dbf0d (zipped-js)
# - 8341231e5dfd89f379c732101097312fbdd55a1f4a4171f56e68c584b355c028 (zipped-js)
# - c3c3d825a58b7d9e4832e5edade2a0fbbd8664d46dbe53f848fd2537fb4893bf (zipped-js)
# - cdfb86da0aadb442640137d1b0bd0126317a0bda895284d5b056b8030b0d4604 (decompressed-js)
# Note:
# - SIDs 45961 and 45962 submitted on February 20, 2018 are still valid. Didn't submit with Yara/ClamAV that time. Review community-ruleset.
# - Below rule is a generic one, just in case.
# - Existing hits:
# - INDICATOR_Internet_Shortcut_References_Local_Script_Executable (persistence)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.RevengeRAT outbound message pattern detected"; flow:to_server,established; dsize:<100; content:"|2A 2D 5D|NK|5B 2D 2A|"; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000610; rev:1;)

# --------------------
# Title: Win.Trojan.AutoHotKey
# Reference: Research
# Tests: pcaps
# Yara: MALWARE_Win_Trojan_AutoHotKey_AHK
# ClamAV: MALWARE_Win.Trojan.AutoHotKey-AHK
# Hashes:
# - Droppers (OOXML XLS):
# - 22fefdee6b5f04b8ef4b4cc0127b00a9568365c6a1c6be7a709c6a5aa5fc5490
# - efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12
# - AHK Script:
# - acb3181d0408c908b2a434fc004bf24fb766d4cf68bf2978bc5653022f9f20be
# Note: NA
# - AutoHotKey script (.ahk) abused with the legitimate AutoHotKey executable.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AutoHotKey-ahk outbound connection"; flow:to_server,established; urilen:<30; content:".php"; http_uri; content:"&string="; http_client_body; content:"|3B| Charset=UTF-8|0D 0A|"; http_header; content:"POST"; http_method; content:!"Accept-"; http_header; pcre:"/^\x26string=[0-9A-Z]{30}$/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000611; rev:1;)

# --------------------
# Title: Win.Trojan.Baldr Stealer
# Reference: https://www.youtube.com/watch?v=E2V4kB_gtcQ
# Reference: https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/
# Tests: pcaps
# Yara: MALWARE_Win_Trojan_Baldr
# ClamAV: MALWARE_Win.Trojan.Baldr
# Hashes: (list omitted)
# Note: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Baldr variant outbound connection"; flow:to_server,established; content:"/gate.php"; http_uri; content:"|3B| filename=|22|Encrypted.zip|22|"; http_client_body; content:"Expect: "; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000612; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Baldr variant outbound connection"; flow:to_server,established; content:"/gate.php HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; content:"Expect: 100-continue|0D 0A 0D 0A|"; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; content:!"Content-Disposition"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000613; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Baldr variant outbound connection"; flow:to_server,established; content:"hwid="; http_uri; content:"&os=Windows"; fast_pattern:only; http_uri; content:"&file="; http_uri; content:"&cookie="; http_uri; content:"Expect: 100-continue|0D 0A|"; content:"PK"; depth:2; http_client_body; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000614; rev:1;)

# --------------------
# Title: Cryptocurrency Mining (JCEMiner?)
# Reference: Research
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes: NA
# Note:
# - The patterns are similar to existing signatures but they are still different, causing FNs.
# - Source binary was not acquired.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER Cryptocurrency Miner outbound connection attempt"; flow:established,to_server; content:"|7B 22|method|22 3A 22|login|22|"; content:"|22|jsonrpc|22 3A|"; content:"|22 2C 22|params|22 3A 7B 22|login|22 3A|"; content:"|22|pass|22 3A|"; content:"|22|agent|22 3A|"; metadata:ruleset community; classtype:policy-violation; sid:8000615; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER Cryptocurrency Miner outbound connection attempt"; flow:established,to_server; content:"|7B 22|method|22 3A 22|submit|22|"; content:"|22 2C 22|params|22 3A 7B 22|id|22 3A|"; content:"|22|job_id|22 3A|"; metadata:ruleset community; classtype:policy-violation; sid:8000616; rev:1;)

# --------------------
# Title: Luminati - Residential IP and Proxy Service for Businesses
# Reference: Research
# Reference: https://documents.trendmicro.com/assets/white_papers/wp-illuminating-holaVPN-and-the-danger-it-poses.pdf
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes: f0a7e492cf4d74ee0cc7e9dc148cba409eeed23971a907d8cbff83a650738b0d
# Note:
# - Has been observed to be downloaded by other malicious binaries, example:
# - eb7fc232d8f1fdeb1d34a5951bccb16c2026807239e5e8c3f23230cd7ec383c5
# - Sample URLs:
# 1. hxxp://51[.]255[.]87[.]66/admin/rmt/luminati.io/static/net_svc-x64-1.129.929.zip
# 2. http://198[.]16[.]72[.]154/admin/rmt/luminati.io/static/net_updater32-1.129.29.exe
# 3. http://217[.]182[.]139[.]96/admin/rmt/luminati.io/static/lum_sdk32-1.129.29.dll

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Luminati proxy/anonymizer download attempt detected"; flow:to_server,established; content:"/admin/rmt/luminati.io/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000617; rev:1;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
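One way to sanity-check the updated SID 8000600 rev:2 offline before it goes into a ruleset, as an added example that is not part of the thread and not Snort's own matching engine: a small Python evaluator for just the rule-option subset this rule uses, run against a constructed request modelled on the capture quoted above (the host and the id value are placeholders) and against a benign Python-urllib fetch. It also shows what the pcre adds on top of the three content checks, which bears on the "pcre maybe removed?" question.

```python
import re
from dataclasses import dataclass

# Added example (not code from the thread or from Snort): a minimal evaluator for
# the Snort 2 option subset used by SID 8000600 rev:2: content (with !, nocase,
# |XX| hex bytes, http_uri/http_header/http_client_body) and pcre with U/H/P/i
# flags. depth, offset, distance, within and urilen are not modelled.

RULE_8000600_REV2 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"PUA-ADWARE Osx.Adware.MACAgent variant outbound connection"; '
    'flow:to_server,established; content:"&tm="; http_uri; content:"&id="; '
    'http_uri; content:"&mvr="; http_uri; content:"User-Agent: Python-urllib/"; '
    'fast_pattern:only; http_header; '
    r'pcre:"/\x26mvr=[0-9]{2}\.[0-9]{2}(\.[0-9]{1,2})?/U"; '
    'metadata:ruleset community, service http; classtype:trojan-activity; '
    'sid:8000600; rev:2;)'
)

# option;  option:value;  option:"quoted";  option:!"negated quoted";
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*(!?"(?:[^"\\]|\\.)*"|[^;]*))?;')
BUFFERS = {"http_uri": "uri", "http_header": "header", "http_client_body": "body"}
PCRE_FLAGS = {"U": "uri", "H": "header", "P": "body"}

@dataclass
class Content:
    needle: str
    negated: bool = False
    buffer: str = "packet"
    nocase: bool = False

@dataclass
class Pcre:
    regex: re.Pattern
    negated: bool = False
    buffer: str = "packet"

def decode_content(value: str) -> str:
    """Expand |3B 20|-style hex groups inside a Snort content string."""
    return "".join(
        "".join(chr(int(h, 16)) for h in part.split()) if i % 2 else part
        for i, part in enumerate(value.split("|"))
    )

def parse_rule(rule: str) -> tuple:
    """Return (contents, pcres) parsed from the option block in parentheses."""
    contents, pcres = [], []
    for m in OPTION_RE.finditer(rule[rule.index("(") + 1 : rule.rindex(")")]):
        name, value = m.group(1), m.group(2) or ""
        negated = value.startswith("!")
        value = value.lstrip("!").strip('"')
        if name == "content":
            contents.append(Content(decode_content(value), negated))
        elif name in BUFFERS and contents:
            contents[-1].buffer = BUFFERS[name]  # modifiers bind to the last content
        elif name == "nocase" and contents:
            contents[-1].nocase = True
        elif name == "pcre":
            end = value.rindex("/")
            pattern, flags = value[1:end], value[end + 1 :]
            buffer = next((b for f, b in PCRE_FLAGS.items() if f in flags), "packet")
            pcres.append(Pcre(re.compile(pattern, re.I if "i" in flags else 0), negated, buffer))
    return contents, pcres

def split_request(raw: str) -> dict:
    """Split a raw HTTP request into the buffers the rule options refer to."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, headers = head.partition("\r\n")
    parts = request_line.split(" ")
    return {"packet": raw, "uri": parts[1] if len(parts) > 1 else "", "header": headers, "body": body}

def evaluate(rule: tuple, raw: str) -> tuple:
    """Return (all content checks pass, all pcre checks pass) for one request."""
    contents, pcres = rule
    bufs = split_request(raw)
    contents_ok = all(
        ((c.needle.lower() in bufs[c.buffer].lower()) if c.nocase else (c.needle in bufs[c.buffer]))
        != c.negated
        for c in contents
    )
    pcres_ok = all((p.regex.search(bufs[p.buffer]) is not None) != p.negated for p in pcres)
    return contents_ok, pcres_ok

def rule_matches(rule: tuple, raw: str) -> bool:
    return all(evaluate(rule, raw))

# Constructed traffic. HIT follows the capture quoted in the thread (".." there
# stood for CRLF); the host and the id value are placeholders, not the real ones.
HIT = (
    "GET /c/ci?ct=clpy&tm=1&id=00000000-1111-2222-3333-444444444444&mvr=10.14.4 HTTP/1.1\r\n"
    "Accept-Encoding: identity\r\nHost: placeholder.invalid\r\nConnection: close\r\n"
    "User-Agent: Python-urllib/2.7\r\n\r\n"
)
# Same user agent, no beacon parameters: an ordinary urllib fetch.
BENIGN = ("GET /feed.xml HTTP/1.1\r\nAccept-Encoding: identity\r\nHost: www.example.com\r\n"
          "Connection: close\r\nUser-Agent: Python-urllib/2.7\r\n\r\n")
# NN.N version: the content checks pass, the pcre (NN.NN plus an optional third
# part) does not. The pcre is what pins the version format; dropping it widens the rule.
SHORT_VERSION = HIT.replace("mvr=10.14.4", "mvr=11.1")
```

Running `evaluate(parse_rule(RULE_8000600_REV2), req)` for HIT, BENIGN and SHORT_VERSION gives (True, True), (False, False) and (True, False) respectively.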