Multiple signatures 029
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 3 Jun 2019 18:17:12 +0000
Hi, Below is a set of new Snort rules. Accompanying PCAP and Yara/ClamAV signatures are also available. Have a great week. YM

# --------------------
# Title: Win.Ransomware.CryptoMix Clop
# Reference: Research
# Tests: pcaps (f2p)
# Yara:
# - MALWARE_Win_Ransomware_CryptoMixClop
# ClamAV:
# - MALWARE_Win.Ransomware.CryptoMixClop-1
# - MALWARE_Win.Ransomware.CryptoMixClop-2
# Hashes:
# - 1281d6c387210fe426a399750d2135595a6c12587a9630e75934269987a0a034
# - 7c8eb1d0c7a374223a366a8135c36cca5e1e9d7b48b74ce4415f051849a73ed9
# - 96bdd3b4538a21f79c664641e48bd821007260977de028ba8bd761dbc0acb975
# - cf3e3ee221ba2c3d863b97d7f138e741199d16fa833b996d3d8e01d2f1bfae76
# Note: Snort rule below is weak, additional testing is required.
# - Both content matches are fragments of the PE import name table
#   (ADVAPI32!SystemFunction036 and the USER32 set GetProcessWindowStation /
#   GetUserObjectInformationA / GetLastActivePopup / GetActiveWindow / MessageBoxA),
#   written here as ASCII with the NUL padding in hex. Reviewer note: this import
#   set is not unique to Clop and is likely present in many benign MSVC-linked
#   executables - validate against a clean-binary corpus before enabling in blocking mode.
# - Two copies of the rule: one for $FILE_DATA_PORTS downloads (to_client),
#   one for executables arriving over SMTP (to_server). Both rely on the
#   file.exe flowbit set by the file-identification rules.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.CryptoMix Clop malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"SystemFunction036|00 00 00|ADVAPI32.DLL|00 00 00 00|"; content:"GetProcessWindowStation|00|GetUserObjectInformationA|00 00 00|GetLastActivePopup|00 00|GetActiveWindow|00|MessageBoxA|00|USER32.DLL|00 00|"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000649; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.CryptoMix Clop malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"SystemFunction036|00 00 00|ADVAPI32.DLL|00 00 00 00|"; content:"GetProcessWindowStation|00|GetUserObjectInformationA|00 00 00|GetLastActivePopup|00 00|GetActiveWindow|00|MessageBoxA|00|USER32.DLL|00 00|"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000650; rev:1;)

# --------------------
# Title: Win.Trojan.DarkCrystal RAT / Rasftuby
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_DarkCrystal_RAT_Rasftuby
# ClamAV:
# - MALWARE_Win_DarkCrystal_RAT_Rasftuby
# Hashes:
# - 09d5979cffd2d6bca8c602f8a345d4296115d1c779ae461ecede3d76f9cea4e4
# - 2bb86a42cd30565d1dc70fefc499d3dd4d7ec4411de9761b14dd9cbad37d6d5a
# - 8469b4b09cd36112bcbdd388012afd1579a951b79f6252d6a3c19e154d7129cb
# Note:
# - Running Yara INDICATOR_Binary_References_Many_Builtin_Windows_Executables
#   against PCAPs could be an indicator of exfiltrated process listing.
# - All three C2 rules key on a distinctive URI plus the ABSENCE of a
#   User-Agent header (content:! ... http_header); a variant that adds a
#   User-Agent will not match.
# Check-in: GET /main.php?data=active with no User-Agent.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DarkCrystal RAT outbound connection"; flow:to_server,established; content:"/main.php?data=active"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000651; rev:1;)
# HEAD request to /DCRS/dsock/ with a short URI (<100) and neither User-Agent nor Connection headers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DarkCrystal RAT outbound connection"; flow:to_server,established; content:"/DCRS/dsock/"; fast_pattern:only; http_uri; urilen:<100; content:"HEAD"; http_method; content:!"User-Agent"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000652; rev:1;)
# Data upload: /socket.php?type= ... ds_setdata_ ... with no User-Agent.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DarkCrystal RAT outbound connection"; flow:to_server,established; content:"/socket.php?type="; fast_pattern:only; http_uri; content:"ds_setdata_"; http_uri; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000653; rev:1;)
# Generic indicator, not specific to DarkCrystal: a bare GET /ip (urilen:3) to
# ipinfo.io with no User-Agent and no Referer. Any headless client doing an
# external-IP lookup this way will fire it; treat as a pivot, not a verdict.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to ipinfo.io"; flow:to_server,established; urilen:3; content:"Host: ipinfo.io|0D 0A|"; fast_pattern:only; http_header; content:"/ip"; http_uri; content:!"User-Agent"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000654; rev:1;)

# --------------------
# Title: Win.Trojan.QulabZ / MASAD Stealer
# Reference: Research
# Tests: syntax only
# Yara:
# - MALWARE_Win_Trojan_QulabZ_Stealer
# ClamAV:
# - MALWARE_Win.Trojan.QulabZ-Stealer
# Hashes:
# - 0383a9607db623b7305988b39dc8ab9fa0a4fc353de853a6cce59645ddf63081
# - 060d8cadca9146bf0503172f8299763f0101efb757ac71ca3ce365e63e49a008
# - 139d07df2150213b78a95fcf3e9b760ba130d8b7f694b208bc094eb3d0a0ecb4
# - 1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0
# - 32b5d0d28b48a802c1d24ee990485cda4d25756e51585c29e014d68dd9458e74
# - 358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020
# - 6bf8aca158b7f1aeaf96f1b369b189e32537a62d9e3b059eba047f10387b1d5d
# - 6faf5ff76303fdc31acbcc8ec9145761a0535b4a4ef75b31fa01311957b56a4c
# - 7cbd433fcb043cb950489cecd175ee0d2846920a05a3ad4968e32d4ad74a1294
# - 8afde4f6f28fb3dc26ce86e7158b974e946875f96c674e3863449384102e3bd6
# - 9f1e8bf3bd9d937cec87fcee7d981d6919b1c11436c3a73cf3caa18adf855cda
# - a8378d35eb92c8427a1f9505e9b12de0059a3e0463a7a465ae1665301dbf0c7c
# - ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867
# - bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375
# - d291b19ec26742ea2edfb622d321cad3d75771186b88bf5222da2c714619cc2d
# - e96450d29ab037abad0cb12b0785c3c2b9383f9472a444f276027bed5738f84a
# Note:
# - Requires SSL decryption since exfiltration (7z) is via Telegram
# - Different installers/packers mostly AutoIt, NullSoft, and UPX.
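# Win.Trojan.QulabZ / MASAD Stealer rules (header and hashes above).
# These match the Telegram Bot API request shape /bot<id>:<secret>/<method>:
# "/bot" anchored at URI offset 0 (depth:4), a ":" at least 8 bytes later,
# then the method name within 50 bytes. They are written against port 443
# with service http, so they only see traffic after TLS decryption, as the
# note above says; without decryption they never fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.QulabZ stealer outbound connection"; flow:to_server,established; content:"/bot"; depth:4; http_uri; content:":"; distance:8; http_uri; content:"/getMe?"; within:50; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000657; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.QulabZ stealer outbound connection"; flow:to_server,established; content:"/bot"; depth:4; http_uri; content:":"; distance:8; http_uri; content:"/sendDocument"; within:50; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000658; rev:1;)
# Server side: JSON describing a bot account ("is_bot":true plus id/first_name/username
# keys). Note the first match is an escaped quote (|5C 22|id|22|), i.e. the "id" key
# as it appears inside a JSON-encoded string; reviewer note: confirm this against a
# decrypted capture, since a plain (unescaped) response would not contain the 5C byte.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.QulabZ stealer inbound connection"; flow:to_client,established; file_data; content:"|5C 22|id|22|"; content:"|22|is_bot|22|:true"; content:"|22|first_name|22|:"; content:"|22|username|22|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000659; rev:1;)

# --------------------
# Title: Win.Trojan.ASync RAT
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_AsyncRAT
# ClamAV:
# - MALWARE_Win.Trojan.AsyncRAT
# Hashes:
# - 818fa711c47af91faede1311d5a0ef60410899358cce18ce98aa22e412d1626d
# Note:
# - AsyncRAT Version: 0.4.9B
# - ssl_state:server_hello may not work, so it is removed from the Snort rule.
# - Packed with AutoIt.
# - Snort signature does not cover non-SSL variants.
# - Existing Yara/ClamAV signature hits:
#   1. INDICATOR_Binary_References_Sandbox_Hooking_DLL
#   2. INDICATOR_Binary_References_Many_Builtin_Windows_Executables
#   3. INDICATOR_Binary_References_Disabling_Windows_Defender_PWSH_Aritfacts
# - The content is the DER-encoded X.509 commonName attribute of the server
#   certificate: 55 04 03 is OID 2.5.4.3 (commonName), 0C is UTF8String,
#   12 is its length (18 = len("AsyncRAT Server CA")). It matches the default
#   CA name the builder emits; an operator who renames the CA evades this rule.
# - Without ssl_state the match runs against every packet of the flow, so the
#   rule is kept cheap with fast_pattern:only.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Async RAT variant SSL certificate exchange"; flow:to_client,established; content:"|55 04 03 0C 12|AsyncRAT Server CA"; fast_pattern:only; metadata:ruleset community, service ssl; classtype:trojan-activity; sid:8000660; rev:1;)

# --------------------
# Title: Win.Trojan.ProtonBot
# Reference: https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_ProtonBot
# ClamAV:
# - MALWARE_Win.Trojan.ProtonBot
# Hashes:
# - 9af4eaa0142de8951b232b790f6b8a824103ec68de703b3616c3789d70a5616f
# Clipboard task poll: /page.php?id=...&clip=get
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ProtonBot outbound connection"; flow:to_server,established; content:"/page.php?id="; fast_pattern:only; http_uri; content:"&clip=get"; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000661; rev:1;)
# Registration/beacon: /page.php?id=...&os=...&pv=...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ProtonBot outbound connection"; flow:to_server,established; content:"/page.php?id="; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"&pv="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000662; rev:1;)
# Hard-coded User-Agent suffix ") Proton Browser" at end of a header line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ProtonBot outbound connection"; flow:to_server,established; content:") Proton Browser|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000663; rev:1;)

# --------------------
# Title: Win.Ransomware.GetCrypt
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Ransomware_GetCrypt
# ClamAV:
# - MALWARE_Win.Ransomware.GetCrypt-1
# - MALWARE_Win.Ransomware.GetCrypt-2
# Hashes:
# - 3ee4607ed06c270fdf9ddfde65da676d2547607bad420a8114767309b17adfeb
# - 8d833937f4da8ab0269850f961e8a9f963c23e6bef04a31af925a152f01a1169
# - f94814acaa06d4c006bf5f5f5c2f18ccc02e6859a927b6f4250f4c5b0985df0c
# - bcbf98fe5c81dfb45a5c15344457a7c047440c9a92c11c469bc020d0e35eb480
# Note:
# - The content is one contiguous run of the PE import name table
#   (CryptImportKey, CryptEncrypt, CryptAcquireContextA, CryptDestroyKey,
#   CryptGenRandom, CryptAcquireContextW from ADVAPI32.dll, then
#   ShellExecuteExW from SHELL32.dll), written as ASCII with the NUL padding
#   and the 16-bit import hints (cb 00, c1 00, c8 00, d2 00, c2 00, b5 01) in hex.
#   Reviewer note: the hint values are taken from the sampled build; a recompile
#   against a different SDK import library can change them and break the match,
#   so confirm the rule fires on all four hashes before relying on it.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.GetCrypt malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"CryptImportKey|00 00 cb 00|CryptEncrypt|00 00 c1 00|CryptAcquireContextA|00 00 c8 00|CryptDestroyKey|00 d2 00|CryptGenRandom|00 00 c2 00|CryptAcquireContextW|00 00|ADVAPI32.dll|00 00 b5 01|ShellExecuteExW|00|SHELL32.dll|00|"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000664; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.GetCrypt malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"CryptImportKey|00 00 cb 00|CryptEncrypt|00 00 c1 00|CryptAcquireContextA|00 00 c8 00|CryptDestroyKey|00 d2 00|CryptGenRandom|00 00 c2 00|CryptAcquireContextW|00 00|ADVAPI32.dll|00 00 b5 01|ShellExecuteExW|00|SHELL32.dll|00|"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000665; rev:1;)

# --------------------
# Title: Win.Trojan.AZorult using the AVIator AV Bypass utility
# Reference: Research
# Tests: pcaps
# Yara:
# - Tool_AVBypass_AVIator
# - INDICATOR_Binary_References_Remote_Download_Execution_Artifacts
# ClamAV:
# - Tool.AVBypass.AVIator
# - INDICATOR_Binary_References_Remote_Download_Execution_Artifacts
# Hashes:
# - Downloader:
#   - 32163dc4db5ca091126647902c80876057eee3f324f75303b363bd7e27971fbf (setup.exe)
# - Downloaded/Dropped:
#   - e28d88f49d86ab60f182844e068a26615b9fce00e9e30f2f7f5961a32683d8a5 (plain.exe or plainupdate.exe)
#   - 9451abbc1dcc95616e227543db788c590d2cf6abc7397c6935cb5be1f073324a (plain.exe)
# Note:
# - Binary is stored as a resource "get_PUAvvhsBiTTEdBbGnUZjOwAgSV"
# - Azorult compiled on May 27, 2019.
# - The downloader was observed to download different binaries during
#   separate executions.
# Azorult check-in: POST /index.php (urilen:10), the fixed MSIE 6.0b User-Agent,
# a body beginning 00 00 00 26, and none of Connection/Accept/Referer/Content-Type.
# The negated headers make this tight; a sample that adds Content-Type will miss.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Azorult variant outbound connection"; flow:to_server,established; urilen:10; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.1)"; http_header; fast_pattern:only; content:"/index.php"; http_uri; content:"|00 00 00 26|"; depth:4; http_client_body; content:"POST"; http_method; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:!"Content-Type"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000666; rev:1;)
# Generic indicator: any 6-byte URI requested from iplogger.co. Not Azorult-specific.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to iplogger.co"; flow:to_server,established; urilen:6; content:"Host: iplogger.co|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000667; rev:1;)
# AVIator artifact 1: the UTF-16LE string "AV/\tor" embedded in the dropped executable.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE malicious executable AV bypass download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"A|00|V|00|/|00 5C 00|t|00|o|00|r"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000668; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE malicious executable AV bypass download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"A|00|V|00|/|00 5C 00|t|00|o|00|r"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000669; rev:1;)
# AVIator artifact 2: the NUL-prefixed names "APCInjection" and "threadHijackin..."
# (presumably injection-method identifiers in the binary's string/metadata tables).
# Fix: the $FILE_DATA_PORTS rule previously required "threadHijackin_" while its SMTP
# twin required "threadHijackin", so the two transports matched different byte
# sequences. Both now use the common prefix "|00|threadHijackin", which matches
# either spelling, so coverage is identical regardless of delivery channel.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE malicious executable AV bypass download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|APCInjection"; fast_pattern:only; content:"|00|threadHijackin"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000670; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE malicious executable AV bypass download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00|APCInjection"; fast_pattern:only; content:"|00|threadHijackin"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000671; rev:1;)

# --------------------
# Title: HiddenWasp Malware Stings Targeted Linux Systems
# Reference: https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/
# Tests: syntax only
# Yara:
# - MALWARE_Linux_Trojan_HiddenWasp
# - INDICATOR_Linux_File_References_Clearing_History
# ClamAV:
# - MALWARE_Linux.Trojan.HiddenWasp-1
# - MALWARE_Linux.Trojan.HiddenWasp-2
# - INDICATOR_Linux_File_References_Clearing_History-1
# - INDICATOR_Linux_File_References_Clearing_History-2
# Hashes:
# - de823a4e958168ff8800b9d10b0dbfc911a57dda0f76a120b4e1cc71cada8ae7 (bash script)
# Note:
# - No access to ELF samples on VTI.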
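# HiddenWasp rules (header, hashes and notes above). Marked "syntax only" by the
# author, i.e. not validated against a capture.
# Fix: all three rules spelled the option "fast_pettern"; Snort rejects an unknown
# rule option at parse time, so the original rules would have failed to load
# (and, depending on configuration, aborted loading of the whole rule file).
# Stage-1 script callback: GET /test?data=... from a curl/ User-Agent, as
# described in the reference for the deployment bash script.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.HiddenWasp outbound connection attempt"; flow:to_server,established; content:"/test?data="; fast_pattern:only; http_uri; content:"User-Agent: curl/"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000672; rev:1;)
# Implant traffic: the 6 bytes 75 63 65 73 00 01 ("uces" + 00 01) at payload offset 0
# (depth:6), in both directions. No port or service restriction, so this runs on all
# TCP flows; the fast_pattern on a 6-byte anchor keeps it cheap, but reviewer note:
# the anchor is short and untested against real traffic - watch false-positive rate.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Trojan.HiddenWasp outbound connection attempt"; flow:to_server,established; content:"|75 63 65 73 00 01|"; depth:6; fast_pattern; metadata:ruleset community; classtype:trojan-activity; sid:8000673; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Linux.Trojan.HiddenWasp inbound connection attempt"; flow:to_client,established; content:"|75 63 65 73 00 01|"; depth:6; fast_pattern; metadata:ruleset community; classtype:trojan-activity; sid:8000674; rev:1;)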