[Snort-sigs] [Snort-users] APT28 Snort Signatures

Joel Esler (jesler) jesler at ...3865...
Tue Oct 28 16:19:20 EDT 2014


Thanks Tony, we’ll get these into the system

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

> On Oct 28, 2014, at 12:46 PM, Tony Robinson <deusexmachina667 at ...2420...> wrote:
> 
> Howdy Howdy. I'm sure many of you are aware of the recent news with APT28. If not, have a look:
> http://www.fireeye.com/resources/pdfs/apt28.pdf
> https://github.com/fireeye/iocs/tree/master/APT28
> 
> I have developed and tested signatures based on the PDF report and the IOCs provided by FireEye. Here is what I have:
> 
> # HTTP C2 beacons: method, URI and User-Agent taken from the FireEye APT28 report
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CORESHELL POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/check/"; http_uri; content:"User-Agent|3A| MSIE 8.0"; http_header; fast_pattern:only; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:policy security-ips drop, service http; sid:1000000; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CHOPSTICK v1 POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/webhp?rel="; nocase; http_uri; content:"hl="; nocase; http_uri; distance:0; content:"ai="; nocase; http_uri; distance:0; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B| rv|3A|20.0) Gecko/20100101 Firefox/20.0"; fast_pattern:only; http_header; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000001; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CHOPSTICK v2 POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/search?btnG="; nocase; http_uri; content:"utm="; nocase; http_uri; distance:0; content:"ai="; nocase; http_uri; distance:0; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B| rv|3A|20.0) Gecko/20100101 Firefox/20.0"; fast_pattern:only; http_header; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000002; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OLDBAIT POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/index.php"; fast_pattern:only; http_uri; content:"prefs="; nocase; http_client_body; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000003; rev:1;)
> # DNS lookups of APT28 infrastructure from the FireEye IOC file: byte_test keeps only standard queries (QR/Opcode/AA bits clear), content is the wire-format name with label-length prefixes
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS kavkazcentr.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|kavkazcentr|04|info"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000004; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS rnil.am"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rnil|02|am"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000005; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS standartnevvs.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|standartnevvs|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000006; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS novinitie.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|novinitie|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000007; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS n0vinite.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|n0vinite|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000008; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS qov.hu.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|qov|02|hu|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000009; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS mail.g0v.pl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|03|g0v|02|pl"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000010; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS baltichost.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|baltichost|03|org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000011; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS nato.nshq.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|nato|04|nshq|02|in"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000012; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS natoexhibitionff14.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|natoexhibitionff14|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000013; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS login-osce.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|login-osce|03|org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000014; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS smigroup-online.co.uk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|smigroup-online|02|co|02|uk"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000015; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS q0v.pl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|q0v|02|pl"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000016; rev:1;)
> 
> Questions? Concerns? Improvements? Feel free to contact me on-list (for everyone's benefit) or modify as you see fit. Also included as an attachment for your convenience.
> 
> -- 
> when does reality end? when does fantasy begin?
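As an added illustration, not part of Tony's post and not FireEye's or Talos' code, the following Python reproduces the two detection options every DNS rule in the thread relies on: `byte_test:1,!&,0xF8,2` (the flags byte at offset 2 has no QR, Opcode or AA bit set, i.e. the packet is a standard query) and the unanchored `content` match on the wire-format name with its label-length prefixes. The helper names (`dns_wire_name`, `snort_dns_content`, `build_dns_query`, `blacklist_rule_matches`) are this example's own, the packets are constructed inline, and the content generator works for any domain, not only the ones in the IOC file.

```python
import struct

DNS_FLAGS_OFFSET = 2          # the byte byte_test:1,!&,0xF8,2 inspects
STANDARD_QUERY_MASK = 0xF8    # QR (1 bit) | Opcode (4 bits) | AA (1 bit)


def dns_wire_name(domain: str) -> bytes:
    """Encode a domain as DNS wire-format labels (no trailing root byte)."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        out.append(len(raw))   # one-byte length prefix per label
        out += raw
    return bytes(out)


def snort_dns_content(domain: str) -> str:
    """Render the wire-format name as a Snort content string, e.g. |0B|kavkazcentr|04|info."""
    return "".join(f"|{len(label):02X}|{label}" for label in domain.strip(".").split("."))


def build_dns_query(domain: str, txid: int = 0x1234, qr: bool = False, opcode: int = 0) -> bytes:
    """Constructed sample packet: a minimal A/IN question for the domain.
    qr=True or a non-zero opcode produce the non-query headers the rule must ignore."""
    flags = (int(qr) << 15) | ((opcode & 0xF) << 11) | 0x0100   # RD set, as resolvers send it
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)    # QDCOUNT=1
    question = dns_wire_name(domain) + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question


def blacklist_rule_matches(payload: bytes, domain: str) -> bool:
    """Apply the posted rules' byte_test and content options to one UDP payload."""
    if len(payload) <= DNS_FLAGS_OFFSET:
        return False
    # byte_test:1,!&,0xF8,2 -> passes only when none of the masked bits are set
    if payload[DNS_FLAGS_OFFSET] & STANDARD_QUERY_MASK:
        return False
    # content:"|..|label|..|label" -> substring search anywhere in the payload
    return dns_wire_name(domain) in payload


if __name__ == "__main__":
    for d in ("kavkazcentr.info", "natoexhibitionff14.com", "smigroup-online.co.uk"):
        print(d, "->", snort_dns_content(d))
    for name, pkt in (("query", build_dns_query("kavkazcentr.info")),
                      ("subdomain query", build_dns_query("www.kavkazcentr.info")),
                      ("look-alike", build_dns_query("notkavkazcentr.info")),
                      ("response", build_dns_query("kavkazcentr.info", qr=True))):
        print(f"{name:16s} matches: {blacklist_rule_matches(pkt, 'kavkazcentr.info')}")
```

Two properties worth noticing when writing rules of this shape: the length byte in front of each label is what stops `notkavkazcentr.info` from matching the `kavkazcentr.info` pattern, while a lookup of `www.kavkazcentr.info` still does because the pattern is a substring of the question; and the `byte_test` means responses and non-standard opcodes never alert, so only the outbound question is counted. Since the rules also restrict themselves to `$HOME_NET -> $EXTERNAL_NET 53`, a sensor placed where clients only reach an internal resolver will see the resolver's recursive query, with the resolver as source, rather than the original client's request.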
