[Snort-sigs] Duke-APT Sigs

Lenny Hansson security at ...4057...
Fri Jul 24 02:52:51 EDT 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

For anyone interested:

I have been following the different Duke attacks. It seams like they for
at least 4 month have been using the same URL construct for hosting
payloads.

I haven't been able to find any false positives with the rules, and I
have replayed about 300GB Internet traffic. I will be very interested if
anyone could test/ run them in there own environment to see how well
they preform.


alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - IOC - Possible
APT - CozyBear aka. Duke - GET Payload - ZIP File 3-4 numbers.zip
download - efax"; flow:to_server,established; content:"GET"; depth:3;
http_method; content:"/eFax/"; http_uri; nocase;
pcre:"/\/[0-9]{3,4}\.zip/Ui"; reference:url,http://networkforensic.dk/;
reference:url,http://zaufanatrzeciastrona.pl/post/przytulny-mis-w-natarc
iu-kampania-cozy-bear-atakuje-takze-polske/;
metadata:NF,25032015; priority:1; sid:5017501; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - IOC - Possible
APT - CozyBear aka. Duke - GET Payload - ZIP File 3-4 numbers.zip
download - fax"; flow:to_server,established; content:"GET"; depth:3;
http_method; content:"/fax/"; http_uri; nocase;
pcre:"/\/[0-9]{3,4}\.zip/Ui"; reference:url,http://networkforensic.dk/;
reference:url,http://zaufanatrzeciastrona.pl/post/przytulny-mis-w-natarc
iu-kampania-cozy-bear-atakuje-takze-polske/;
metadata:NF,25032015; priority:1; sid:5017502; rev:2;)

Other reports about Duke:
F-Secure
https://www.f-secure.com/weblog/archives/00002822.html

Symantec
http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-wea
pon-duke-armory

Paloalto
http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-c
ozycars-new-ride-is-related-to-seaduke/

Securelist
https://securelist.com/blog/research/71443/minidionis-one-more-apt-with-
a-usage-of-cloud-drives/

- -- 
Venlig hilsen / Best Regards
Lenny Hansson
***********************************
Web: networkforensic.dk
***********************************
E-mail: security at ...4057...
Key-ID: 1527E63D
***********************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVseDDAAoJEAUh+LgVJ+Y9nFwIAJTm762zyHMcAzWuDbapDSTP
xh4BVnI6Cqk5gITusD56sT+efKlEhCDUN0prMlr0ljMmCZwUhmZXVnjpvwP/pnds
1ta+0ydROrHT+zisfsfKFb/zESfJxZx2P/HBHAw7UzwkhZ1rUBdEt2ql/e8xw0yV
gkSkg1wZkjcINp6EYfu3pMNu/73IOtm32c8HIPFIPePtVTBX+sGOyLD87gKq+R6j
9HGe4XzOX6bRvKNHmJrTX0tG4UU2aTrW+LNdYfDnmDmqgv/ma3rFlakmMGw5AcVH
oJ4EOyiUpZMZ9V1PXc5k3q45QKHLU4f1o8KIpfBIWGoxPEKFCa+TbPuYY98nkzI=
=iTWV
-----END PGP SIGNATURE-----





More information about the Snort-sigs mailing list