[Snort-sigs] Win.Malware.Disttrack

Y M snort at ...3751...
Sun Feb 19 00:52:22 EST 2017


Hello,


The below signatures address the following hashes and the observed C&C traffic. Pcaps and samples should be publicly available. If not, please let me know.



- f4d18316e367a80e1005f38445421b1f
- 45b0e5a457222455384713905f886bd4
- ce25f1597836c28cf415394fb350ae93
- 1b5e33e5a244d2d67d7a09c4ccf16e56
- 03ea9457bf71d51d8109e737158be888
- 19cea065aa033f5bcfa94a583ae59c08
- ecfc0275c7a73a9c7775130ebca45b74
- 43fad2d62bc23ffdc6d301571135222c

These were part of the analysis covered here:  https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Malware.Disttrack second stage payload download response"; flow:to_client,established; content:"Content-type|3A 20|text/html|0D 0A 0D 0A|"; file_data; content:"powershell.exe"; nocase; content:"hidden"; nocase; within:50; content:!"Content-Length"; nocase; content:!"Connection"; nocase; content:!"Location"; nocase; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000849; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Malware.Disttrack third stage payload download response"; flow:to_client,established; content:"Content-type|3A 20|application/octet-stream|0D 0A 0D 0A|"; file_data; content:"function Invoke-ReflectivePEInjection"; nocase; content:!"Content-Length"; nocase; content:!"Connection"; nocase; content:!"Location"; nocase; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000850; rev:1;)

The below rules were simulated in the lab to detect the first stage payload documents in transit. Notes:

1. The first two rules are replicas of sid:26083 and sid:26084 respectively, with the modifications to look for .xlsm instead of .xlsx.
2. sid: 36611 triggered nicely on the suspected traffic.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file download request"; flow:to_server,established; content:".xlsm"; fast_pattern:only; http_uri; pcre:"/\x2exlsm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xlsm; metadata:service http; classtype:misc-activity; sid:1000851; rev:1;)

alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file attachment detected"; flow:to_client,established; content:".xlsm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exlsm/i"; flowbits:set,file.xlsm; metadata:service imap, service pop3; classtype:misc-activity; sid:1000852; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file download response"; flow:to_client,established; content:"Content-Type|3A 20|application/vnd.ms-excel.sheet.macroEnabled"; fast_pattern:only; http_header; file_data; content:"|50 4B 03 04|"; depth:4; flowbits:set,file.xlsm; metadata:service http; classtype:misc-activity; sid:1000853; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office OLE CF file download response"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; fast_pattern; flowbits:set,file.olecf; metadata:service http; classtype:misc-activity; sid:1000854; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Microsoft Office OLE CF file with PowerShell content download"; flow:to_client,established; flowbits:isset,file.olecf; file_data; content:"-window"; content:"hidden"; within:15; content:"powershell.exe"; metadata:service http; classtype:misc-activity; sid:1000855; rev:1;)

Thank you.
YM
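The following is an added example and is not part of the post above nor Snort's own code: a small Python model of the content-matching conditions in sid:1000849 and sid:1000850, run over constructed HTTP responses so that the rule logic (case-sensitive first content, nocase, within:50, negated contents) can be exercised offline before the rules go into a sensor. Modelling assumptions: the body after the first blank line stands in for the file_data buffer, and the negated Content-Length/Connection/Location checks are evaluated over the header block, which reads as the intent of matching header-light C2 responses. Note that in Snort 2.9 content options following file_data are applied to the file_data buffer, so which buffer the deployed rule actually searches should be confirmed against the pcaps.

```python
"""
Added example (not from the original post): model of the content logic in
sid:1000849 and sid:1000850 over constructed HTTP responses.
Modelled keywords: content, nocase, within, negated content.
file_data is approximated as the body after the first CRLFCRLF.
"""
from typing import Optional


def split_http_response(raw: bytes):
    """Split a raw HTTP response into (header block, body). The body stands in
    for Snort's file_data buffer; the header block is used for the negated
    header checks (modelling assumption, see lead-in)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head + sep, body


def find(buf: bytes, needle: bytes, start: int = 0, nocase: bool = False,
         within: Optional[int] = None) -> int:
    """Snort-style content search beginning at `start`. Returns the offset just
    past the match, or -1. With `within`, the pattern must lie entirely inside
    the `within` bytes that follow `start` (the end of the previous match)."""
    hay = buf
    if nocase:
        hay, needle = buf.lower(), needle.lower()
    end = len(buf) if within is None else min(len(buf), start + within)
    idx = hay.find(needle, start, end)
    return -1 if idx < 0 else idx + len(needle)


NEGATED_HEADERS = (b"Content-Length", b"Connection", b"Location")


def _headers_clean(head: bytes) -> bool:
    """True when none of the negated header names appear (case-insensitive)."""
    return all(find(head, h, nocase=True) < 0 for h in NEGATED_HEADERS)


def matches_sid_1000849(raw: bytes) -> bool:
    """Second-stage response: text/html, body has powershell.exe with 'hidden'
    no more than 50 bytes after it, and none of the negated headers."""
    # First content has no nocase in the rule, so it is case-sensitive here too.
    if find(raw, b"Content-type: text/html\r\n\r\n") < 0:
        return False
    head, body = split_http_response(raw)
    end_ps = find(body, b"powershell.exe", nocase=True)
    if end_ps < 0 or find(body, b"hidden", start=end_ps, nocase=True, within=50) < 0:
        return False
    return _headers_clean(head)


def matches_sid_1000850(raw: bytes) -> bool:
    """Third-stage response: octet-stream body carrying the reflective loader function."""
    if find(raw, b"Content-type: application/octet-stream\r\n\r\n") < 0:
        return False
    head, body = split_http_response(raw)
    if find(body, b"function Invoke-ReflectivePEInjection", nocase=True) < 0:
        return False
    return _headers_clean(head)


# Constructed responses (not captured traffic) exercising each condition.
SAMPLES = {
    "stage2_hit": b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-type: text/html\r\n\r\n"
                  b"powershell.exe -WindowStyle hidden -File stage2.ps1",
    # Same body, but a Content-Length header is present: negated content fails the rule.
    "stage2_content_length": b"HTTP/1.1 200 OK\r\nContent-Length: 50\r\nContent-type: text/html\r\n\r\n"
                             b"powershell.exe -WindowStyle hidden -File stage2.ps1",
    # 'hidden' more than 50 bytes after powershell.exe: within:50 fails.
    "stage2_hidden_too_far": b"HTTP/1.1 200 OK\r\nContent-type: text/html\r\n\r\n"
                             b"powershell.exe " + b"-NoProfile " * 6 + b"-WindowStyle hidden",
    "stage3_hit": b"HTTP/1.1 200 OK\r\nContent-type: application/octet-stream\r\n\r\n"
                  b"function invoke-reflectivepeinjection { param($PEBytes) }",
    # 'Content-Type' with capital T: the rule's first content is case-sensitive, so no match.
    "stage3_header_case": b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                          b"function Invoke-ReflectivePEInjection { }",
}


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample name to the list of sids it would fire."""
    out = {}
    for name, raw in samples.items():
        fired = []
        if matches_sid_1000849(raw):
            fired.append(1000849)
        if matches_sid_1000850(raw):
            fired.append(1000850)
        out[name] = fired
    return out


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:24s} -> {fired or 'no alert'}")
```

The two cases that do not fire are the ones worth keeping in mind when tuning: a server that adds a Content-Length header defeats the negated contents by design, and a header written as "Content-Type" (the capitalisation most servers emit) is not matched by the case-sensitive first content, so the pcaps should be checked to confirm the exact header spelling the C2 used.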

