[Snort-sigs] Win.Malware.Disttrack

Al Lewis (allewi) allewi at ...3865...
Sun Feb 19 21:49:27 EST 2017


Hi,
Please go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...3865...

From: "ILLG, FREDERICK C" <fi763c at ...4234...>
Date: Sunday, February 19, 2017 at 8:38 PM
To: 'Y M' <snort at ...3751...>, "snort-sigs at lists.sourceforge.net" <snort-sigs at lists.sourceforge.net>
Subject: Re: [Snort-sigs] Win.Malware.Disttrack

Please remove me from the email distro.

Thank you!

Frederick Illg
Senior Specialist, Technology Security
Global Emerging Services - Security & Advanced Applications
AT&T Services, Inc.

From: Y M [mailto:snort at ...3751...]
Sent: Sunday, February 19, 2017 12:52 AM
To: snort-sigs <snort-sigs at lists.sourceforge.net>
Subject: [Snort-sigs] Win.Malware.Disttrack


Hello,



The below signatures address the following hashes and the observed C&C traffic. Pcaps and samples should be publicly available. If not, please let me know.


- f4d18316e367a80e1005f38445421b1f
- 45b0e5a457222455384713905f886bd4
- ce25f1597836c28cf415394fb350ae93
- 1b5e33e5a244d2d67d7a09c4ccf16e56
- 03ea9457bf71d51d8109e737158be888
- 19cea065aa033f5bcfa94a583ae59c08
- ecfc0275c7a73a9c7775130ebca45b74
- 43fad2d62bc23ffdc6d301571135222c

These were part of the analysis covered here:  https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Malware.Disttrack second stage payload download response"; flow:to_client,established; content:"Content-type|3A 20|text/html|0D 0A 0D 0A|"; file_data; content:"powershell.exe"; nocase; content:"hidden"; nocase; within:50; content:!"Content-Length"; nocase; content:!"Connection"; nocase; content:!"Location"; nocase; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000849; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Malware.Disttrack third stage payload download response"; flow:to_client,established; content:"Content-type|3A 20|application/octet-stream|0D 0A 0D 0A|"; file_data; content:"function Invoke-ReflectivePEInjection"; nocase; content:!"Content-Length"; nocase; content:!"Connection"; nocase; content:!"Location"; nocase; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000850; rev:1;)

The below rules were simulated in the lab to detect the first stage payload documents in transit. Notes:

1. The first two rules are replicas of sid:26083 and sid:26084 respectively, with modifications to look for .xlsm instead of .xlsx.
2. sid:36611 triggered nicely on the suspected traffic.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file download request"; flow:to_server,established; content:".xlsm"; fast_pattern:only; http_uri; pcre:"/\x2exlsm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xlsm; metadata:service http; classtype:misc-activity; sid:1000851; rev:1;)

alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file attachment detected"; flow:to_client,established; content:".xlsm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exlsm/i"; flowbits:set,file.xlsm; metadata:service imap, service pop3; classtype:misc-activity; sid:1000852; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file download response"; flow:to_client,established; content:"Content-Type|3A 20|application/vnd.ms-excel.sheet.macroEnabled"; fast_pattern:only; http_header; file_data; content:"|50 4B 03 04|"; depth:4; flowbits:set,file.xlsm; metadata:service http; classtype:misc-activity; sid:1000853; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office OLE CF file download response"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; fast_pattern; flowbits:set,file.olecf; metadata:service http; classtype:misc-activity; sid:1000854; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Microsoft Office OLE CF file with PowerShell content download"; flow:to_client,established; flowbits:isset,file.olecf; file_data; content:"-window"; content:"hidden"; within:15; content:"powershell.exe"; metadata:service http; classtype:misc-activity; sid:1000855; rev:1;)

Thank you.
YM
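The rules posted above (sids 1000849, 1000850 and 1000853 to 1000855) can be sanity-checked offline before they go onto a sensor. The Python below is an added example, not code from the original post, from Snort or from the cited IBM analysis: it re-implements only the subset of Snort content-matching semantics those rules rely on (absolute versus relative matching with within and depth, nocase, negated content, file_data as the HTTP body) and approximates the file.olecf flowbit as "sid 1000854 fired on the same response". It performs no HTTP normalisation or stream reassembly, and every response it is run against is constructed for the example rather than captured traffic.

```python
"""Offline re-check of the content-matching logic in the Disttrack rules above.

Added example, not code from the original post or from Snort. Models only the
rule options those rules use; all sample responses are constructed.
"""


def split_http_response(raw: bytes):
    """Return (headers, body); headers keep the CRLFCRLF, body stands in for file_data."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head + sep, body


def match_chain(buf: bytes, chain) -> bool:
    """Evaluate (pattern, opts) content checks in order with Snort-like cursor rules.

    opts: nocase; depth (absolute limit from offset 0); within (relative to the
    end of the previous positive match); negated (must be absent from the buffer).
    As in Snort, a content without within is searched from the start of the buffer.
    """
    cursor = 0
    for pat, opts in chain:
        hay, needle = (buf.lower(), pat.lower()) if opts.get("nocase") else (buf, pat)
        if opts.get("negated"):
            if needle in hay:
                return False
            continue
        start = cursor if "within" in opts else 0
        stop = cursor + opts["within"] if "within" in opts else opts.get("depth", len(hay))
        pos = hay.find(needle, start, stop)  # needle must fit entirely in [start, stop)
        if pos < 0:
            return False
        cursor = pos + len(needle)
    return True


NO_CL_CONN_LOC = [  # the three negated contents shared by sids 1000849 and 1000850
    (b"Content-Length", {"nocase": True, "negated": True}),
    (b"Connection", {"nocase": True, "negated": True}),
    (b"Location", {"nocase": True, "negated": True}),
]


def sid_1000849(raw: bytes) -> bool:
    """Second stage: text/html body, powershell.exe then 'hidden' within 50 bytes."""
    headers, body = split_http_response(raw)
    return b"Content-type: text/html\r\n\r\n" in headers and match_chain(body, [
        (b"powershell.exe", {"nocase": True}),
        (b"hidden", {"nocase": True, "within": 50}),
    ] + NO_CL_CONN_LOC)


def sid_1000850(raw: bytes) -> bool:
    """Third stage: octet-stream body carrying Invoke-ReflectivePEInjection."""
    headers, body = split_http_response(raw)
    return b"Content-type: application/octet-stream\r\n\r\n" in headers and match_chain(body, [
        (b"function Invoke-ReflectivePEInjection", {"nocase": True}),
    ] + NO_CL_CONN_LOC)


def sid_1000853(raw: bytes) -> bool:
    """Macro-enabled workbook: MIME type in the headers, ZIP magic at body offset 0."""
    headers, body = split_http_response(raw)
    return (b"Content-Type: application/vnd.ms-excel.sheet.macroEnabled" in headers
            and match_chain(body, [(b"PK\x03\x04", {"depth": 4})]))


def sid_1000854(raw: bytes) -> bool:
    """OLE CF magic in the first 8 body bytes (the rule that sets flowbit file.olecf)."""
    _, body = split_http_response(raw)
    return match_chain(body, [(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"depth": 8})])


def sid_1000855(raw: bytes) -> bool:
    """OLE CF document with -window ... hidden and powershell.exe; needs the olecf flowbit."""
    _, body = split_http_response(raw)
    return sid_1000854(raw) and match_chain(body, [
        (b"-window", {}),
        (b"hidden", {"within": 15}),
        (b"powershell.exe", {}),  # no within: absolute, may sit anywhere in the body
    ])


RULES = {1000849: sid_1000849, 1000850: sid_1000850, 1000853: sid_1000853,
         1000854: sid_1000854, 1000855: sid_1000855}


def evaluate(raw: bytes):
    """Return the set of modelled sids that fire on one HTTP response."""
    return {sid for sid, rule in RULES.items() if rule(raw)}


# Constructed samples for the example (not captured traffic).
STAGE2 = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-type: text/html\r\n\r\n"
          b"<html><body>powershell.exe -ExecutionPolicy bypass -WindowStyle hidden -File a.ps1"
          b"</body></html>")
STAGE2_CAPS = STAGE2.replace(b"Content-type", b"Content-Type")   # header content is case-sensitive
STAGE2_CONN = STAGE2.replace(b"Server: Apache", b"Server: Apache\r\nConnection: close")
STAGE3 = (b"HTTP/1.1 200 OK\r\nContent-type: application/octet-stream\r\n\r\n"
          b"function Invoke-ReflectivePEInjection\n{\n    [CmdletBinding()]\n")
XLSM = (b"HTTP/1.1 200 OK\r\nContent-Type: application/vnd.ms-excel.sheet.macroEnabled.12\r\n\r\n"
        b"PK\x03\x04\x14\x00\x06\x00[Content_Types].xml")
OLECF_PS = (b"HTTP/1.1 200 OK\r\nContent-Type: application/msword\r\n\r\n"
            b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
            + b"cmd /c powershell.exe -windowstyle hidden -File x.ps1")

if __name__ == "__main__":
    for name, sample in [("STAGE2", STAGE2), ("STAGE2_CAPS", STAGE2_CAPS), ("STAGE2_CONN", STAGE2_CONN),
                         ("STAGE3", STAGE3), ("XLSM", XLSM), ("OLECF_PS", OLECF_PS)]:
        print(f"{name:12s} -> {sorted(evaluate(sample))}")
```

Two of the constructed responses exist to surface caveats a reviewer of these rules would raise. STAGE2_CAPS shows that the header content in sids 1000849 and 1000850 is matched case-sensitively and as the last header before the blank line; HTTP field names are case-insensitive and most servers send Content-Type, so a nocase or an http_header match on the value alone would be more robust. STAGE2_CONN shows that because the negated Content-Length, Connection and Location contents come after file_data, Snort evaluates them against the body buffer, not the headers; if the intent is to require those headers to be absent, the negated contents belong before file_data. In Snort itself sid 1000855 also depends on 1000854 having fired earlier on the same flow; the model collapses that to the same response.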



