[Snort-sigs] Backdoor OSCelestial RAT

Tyler Montier tmontier at ...435...
Mon Mar 6 15:17:21 EST 2017


Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Since you have pcaps available, can you send them my way?

Sincerely,

Tyler Montier
Cisco Talos

On Mon, Mar 6, 2017 at 6:06 AM, Y M <snort at ...3751...> wrote:

> Hello,
>
>
> The below rules are for the OSCelestial RAT. I left the OS (Win, Osx,
> etc.) at the beginning of the rules' messages since the sample in
> question seems to be targeting multiple OSes. The sample was successfully
> tested on Windows, OS X, and Linux (Ubuntu). Other OSes were not tested.
>
>
> The last rule may be overkill, but the pattern was too obvious to be missed.
> Pcap is available.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant outbound connection"; flow:to_server,established; content:"|70 73 72 00|"; content:"|17|com.net.LoginDataPacket"; distance:0; within:24; metadata:ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:1000867; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant outbound connection"; flow:to_server,established; content:"|70 73 72 00|"; content:"|11|com.net.LoginData"; distance:0; within:18; content:"|0E|identification"; content:"|08|maccaddr"; distance:7; within:9; content:"|0F|operatingsystem"; distance:7; within:16; content:"|06|pcname"; distance:7; within:7; content:"|08|username"; distance:7; within:9; content:"|07|version"; distance:7; within:8; metadata:ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:1000868; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant inbound connection"; flow:to_client,established; dsize:>800; content:"|1B|com.net.DynamicPluginPacket"; fast_pattern:only; content:"|00 14|com.oscp.client.HRDP"; content:"|00 26|net.oscp.client.networking.OpenWebsite"; content:"|00 28|"; distance:1; content:".UploadExecute"; distance:25; within:15; content:"|00 27|"; distance:1; content:".ReverseProxy"; distance:25; within:14; content:"|00 2A|"; distance:1; content:".DownloadExecute"; distance:25; within:17; content:"|00 29|"; distance:1; content:".KeystrokeLogger"; distance:24; within:17; content:"|00 27|"; distance:1; content:".JarInjector"; distance:26; within:13; content:"|00 2B|"; distance:1; content:".JarInjectUpload"; distance:26; within:17; content:"|00 21|"; distance:1; content:".Explorer"; distance:24; within:10; content:"|00 25|"; distance:1; content:".RemoteChat"; distance:25; within:12; content:"|00 25|"; distance:1; content:".MessageBox"; distance:25; within:12; content:"|00 23|"; distance:1; content:".DesktopView"; distance:22; within:13; content:"|00 29|"; distance:1; content:".PasswordRecovery"; distance:23; within:18; content:"|00 21|"; distance:1; content:".WebcamView"; distance:21; within:12; content:"|00 27|"; content:".Terminal"; distance:23; within:10; metadata:ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:1000869; rev:1;)
>
> Thank you.
>
> YM
>
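As an added example (not part of either message above), the Python below models Snort's content/distance/within chaining, using my reading of the Snort 2 semantics and a constructed Java-serialization sample rather than the pcap, to show why these rules set within equal to the pattern length: the |17| length prefix (23 = len("com.net.LoginDataPacket")) pins the class name to the byte right after the |70 73 72 00| descriptor marker, so any inserted byte breaks the match.

```python
# Added example, not code from the original post. Assumptions: Snort 2
# relative-matching semantics as modelled in match_chain() (no backtracking
# to later occurrences of an earlier content), and a constructed sample payload.
from dataclasses import dataclass
from typing import List, Optional

def snort_content(text: str) -> bytes:
    """Convert Snort content notation, e.g. '|17|com.net.LoginDataPacket', to bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

@dataclass
class Content:
    pattern: bytes
    distance: Optional[int] = None   # None: not relative, search from payload start
    within: Optional[int] = None     # None: no upper bound on the search window

def match_chain(payload: bytes, chain: List[Content]) -> bool:
    """True when every content matches in order. A relative content is searched
    from `distance` bytes after the previous match end, and with `within` set
    the whole pattern must lie inside the next `within` bytes of that window."""
    cursor = 0
    for c in chain:
        start = 0 if c.distance is None else cursor + c.distance
        end = len(payload) if c.within is None else start + c.within
        idx = payload.find(c.pattern, start, end)
        if idx < 0:
            return False
        cursor = idx + len(c.pattern)
    return True

# Chain from sid:1000867: TC_NULL TC_OBJECT TC_CLASSDESC, then the class name
# length (0x0017 == 23) and the name itself; within:24 == len(pattern).
RULE_1000867 = [
    Content(snort_content("|70 73 72 00|")),
    Content(snort_content("|17|com.net.LoginDataPacket"), distance=0, within=24),
]

def login_packet(gap: bytes = b"") -> bytes:
    """Constructed sample: Java stream magic 0xACED, version 5, then the
    descriptor. `gap` injects bytes between the two fields to show the pin."""
    return (b"\xac\xed\x00\x05" + b"\x70\x73\x72\x00" + gap
            + b"\x17com.net.LoginDataPacket" + b"\x00" * 8)

def rule_fires(payload: bytes) -> bool:
    """Would sid:1000867's content chain match this payload?"""
    return match_chain(payload, RULE_1000867)
```

Dropping `within` from the second Content makes the gapped sample match again, which is the looser rule the author avoided.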