[Snort-sigs] Zebrocy family sigs

Y M snort at outlook.com
Fri Apr 27 10:03:31 EDT 2018


Hi,

The below rules are based on the information provided by the reference. The traffic from the hashes listed below was tested against the rules. Pcaps are available.

# Title: Sednit update: Analysis of Zebrocy
# Reference: https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
# Tests: pcap
# Hashes: 54b14fc84f152b43c63babc46f2597b053e94627 (Delf Downloader), d379b94a3eb4fd9c9a973f64d436d7fc2e9d6762 (AutoIt Downloader), 4ccbe222bd97dc229b36efaf52520939da9d51c8 (Delf Backdoor), cdf9c24b86bc9a872035dcf3f53f380c904ed98b (Delf Backdoor)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?fort="; fast_pattern:only; http_uri; content:"pol="; http_client_body; content:"Accept-Encoding|3A 20|identity|0D 0A|"; http_header; pcre:"/\.(php|dat)\x3ffort\x3d[A-Z0-9]{8,16}/U"; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000022; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/protocol.php"; fast_pattern:only; http_uri; content:"porg="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000023; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family AutoIt downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"dbgate="; fast_pattern:only; http_client_body; content:"win32="; http_client_body; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000024; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi backdoor outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"Content-Disposition: form-data|3B| name=|22|userfile|22 3B| filename=|22|"; fast_pattern:only; http_client_body; content:"Accept-Encoding|3A 20|identity|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000025; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family bad known user-agent"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla v"; fast_pattern:only; http_header; pcre:"/User-Agent\x3a\x20Mozilla\x20v[0-9]/Hi"; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000026; rev:1;)

Thanks
YM
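An added example, not part of the post and not Snort itself: a small Python harness that re-implements the matching logic of the five rules above (content, http_method/http_uri/http_header/http_client_body buffers and the two pcre options) and runs it over constructed HTTP requests, so the interplay of the content and pcre conditions (for instance the 8 to 16 character `fort=` value) can be checked without a pcap. The hostnames, the paths other than `/protocol.php` and all parameter values are placeholders, not indicators from the referenced pcaps. Flow and stream state is not modelled, and `fast_pattern:only` contents are matched case-insensitively, which is how Snort's fast pattern matcher treats them.

```python
"""Host-side re-implementation of the five Zebrocy rules for checking their
matching logic against constructed HTTP requests.  Only the content, http_*
buffer and pcre conditions are modelled; flow/stream tracking is not."""
import re


def build_request(request_line, headers, body=b""):
    """Assemble a raw HTTP/1.1 request with CRLF line endings."""
    lines = [request_line] + list(headers)
    if body:
        lines.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def parse_request(raw):
    """Split a raw request into the buffers Snort's http_* modifiers inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    return {
        "method": parts[0] if parts else b"",
        "uri": parts[1] if len(parts) > 1 else b"",
        # http_header: the header lines, each terminated by CRLF
        "headers": header_block + b"\r\n" if header_block else b"",
        "body": body,
    }


def has(buf, needle, nocase=False):
    """content: match. fast_pattern:only contents are checked case-insensitively
    because Snort's fast pattern matcher is itself case-insensitive."""
    return needle.lower() in buf.lower() if nocase else needle in buf


def sid_8000022(r):  # Delphi downloader, ?fort= variant
    return (r["method"] == b"POST"
            and has(r["uri"], b"?fort=", nocase=True)
            and has(r["body"], b"pol=")
            and has(r["headers"], b"Accept-Encoding: identity\r\n")
            and re.search(rb"\.(php|dat)\?fort=[A-Z0-9]{8,16}", r["uri"]) is not None)


def sid_8000023(r):  # Delphi downloader, /protocol.php variant, no User-Agent
    return (r["method"] == b"POST"
            and has(r["uri"], b"/protocol.php", nocase=True)
            and has(r["body"], b"porg=")
            and not has(r["headers"], b"User-Agent"))


def sid_8000024(r):  # AutoIt downloader
    return (r["method"] == b"POST"
            and has(r["body"], b"dbgate=", nocase=True)
            and has(r["body"], b"win32="))


def sid_8000025(r):  # Delphi backdoor multipart upload
    return (r["method"] == b"POST"
            and has(r["body"], b'Content-Disposition: form-data; name="userfile"; filename="', nocase=True)
            and has(r["headers"], b"Accept-Encoding: identity\r\n"))


def sid_8000026(r):  # known bad user-agent, any method
    return (has(r["headers"], b"User-Agent: Mozilla v", nocase=True)
            and re.search(rb"User-Agent:\x20Mozilla\x20v[0-9]", r["headers"], re.I) is not None)


RULES = {8000022: sid_8000022, 8000023: sid_8000023, 8000024: sid_8000024,
         8000025: sid_8000025, 8000026: sid_8000026}


def match_rules(raw):
    """Return the sorted list of SIDs whose conditions the raw request satisfies."""
    r = parse_request(raw)
    return sorted(sid for sid, check in RULES.items() if check(r))


# Constructed sample requests; hosts, paths and values are placeholders.
HOST = b"Host: c2.example.invalid"
FORM = b"Content-Type: application/x-www-form-urlencoded"
SAMPLES = {
    "delphi_downloader": build_request(
        b"POST /gate.php?fort=AB12CD34EF56 HTTP/1.1",
        [HOST, b"Accept-Encoding: identity", FORM], b"pol=placeholder"),
    # content "?fort=" matches but the pcre needs 8-16 [A-Z0-9] characters
    "delphi_downloader_short_id": build_request(
        b"POST /gate.php?fort=AB12 HTTP/1.1",
        [HOST, b"Accept-Encoding: identity", FORM], b"pol=placeholder"),
    "delphi_downloader_v2": build_request(
        b"POST /protocol.php HTTP/1.1", [HOST, FORM], b"porg=placeholder"),
    "autoit_downloader": build_request(
        b"POST /index.php HTTP/1.1", [HOST, b"User-Agent: Mozilla/4.0", FORM],
        b"dbgate=placeholder&win32=placeholder"),
    "delphi_backdoor": build_request(
        b"POST /upload.php HTTP/1.1",
        [HOST, b"Accept-Encoding: identity", b"Content-Type: multipart/form-data; boundary=xyz"],
        b'--xyz\r\nContent-Disposition: form-data; name="userfile"; filename="a.bin"\r\n\r\nDATA\r\n--xyz--\r\n'),
    "bad_user_agent": build_request(
        b"GET /index.html HTTP/1.1", [HOST, b"User-Agent: Mozilla v5.0"]),
    "benign_login": build_request(
        b"POST /login HTTP/1.1",
        [b"Host: www.example.invalid", b"User-Agent: Mozilla/5.0", b"Accept-Encoding: gzip, deflate", FORM],
        b"user=alice&password=placeholder"),
}


def run_all():
    """Map each sample name to the SIDs it triggers."""
    return {name: match_rules(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in run_all().items():
        print(f"{name:28s} -> {sids}")
```

The short-id sample is the one worth keeping an eye on: it passes every content check of sid 8000022 and is rejected only by the pcre, which is what keeps that rule from firing on arbitrary `?fort=` parameters.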

