[Snort-sigs] Zebrocy family sigs

Phillip Lee phillile at sourcefire.com
Fri Apr 27 10:48:25 EDT 2018


Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. 

Can you send along the pcaps that you have? 

Regards,
Phil Lee
Cisco Talos

> On Apr 27, 2018, at 10:03 AM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:
> 
> Hi,
> 
> The below rules are based on the information provided by the reference. The traffic from the hashes listed below was tested against the rules. Pcap are available.
> 
> # Title: Sednit update: Analysis of Zebrocy
> # Reference: https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ <https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/>
> # Tests: pcap
> # Hashes: 54b14fc84f152b43c63babc46f2597b053e94627 (Delf Downloader), d379b94a3eb4fd9c9a973f64d436d7fc2e9d6762 (AutoIt Downloader), 4ccbe222bd97dc229b36efaf52520939da9d51c8 (Delf Backdoor), cdf9c24b86bc9a872035dcf3f53f380c904ed98b (Delf Backdoor)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?fort="; fast_pattern:only; http_uri; content:"pol="; http_client_body; content:"Accept-Encoding|3A 20|identity|0D 0A|"; http_header; pcre:"/\.(php|dat)\x3ffort\x3d[A-Z0-9]{8,16}/U"; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ <http://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/>; classtype:trojan-activity; sid:8000022; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/protocol.php"; fast_pattern:only; http_uri; content:"porg="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ <http://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/>; classtype:trojan-activity; sid:8000023; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family AutoIt downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"dbgate="; fast_pattern:only; http_client_body; content:"win32="; http_client_body; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ <http://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/>; classtype:trojan-activity; sid:8000024; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi backdoor outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"Content-Disposition: form-data|3B| name=|22|userfile|22 3B| filename=|22|"; fast_pattern:only; http_client_body; content:"Accept-Encoding|3A 20|identity|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ <http://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/>; classtype:trojan-activity; sid:8000025; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family bad known user-agent"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla v"; fast_pattern:only; http_header; pcre:"/User-Agent\x3a\x20Mozilla\x20v[0-9]/Hi"; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ <http://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/>; classtype:trojan-activity; sid:8000026; rev:1;)
> 
> Thanks
> YM
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org <mailto:Snort-sigs at lists.snort.org>
> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
> 
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
> 
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette <https://snort.org/faq/what-is-the-mailing-list-etiquette>
> 
> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180427/a2b55d8f/attachment-0001.html>


More information about the Snort-sigs mailing list