[Snort-sigs] Win.Trojan.Bandook + Win.Trojan.CrossRAT

Y M snort at outlook.com
Fri Feb 2 05:13:02 EST 2018


Hi Tyler,


Based on a new pcap, here are two additional rules with updated VT reference. The second rule requires adding the C&C server port to the stream_5 preprocessor. Pcap is coming your way in a minute.


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt"; flow:to_server,established; content:"$#@"; fast_pattern:only; metadata:ruleset community; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/15af5bbf3c8d5e5db41fd7c3d722e8b247b40f2da747d5c334f7fd80b715a649/detection; classtype:trojan-activity; sid:9000017; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt"; flow:to_server,established; content:"$#@@"; fast_pattern:only; content:"$#@&&&"; isdataat:!0,relative; metadata:ruleset community; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/15af5bbf3c8d5e5db41fd7c3d722e8b247b40f2da747d5c334f7fd80b715a649/detection; classtype:trojan-activity; sid:9000018; rev:1;)


Thanks.

YM

________________________________
From: Tyler Montier <tmontier at sourcefire.com>
Sent: Monday, January 22, 2018 4:31 PM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] Win.Trojan.Bandook + Win.Trojan.CrossRAT

Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished.

Can you send the pcaps our way?

Sincerely,
Tyler Montier
Cisco Talos


On Mon, Jan 22, 2018 at 7:35 AM, Y M via Snort-sigs <snort-sigs at lists.snort.org<mailto:snort-sigs at lists.snort.org>> wrote:

Hi,


Putting these into one email since they belong to the same report/campaign. Two samples (desktop) were identified and signatures were written against them. Unfortunately, no signatures against the Android samples. Pcaps are available.


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt"; flow:to_server,established; dsize:<250; content:"QDAwMD"; depth:6; fast_pattern; content:"&&&"; within:200; isdataat:!0,relative; metadata:ruleset community; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf<http://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf>; reference:url,www.virustotal.com/#/file/bf600e7b27bdd9e396e5c396aba7f079c244bfb92ee45c721c2294aa36586206/detection<http://www.virustotal.com/#/file/bf600e7b27bdd9e396e5c396aba7f079c244bfb92ee45c721c2294aa36586206/detection>; classtype:trojan-activity; sid:9000012; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound HTTP request"; flow:to_server,established; content:"GET"; http_method; content:"/get.php?"; fast_pattern:only; http_uri; content:"action=check"; http_uri; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf<http://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf>; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection<http://www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection>; classtype:trojan-activity; sid:9000013; rev:1;)


tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound HTTP request"; flow:to_server,established; content:"POST"; http_method; content:"/get.php?"; fast_pattern:only; http_uri; content:"file1="; http_uri; content:"&file2="; http_uri; content:"&port="; http_uri; content:"&id="; http_uri; content:"&name="; http_uri; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf<http://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf>; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection<http://www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection>; classtype:trojan-activity; sid:9000014; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT"; flow:to_server,established; content:"User-Agent|3A| Uploador|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf<http://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf>; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection<http://www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection>; classtype:trojan-activity; sid:9000015; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt"; flow:to_server,established; content:"S_0001|5B|"; depth:7; fast_pattern; content:"&&&"; within:200; isdataat:!0,relative; metadata:ruleset community; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf<http://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf>; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection<http://www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection>; classtype:trojan-activity; sid:9000016; rev:1;)


Thanks.

YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.snort.org<mailto:Snort-sigs at lists.snort.org>
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180202/b837c490/attachment-0001.html>


More information about the Snort-sigs mailing list