[Snort-sigs] Win.Trojan.Elise variant

Tyler Montier tmontier at sourcefire.com
Fri Feb 2 16:10:23 EST 2018


Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Can you send along the pcaps that you have?

Regards,
Tyler Montier
Cisco Talos

On Fri, Feb 2, 2018 at 10:53 AM, Y M via Snort-sigs <
snort-sigs at lists.snort.org> wrote:

> Hi,
>
>
> Below rules are for detecting Elise variant. Pcap is available.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Elise variant IP address check"; flowbits:set,trojan_elise_ipcheck;
> flow:to_server,established; content:"GET"; http_method;
> content:"/myip?format=txt"; fast_pattern:only; http_uri;
> content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| ";
> http_header; content:!"Referer"; http_header; content:!"Accept";
> http_header; flowbits:set,elise_trojan; metadata:ruleset community, service
> http; reference:url,www.accenture.com/t20180127T003755Z__w__/us-
> en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf;
> reference:url,community.rsa.com/community/products/
> netwitness/blog/2018/01/30/apt32-continues-asean-targeting; reference:url,
> www.virustotal.com/#/file/6dc2a49d58dc568944fef8285ad7a0
> 3b772b9bdf1fe4bddff3f1ade3862eae79/detection; classtype:trojan-activity;
> sid:9000019; rev:1;)
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Elise variant outbound connection attempt";
> flow:to_server,established; content:"POST"; http_method; content:"==|3B|";
> http_cookie; content:"=|3B|"; http_cookie; content:"Connection|3A
> 20|Keep-Alive|0D 0A|"; http_header; content:"Cache-Control|3A
> 20|no-cache|0D 0A|"; http_header; content:"Pragma|3A 20|no-cache|0D 0A|";
> http_header; content:!"Referer"; http_header; flowbits:isset,trojan_elise_ipcheck;
> metadata:ruleset community, service http; reference:url,www.accenture.
> com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-
> Security-Dragonfish-Threat-Analysis.pdf; reference:url,community.rsa.
> com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-
> targeting; reference:url,www.virustotal.com/#/file/
> 6dc2a49d58dc568944fef8285ad7a03b772b9bdf1fe4bddff3f1ade3862eae79/detection;
> classtype:trojan-activity; sid:9000020; rev:1;)
>
>
> Thanks.
>
> YM
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-
> the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads">emerging threats</a>!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180202/6b27c02f/attachment-0001.html>


More information about the Snort-sigs mailing list