[Snort-sigs] Win.Trojan.Bandook + Win.Trojan.CrossRAT

Tyler Montier tmontier at sourcefire.com
Mon Jan 22 08:31:49 EST 2018


Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Can you send the pcaps our way?

Sincerely,
Tyler Montier
Cisco Talos


On Mon, Jan 22, 2018 at 7:35 AM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:

> Hi,
>
>
> Putting these into one email since they belong to the same
> report/campaign. Two samples (desktop) were identified and signatures were
> written against them. Unfortunately, no signatures against the Android
> samples. Pcaps are available.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt"; flow:to_server,established; dsize:<250; content:"QDAwMD"; depth:6; fast_pattern; content:"&&&"; within:200; isdataat:!0,relative; metadata:ruleset community; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/bf600e7b27bdd9e396e5c396aba7f079c244bfb92ee45c721c2294aa36586206/detection; classtype:trojan-activity; sid:9000012; rev:1;)
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound HTTP request"; flow:to_server,established; content:"GET"; http_method; content:"/get.php?"; fast_pattern:only; http_uri; content:"action=check"; http_uri; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:9000013; rev:1;)
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound HTTP request"; flow:to_server,established; content:"POST"; http_method; content:"/get.php?"; fast_pattern:only; http_uri; content:"file1="; http_uri; content:"&file2="; http_uri; content:"&port="; http_uri; content:"&id="; http_uri; content:"&name="; http_uri; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:9000014; rev:1;)
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT"; flow:to_server,established; content:"User-Agent|3A| Uploador|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:9000015; rev:1;)
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt"; flow:to_server,established; content:"S_0001|5B|"; depth:7; fast_pattern; content:"&&&"; within:200; isdataat:!0,relative; metadata:ruleset community; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:9000016; rev:1;)
>
>
> Thanks.
>
> YM
>
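As an added illustration of what the two raw-TCP rules in the quoted post (sid 9000012 and sid 9000016) actually constrain, here is a small Python emulation of the `dsize`, `content`/`depth`, `within` and `isdataat:!0,relative` options, run over constructed payloads. This is example code written for this page, not part of YM's submission and not Snort's own matching engine; the sample payloads are made up to exercise the options and are not taken from the pcaps.

```python
"""Emulate the payload options used by sid 9000012 (Bandook) and sid 9000016
(CrossRAT) from the quoted post.  Added example, not Snort's matcher; sample
payloads below are constructed for illustration only."""

import re


def match_prefix_delim_rule(payload: bytes, prefix: bytes, max_dsize=None, within: int = 200) -> bool:
    """Return True if `payload` satisfies:
         [dsize:<max_dsize;] content:prefix; depth:len(prefix);
         content:"&&&"; within:within; isdataat:!0,relative;

    dsize:<N              payload shorter than N bytes (skipped when max_dsize is None)
    content; depth:D      prefix must lie inside the first D bytes; D == len(prefix)
                          forces it to offset 0
    content:"&&&"; within:W  the delimiter must fit entirely within the W bytes that
                          follow the end of the prefix match
    isdataat:!0,relative  no byte exists after the delimiter, i.e. "&&&" ends the payload
    """
    if max_dsize is not None and not len(payload) < max_dsize:
        return False
    # depth is measured from the start of the payload, so restrict the search there
    idx = payload.find(prefix, 0, len(prefix))
    if idx == -1:
        return False
    cursor = idx + len(prefix)
    # within: only the next `within` bytes are searched, and the whole delimiter must fit
    window = payload[cursor:cursor + within]
    # Snort retries later occurrences of a relative content when a following
    # option (here isdataat) fails, so walk every "&&&" in the window
    for m in re.finditer(rb"&&&", window):
        if cursor + m.end() == len(payload):   # isdataat:!0,relative
            return True
    return False


def matches_bandook(payload: bytes) -> bool:
    """sid 9000012: dsize:<250; content:"QDAwMD"; depth:6; ... "&&&" within:200; isdataat:!0,relative"""
    return match_prefix_delim_rule(payload, b"QDAwMD", max_dsize=250)


def matches_crossrat(payload: bytes) -> bool:
    """sid 9000016: content:"S_0001|5B|"; depth:7; ... "&&&" within:200; isdataat:!0,relative (no dsize)"""
    return match_prefix_delim_rule(payload, b"S_0001[", max_dsize=None)


# Constructed sample payloads (not real captures)
SAMPLES = {
    "bandook_like":          b"QDAwMDEyMw==&hostname&user&&&",      # prefix at 0, ends with &&&
    "bandook_trailing_data": b"QDAwMDEyMw==&&&extra",               # data after &&& -> isdataat fails
    "bandook_offset_prefix": b"xQDAwMD&&&",                         # prefix not at offset 0 -> depth fails
    "bandook_oversize":      b"QDAwMD" + b"A" * 260 + b"&&&",       # too long for dsize and for within
    "bandook_two_delims":    b"QDAwMD&&&x&&&",                      # first &&& fails isdataat, second matches
    "crossrat_like":         b"S_0001[host]&&&",
    "plain_http":            b"GET / HTTP/1.1\r\n\r\n",
}


def evaluate(samples=SAMPLES):
    """Map each sample name to (bandook_hit, crossrat_hit)."""
    return {name: (matches_bandook(p), matches_crossrat(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:24s} bandook={hits[0]!s:5s} crossrat={hits[1]}")
```

Two points worth noticing when reading the rules this way: because `depth` equals the prefix length, the prefix is pinned to the very start of the payload, and because `isdataat:!0,relative` requires the `&&&` to end the payload while `within:200` bounds how far it may sit from the prefix, a matching Bandook payload can never exceed about 206 bytes, so `dsize:<250` cannot admit anything the other options would reject; it is still useful as a cheap first check that lets Snort skip the content search on large packets.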