[Snort-sigs] Multiple signatures - 002

Y M snort at outlook.com
Tue Jul 3 09:26:34 EDT 2018


An additional hash for another PDF embedding an exploit document:

8f15fd0d9f4812a7984f526ecb05322427fbcf2216fa19789c9286160e2b5f6f

Thanks.
YM
________________________________
From: Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of Y M via Snort-sigs <snort-sigs at lists.snort.org>
Sent: Monday, July 2, 2018 8:12 PM
To: snort-sigs
Subject: [Snort-sigs] Multiple signatures - 002

Hi,

Here is another set of rules. Pcaps are available for all of them, some of which were generated with file2pcap for testing.

# --------------------
# Date: 2018-06-30
# Title: Observations from Lokibot, Emotet, and FormBook Droppers
# Reference: Research
# Hashes:
#     - 43cbdf813e2fcfab554b9a6d9483fc4011fe75fbf45fb8412a2350e5456a3f18 > Ref: https://twitter.com/James_inthe_box/status/1012731702232223745
#     - 8f859c1a9965427848315e9456237e9c018b487e3bd1d632bce2acd0c370341e > Ref: https://blog.talosintelligence.com/2018/06/my-little-formbook.html
#     - dac2202e74458d67b95f566d3f83f88ca4a33c3b28da31c3c183a656f485cd8c > Ref: https://www.virustotal.com/#/file/dac2202e74458d67b95f566d3f83f88ca4a33c3b28da31c3c183a656f485cd8c/detection
#     - 3ac6b5be53b3d1f6cff8706168bc8cd4c7774f5bd82959c1f2186106efea59e8 > Ref: https://myonlinesecurity.co.uk/fake-signed-contract-agreeement-delivers-lokibot-and-formbook-malware/
#     - 3de96921a07553cf5ef25cab246480f04383d44cc921042e1462b7ffbe1fe720 > Ref: https://isc.sans.edu/forums/diary/A+Malicious+Word+Document+Inside+a+PDF+Document/19623/
# Tests: pcap (file2pcap)
# Confidence: low
# Notes: some of the samples were not tested since they are available on VTI only. The flowbit file.pdf_embed_doc is
#        set by the /EmbeddedFile rules and required by the JS-export rules, in an attempt to reduce FPs.

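# PDF carrying an embedded Office document (HTTP, server -> client). Requires the
# file.pdf flowbit, which is set by a rule outside this post. Matches an /EmbeddedFile
# entry followed within 15 bytes by /Names and within 50 bytes by ".do", then confirms
# the extension (.doc/.docx/.dotm/.dotx) with the pcre. Sets file.pdf_embed_doc so the
# JS-export rule (sid 8000149) only fires on PDFs already seen with such an attachment.
# NOTE(review): the pcre carries no R flag, so it is evaluated against the whole
# file_data buffer rather than relative to the preceding ".do" match.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PDF file embeding .DOC/.DOCX/.DOTM/.DOTX document"; flow:to_client,established; flowbits:isset,file.pdf; flowbits:set,file.pdf_embed_doc; file_data; content:"/EmbeddedFile"; fast_pattern; content:"/Names"; within:15; content:".do"; within:50; pcre:"/\.do(c|tm|cx|tx)/"; metadata:ruleset community, service http; classtype:misc-activity; sid:8000148; rev:1;)

# Follow-on to 8000148: embedded PDF JavaScript calling exportDataObject( with a cName
# argument and an nLaunch argument within 50 bytes of it. Only evaluated when
# file.pdf_embed_doc is already set on the flow.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PDF file with JS exporting embedded .DOC/.DOCX/.DOTM/.DOTX document"; flow:to_client,established; flowbits:isset,file.pdf; flowbits:isset,file.pdf_embed_doc; file_data; content:"exportDataObject("; content:"cName"; within:15; content:"nLaunch"; within:50; metadata:ruleset community, service http; classtype:misc-activity; sid:8000149; rev:1;)

# RTF counterpart of 8000148: same /EmbeddedFile and /Names sequence with a literal
# ".rtf" name; sets file.pdf_embed_rtf for sid 8000151.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PDF file embeding .RTF document"; flow:to_client,established; flowbits:isset,file.pdf; flowbits:set,file.pdf_embed_rtf; file_data; content:"/EmbeddedFile"; fast_pattern; content:"/Names"; within:15; content:".rtf"; within:50; metadata:ruleset community, service http; classtype:misc-activity; sid:8000150; rev:1;)

# RTF counterpart of 8000149; additionally requires ".rtf" between cName and nLaunch.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PDF file with JS exporting embedded .RTF document"; flow:to_client,established; flowbits:isset,file.pdf; flowbits:isset,file.pdf_embed_rtf; file_data; content:"exportDataObject("; content:"cName"; within:15; content:".rtf"; within:50; content:"nLaunch"; within:50; metadata:ruleset community, service http; classtype:misc-activity; sid:8000151; rev:1;)

# Array-indexed variant: the object name is taken from "[0].name" rather than a literal,
# so this rule depends only on file.pdf, not on either embed flowbit, and matches
# "exportDataObject" without the opening parenthesis. No fast_pattern is set here, so
# Snort chooses the search pattern itself (by default the longest content).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PDF file with JS exporting object from array"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"exportDataObject"; content:"cName"; within:15; content:"[0].name"; within:50; content:"nLaunch"; within:50; metadata:ruleset community, service http; classtype:misc-activity; sid:8000152; rev:1;)

# Mail-side mirrors of 8000148-8000152 (sids 8000153-8000157): identical payload checks,
# inspected to_server toward $SMTP_SERVERS on port 25 and tagged for smtp/pop3/imap.
# NOTE(review): the source port is $FILE_DATA_PORTS on a to_server flow; if that
# variable holds the stock [$HTTP_PORTS,110,143], an ephemeral client source port will
# not match and these five rules never fire on SMTP. Confirm whether "any" was intended.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE PDF file embeding .DOC/.DOCX/.DOTM/.DOTX document"; flow:to_server,established; flowbits:isset,file.pdf; flowbits:set,file.pdf_embed_doc; file_data; content:"/EmbeddedFile"; fast_pattern; content:"/Names"; within:15; content:".do"; within:50; pcre:"/\.do(c|tm|cx|tx)/"; metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000153; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE PDF file with JS exporting embedded .DOC/.DOCX/.DOTM/.DOTX document"; flow:to_server,established; flowbits:isset,file.pdf; flowbits:isset,file.pdf_embed_doc; file_data; content:"exportDataObject("; content:"cName"; within:15; content:"nLaunch"; within:50; metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000154; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE PDF file embeding .RTF document"; flow:to_server,established; flowbits:isset,file.pdf; flowbits:set,file.pdf_embed_rtf; file_data; content:"/EmbeddedFile"; fast_pattern; content:"/Names"; within:15; content:".rtf"; within:50; metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000155; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE PDF file with JS exporting embedded .RTF document"; flow:to_server,established; flowbits:isset,file.pdf; flowbits:isset,file.pdf_embed_rtf; file_data; content:"exportDataObject("; content:"cName"; within:15; content:".rtf"; within:50; content:"nLaunch"; within:50; metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000156; rev:1;)

# Fixed: the original ended the metadata option with "service smtp;;", leaving an empty
# rule option that the Snort rule parser may reject; every sibling rule uses a single
# semicolon here. No detection logic changed.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE PDF file with JS exporting object from array"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"exportDataObject"; content:"cName"; within:15; content:"[0].name"; within:50; content:"nLaunch"; within:50; metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000157; rev:1;)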

# --------------------
# Date: 2018-06-30
# Title: Slight changes to Trickbot delivery system
# Reference:
#     - https://myonlinesecurity.co.uk/slight-changes-to-trickbot-delivery-system/
#     - https://twitter.com/HybridAnalysis/status/1012694777454661635
# Hashes:
#     - a11af88bc26878f73fe2bbe541e6eb50fce4ff2b9c5c033f3cd27a021218bb3d
#     - 9f350ff27f614015b25cd8f3325084e0345e25ffa2f840a1c712f55c5bbedfff
#     - 3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73
# Tests: pcap (file2pcap)
# Confidence: medium

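# Trickbot delivery documents: a VBA macro referencing the InkPicture ActiveX control
# (MSINKAUTLib) with a Painted(ByVal ...) event handler. All rules require the file.doc
# flowbit, which is set by a rule outside this post. Three byte layouts are covered,
# since the same strings appear with differently placed |00| bytes in the samples:
#   8000162 - plain ASCII, all three contents case-insensitive
#   8000163 - |00| inside "InkPicture", "MSINKAUTLib" and "Painted(ByVal"
#   8000164 - |00| before "Painted(" and "ByVal", "MSINKAUTLib" split in two contents
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE document with InkPicture ActiveX within VBA macro"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"InkPicture"; nocase; content:"MSINKAUTLib"; within:30; nocase; content:"Painted(ByVal"; within:50; nocase; metadata:ruleset community, service http; classtype:misc-activity; sid:8000162; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE document with InkPicture ActiveX within VBA macro"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"InkP|00|icture"; nocase; content:"MSINK|00|AUTLib"; within:30; nocase; content:"Pain|00|ted(ByVa|00|l"; within:50; nocase; metadata:ruleset community, service http; classtype:misc-activity; sid:8000163; rev:1;)

# NOTE(review): unlike the two rules above, the "MSINKAU" and "TLib" contents here carry
# no nocase (also in the mail mirror 8000167); confirm that is intentional for the sample
# this layout was taken from.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE document with InkPicture ActiveX within VBA macro"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"InkP|00|icture"; nocase; content:"|00|Painted(|00|ByVal"; within:20; nocase; content:"MSINKAU"; within:50; content:"TLib"; within:10; metadata:ruleset community, service http; classtype:misc-activity; sid:8000164; rev:1;)

# Mail-side mirrors of 8000162-8000164 (sids 8000165-8000167): same payload checks,
# inspected to_server toward $SMTP_SERVERS on port 25 and tagged for smtp/pop3/imap.
# NOTE(review): the source port is $FILE_DATA_PORTS on a to_server flow; if that
# variable holds the stock [$HTTP_PORTS,110,143], an ephemeral client source port will
# not match. Confirm whether "any" was intended.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE document with InkPicture ActiveX within VBA macro"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"InkPicture"; nocase; content:"MSINKAUTLib"; within:30; nocase; content:"Painted(ByVal"; within:50; nocase; metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000165; rev:1;)

# Fixed: the original ended the metadata option with "service smtp;;", leaving an empty
# rule option that the Snort rule parser may reject; every sibling rule uses a single
# semicolon here. No detection logic changed.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE document with InkPicture ActiveX within VBA macro"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"InkP|00|icture"; nocase; content:"MSINK|00|AUTLib"; within:30; nocase; content:"Pain|00|ted(ByVa|00|l"; within:50; nocase; metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000166; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE document with InkPicture ActiveX within VBA macro"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"InkP|00|icture"; nocase; content:"|00|Painted(|00|ByVal"; within:20; nocase; content:"MSINKAU"; within:50; content:"TLib"; within:10; metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000167; rev:1;)

# Generic macro indicator: the "_VBA_PROJECT" stream name with a |00| after every
# character (UTF-16LE layout) anywhere in the document. The single content has no
# relative modifier, so fast_pattern:only hands it to the fast-pattern matcher alone.
# HTTP (8000168) and mail (8000169) variants; the mail rule has the same source-port
# caveat as 8000165-8000167 above.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE document with VBA project - unicode"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"_|00|V|00|B|00|A|00|_|00|P|00|R|00|O|00|J|00|E|00|C|00|T"; fast_pattern:only; metadata:ruleset community, service http; classtype:misc-activity; sid:8000168; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE document with VBA project - unicode"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"_|00|V|00|B|00|A|00|_|00|P|00|R|00|O|00|J|00|E|00|C|00|T"; fast_pattern:only; metadata:ruleset community, service imap, service pop3, service smtp; classtype:misc-activity; sid:8000169; rev:1;)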

# --------------------
# Date: 2018-07-02
# Title: All-Radio 4.27 Portable Can't Be Removed? Then Your PC is Severely Infected
# Reference: https://www.bleepingcomputer.com/news/security/all-radio-427-portable-cant-be-removed-then-your-pc-is-severely-infected/
# Tests: pcap
# Confidence: medium
# Hashes: 9d891048dddda8a65de966c71f81464b20e402766aaee8a284da8d25c98270bd

# Outbound check-in from the All-Radio 4.27 sample (hash in the header above): an HTTP
# request whose URI contains ".php?mykeyone=", "&mykeytwo=" and "&anti_cache=", sent
# with no User-Agent header at all (content:!"User-Agent"; http_header). The first URI
# content is the fast pattern; the remaining contents are not relative to each other.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector outbound connection"; flow:to_server,established; content:".php?mykeyone="; fast_pattern:only; http_uri; content:"&mykeytwo="; http_uri; content:"&anti_cache="; http_uri; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/9d891048dddda8a65de966c71f81464b20e402766aaee8a284da8d25c98270bd/detection; classtype:trojan-activity; sid:8000170; rev:1;)
# Second check-in form from the same sample: a "/radio/" path with "ver", "prov",
# "serverpassword" and "portable=1" query parameters, all matched in the URI buffer.
# NOTE(review): the msg is identical to 8000170; a distinct message (for example naming
# the /radio/ endpoint) would let the two alerts be told apart in SIEM output.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector outbound connection"; flow:to_server,established; content:"/radio/"; fast_pattern:only; http_uri; content:".php?ver="; http_uri; content:"&prov="; http_uri; content:"&serverpassword="; http_uri; content:"&portable=1"; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/9d891048dddda8a65de966c71f81464b20e402766aaee8a284da8d25c98270bd/detection; classtype:trojan-activity; sid:8000171; rev:1;)

Thanks
YM