[Snort-sigs] Multiple signatures - 003

Marcos Rodriguez mrodriguez at sourcefire.com
Tue Jul 3 12:02:07 EDT 2018


On Tue, Jul 3, 2018 at 9:23 AM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:

> Hi,
>
> Happy soon-to-be 4th of July to you all. Pcaps for the first two sets of
> signatures are available.
>
> # --------------------
> # Date: 2018-07-03
> # Title: Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems
> # Tests: pcap (partial)
> # Reference: https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/
> # Hashes:
> #    - 3227d1e39fc3bc842245ccdb16eeaadad3bcd298e811573b2e68ef2a7077f6f6
> #    - 92e0d0346774127024c672cc7239dd269824a79e85b84c532128fd9663a0ce78
> #    - 33665d93ab2a0262551c61ec9a3adca2c2b8dfea34e6f3f723274d88890f6ceb
> #    - 019874898284935719dc74a6699fb822e20cdb8e3a96a7dc8ec4f625e3f1116e
> #    - f817c9826089b49d251b8a09a0e9bf9b4b468c6e2586af60e50afe48602f0bec
> # Confidence: low
> # Note: The trojanized loader binaries, the standalone binaries, and the C&C domain (plus an additional domain)
> #       successfully correlate to the observed HTTP URI and Header.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HomamDownloader outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Win32)|3B|51|3B|"; fast_pattern:only; http_header; content:"/index.htm"; http_uri; content:!"Connection: "; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/; classtype:trojan-activity; sid:8000172; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HomamDownloader outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)|3B|61|3B|"; fast_pattern:only; http_header; content:"/index.htm"; http_uri; content:!"Connection: "; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/; classtype:trojan-activity; sid:8000173; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HomamDownloader outbound connection - PCRE"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE "; http_header; content:"|3B| Win32)|3B|"; within:12; http_header; fast_pattern; content:"/index.htm"; http_uri; content:!"Connection: "; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/User-Agent\x3a\sMozilla\/4\.0\s\x28compatible\x3b\sMSIE\s\d\.0\x3b\sWin32\x29\x3b[0-9]{2}\x3b\w+/H"; metadata:ruleset community, service http; reference:url,researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/; classtype:trojan-activity; sid:8000174; rev:1;)
>
> # --------------------
> # Date: 2018-07-03
> # Title: PUA FileTour/MediaDrug
> # Tests: pcap, live traffic
> # Reference: Research
> # Confidence: medium+
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.MediaDrug/FileTour outbound connection"; flow:to_server,established; content:"/client.config/?"; fast_pattern:only; http_uri; content:"app="; http_uri; content:"&format="; http_uri; content:"&uid="; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/c25cb815710871b5e984a0b002f6f57088e43c5e3f19da9e889f4b962cd4da56/detection; classtype:trojan-activity; sid:8000175; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE Win.Adware.MediaDrug/FileTour inbound connection"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type: text/xml"; http_header; file_data; content:"<LogUrl>"; fast_pattern; nocase; content:"<csrtmm>"; nocase; content:"<advertid>"; nocase; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/c25cb815710871b5e984a0b002f6f57088e43c5e3f19da9e889f4b962cd4da56/detection; classtype:trojan-activity; sid:8000176; rev:1;)
>
> # --------------------
> # Date: 2018-07-03
> # Title: MirageFox: APT15 Resurfaces With New Tools Based On Old Ones
> # Tests: syntax only
> # Reference: https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/
> # Confidence: low-- (use for threat hunting? You assume way too much...)
> # Notes: All content matches were extracted from the binaries' strings. Most of the remaining samples,
> #        specifically Mirage, share the same URI patterns.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.RoyalAPT outbound connection"; flow:to_server,established; content:"/image_download.php?"; fast_pattern:only; http_uri; content:"uid="; http_uri; content:"part="; http_cookie; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/016948ec7743b09e41b6968b42dfade5480774df3baf915e4c8753f5f90d1734/detection; reference:url,www.malwares.com/report/file?hash=016948EC7743B09E41B6968B42DFADE5480774DF3BAF915E4C8753F5F90D1734; classtype:trojan-activity; sid:8000177; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.MirageFox outbound connection"; flow:to_server,established; content:"/search?gid="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0"; http_header; content:"Accept: */*"; http_header; content:"POST"; http_method; content:!"Referer"; http_header; reference:url,www.virustotal.com/#/file/28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a/detection; reference:url,www.virustotal.com/#/file/97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5/detection; classtype:trojan-activity; sid:8000178; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Mirage variant outbound connection"; flow:to_server,established; content:"/net/server.asp?"; fast_pattern:only; http_uri; nocase; content:"cmd="; http_uri; nocase; content:"&adminid="; http_uri; nocase; content:"&adminkey="; http_uri; nocase; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/1534432fafb21c0479343bc2d9f3991e56c75baa41c54b3470d41055bb578f8f/detection; reference:url,www.malwares.com/report/file?hash=1534432FAFB21C0479343BC2D9F3991E56C75BAA41C54B3470D41055BB578F8F; classtype:trojan-activity; sid:8000179; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Mirage variant outbound connection"; flow:to_server,established; content:"/users/login.asp?"; fast_pattern:only; http_uri; nocase; content:"type="; http_uri; nocase; content:"&server_ver="; http_uri; nocase; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/1534432fafb21c0479343bc2d9f3991e56c75baa41c54b3470d41055bb578f8f/detection; reference:url,www.malwares.com/report/file?hash=1534432FAFB21C0479343BC2D9F3991E56C75BAA41C54B3470D41055BB578F8F; classtype:trojan-activity; sid:8000180; rev:1;)
>
> Thanks.
> YM
>

Hi Yaser,

Thanks for these submissions. We will review each of them and get back to
you when finished.


-- 
Marcos Rodriguez
Cisco Talos
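Added example, not from the submitted rules or from Talos: a small Python re-implementation of the HomamDownloader rule logic (sids 8000172 to 8000174, the fixed User-Agent strings, the `/index.htm` URI and the three negated header matches) run over constructed HTTP requests, so a reviewer can exercise the positive case and the header exclusions offline before testing the real pcaps. The function names, the regex port and the sample requests are assumptions; flow direction and `$HTTP_PORTS` are not modelled.

```python
import re

# Hypothetical port (added example) of the posted PCRE from sid 8000174;
# the /H modifier means Snort applies it to the normalized HTTP headers.
UA_PATTERN = re.compile(
    r"User-Agent\x3a\sMozilla\/4\.0\s\x28compatible\x3b\sMSIE\s\d\.0"
    r"\x3b\sWin32\x29\x3b[0-9]{2}\x3b\w+"
)
# Headers the rules require to be absent (content:!"..."; http_header).
# Snort content matches are case-sensitive substrings, so "Accept" also
# covers "Accept-Language" etc., exactly as the posted rules behave.
FORBIDDEN_HEADERS = ("Connection: ", "Accept", "Referer")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, header block)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    return method, uri, "\r\n".join(lines[1:]) + "\r\n"

def homam_match(raw: bytes):
    """Return the most specific HomamDownloader sid that fires, else None."""
    _method, uri, headers = parse_request(raw)
    if "/index.htm" not in uri:                 # content:"/index.htm"; http_uri
        return None
    if any(h in headers for h in FORBIDDEN_HEADERS):
        return None
    m = UA_PATTERN.search(headers)              # generic PCRE, sid 8000174
    if m is None:
        return None
    ua = m.group(0)
    # The fixed-string rules are special cases of the PCRE; in Snort all
    # three alerts would fire on such a request, here we report the narrowest.
    if "MSIE 6.0; Win32);51;" in ua:
        return 8000172
    if "MSIE 8.0; Win32);61;" in ua:
        return 8000173
    return 8000174

# Constructed sample requests (not real captures).
REQ_MSIE6 = (b"GET /index.htm HTTP/1.1\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32);51;abcdef\r\n"
             b"Host: example.invalid\r\n\r\n")
REQ_OTHER_UA = REQ_MSIE6.replace(b"MSIE 6.0; Win32);51;", b"MSIE 7.0; Win32);42;")
REQ_WITH_ACCEPT = REQ_MSIE6.replace(b"Host:", b"Accept: */*\r\nHost:")

if __name__ == "__main__":
    for name, req in [("msie6", REQ_MSIE6), ("other-ua", REQ_OTHER_UA),
                      ("with-accept", REQ_WITH_ACCEPT)]:
        print(name, homam_match(req))
```

Note that an ordinary browser request carrying an `Accept` header never matches, which is what keeps these rules from firing on benign MSIE traffic.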