[Snort-sigs] ThreadKit Documents

John Levy johlevy at sourcefire.com
Tue Jun 5 07:37:38 EDT 2018


Hi Yaser,

Thank you for the additional information and for the four additional
submissions from yesterday. We will review the rules for Nocturnal, Joanap,
Danabot, and Autophyte, and we will get back to you when we are done
evaluating them. Lastly, when you get a chance, could you send over the
pcaps for the three new submissions? Thanks again!

Regards,

John Levy
Cisco Talos

On Mon, Jun 4, 2018 at 4:27 PM, Y M via Snort-sigs <
snort-sigs at lists.snort.org> wrote:

> New hash(es) have been added:
>
> - 819e0e82f2f5c3633e00adef10796da3755620546667da4d4942158536b8fbdf
> - caed167c45c346e5d0014298311c84c393b2fdff4c122ed56b5cac00763635ee
> - a76350c33a56af0bd1b90bc5fb3358cef8cd3eb7b8307760e33d36ea67f18754
>
> The following sid(s) from the original post triggered successfully: 8000077,
> 8000079, 8000084 (rev:2).
>
> The following sid(s) from the original post have been modified: 8000075-
> 8000078, 8000084.
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding TXT
> file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
> content:"61636B61676500"; distance:0; nocase; content:"2E747874";
> within:100; nocase; metadata:ruleset community, service ftp-data, service
> http, service imap, service pop3; classtype:attempted-user; sid:8000075;
> rev:2;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding SCT
> file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
> content:"61636B61676500"; distance:0; nocase; content:"2E736374";
> within:100; nocase; metadata:ruleset community, service ftp-data, service
> http, service imap, service pop3; classtype:attempted-user; sid:8000076;
> rev:2;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding BAT
> file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
> content:"61636B61676500"; distance:0; nocase; content:"2E626174";
> within:100; nocase; metadata:ruleset community, service ftp-data, service
> http, service imap, service pop3; classtype:attempted-user; sid:8000077;
> rev:2;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding EXE
> file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
> content:"61636B61676500"; distance:0; nocase; content:"2E657865";
> within:100; nocase; metadata:ruleset community, service ftp-data, service
> http, service imap, service pop3; classtype:attempted-user; sid:8000078;
> rev:2;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - distinct obj structure";
> flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|object|5C|obj"; content:"|5C|objupdate";
> pcre:"/\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv[\x5c\x0a\x20\x0d]/";
> metadata:ruleset community, service ftp-data, service http, service imap,
> service pop3; classtype:attempted-user; sid:8000084; rev:3;)
>
> Thanks.
> YM
>
>
> ------------------------------
> *From:* Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of Y M
> via Snort-sigs <snort-sigs at lists.snort.org>
> *Sent:* Wednesday, May 30, 2018 10:16 PM
> *To:* O C via Snort-sigs
> *Subject:* Re: [Snort-sigs] ThreadKit Documents
>
> New hash(es) have been added, thanks to the original identifiers.
>
> - 5c526ede8ecd510b985d366b0a9cd8704abc7abdf477b65695016f695d00a1d7
> - db5a46b9d8419079ea8431c9d6f6f55e4f7d36f22eee409bd62d72ea79fb8e72
> - 52be37fca69737ea52edcc4dbb7549fc63bfd017f36a308d08514534b522e4bc
>
> The following sid(s) from the original post triggered successfully: 8000075,
> 8000076, 8000077, 8000078, 8000079, 8000080, 8000081, 8000082.
>
> The following sid(s) from the original post have been modified: 8000084.
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - distinct obj structure";
> flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|object|5C|obj"; content:"|5C|objupdate";
> pcre:"/\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv[\x5c\x0a\x20]/";
> metadata:ruleset community, service ftp-data, service http, service imap,
> service pop3; classtype:attempted-user; sid:8000084; rev:2;)
>
> Pcaps for these should be ready in a minute.
>
> Thanks.
> YM
>
> ------------------------------
> *From:* Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of O C
> via Snort-sigs <snort-sigs at lists.snort.org>
> *Sent:* Tuesday, May 29, 2018 8:37 PM
> *To:* snort-sigs
> *Subject:* [Snort-sigs] ThreadKit Documents
>
> Hi,
>
> The rules below attempt to detect exploit documents generated by
> ThreadKit. While there are rules to detect the exploit attempts, the
> permissiveness of the RTF syntax may result in FN. The sample hashes
> below were worked with and pcaps are available for these. As I stumble upon
> more documents, I will update this thread. I added these under the
> MALWARE-OTHER category since the rules do not look for the exploits, but
> for the documents themselves.
>
> Some of the rules can be grouped using PCRE, but I kept them separate.
> Some of the rules may also seem redundant, but the idea is to capture as
> many variants as possible.
>
> If this sounds like a bad idea, please let me know so I won't waste cycles
> on them.
>
> # --------------------
> # Date: 2018-05-28
> # Title: ThreadKit Documents
> # Tests: pcap
> # Reference: Research
> # Hashes:
> #   - bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c
> #   - af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5
> #   - 8e1c6f44b02e72b1c1c9af0ffdcee0fbe67fb8ee370bc67e4e01ec43f8b92ec9
> #   - 53e8890f0d002d9611675419b3d8d0899b599c59f4557e105211d294bf92f023
> #   - 2bb9d0d8166a8d330cb3c5be6fb60539fe29e05cc3acb4ac7ec3da233fb013ec
>
> # HTTP
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding TXT
> file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
> content:"5061636B61676500"; distance:0; nocase; content:"2E747874";
> within:100; nocase; metadata:ruleset community, service ftp-data, service
> http, service imap, service pop3; classtype:attempted-user; sid:8000075;
> rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding SCT
> file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
> content:"5061636B61676500"; distance:0; nocase; content:"2E736374";
> within:100; nocase; metadata:ruleset community, service ftp-data, service
> http, service imap, service pop3; classtype:attempted-user; sid:8000076;
> rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding BAT
> file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
> content:"5061636B61676500"; distance:0; nocase; content:"2E626174";
> within:100; nocase; metadata:ruleset community, service ftp-data, service
> http, service imap, service pop3; classtype:attempted-user; sid:8000077;
> rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding EXE
> file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
> content:"5061636B61676500"; distance:0; nocase; content:"2E657865";
> within:100; nocase; metadata:ruleset community, service ftp-data, service
> http, service imap, service pop3; classtype:attempted-user; sid:8000078;
> rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - objhtml mmath object obfuscation";
> flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
> content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase;
> metadata:ruleset community, service ftp-data, service http, service imap,
> service pop3; classtype:attempted-user; sid:8000079; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - objhtml mmath object obfuscation
> OLE2Link"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
> content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:50;
> content:"OLE2Link"; within:150; nocase; metadata:ruleset community, service
> ftp-data, service http, service imap, service pop3;
> classtype:attempted-user; sid:8000080; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - objhtml object obfuscation
> OLE2Link"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
> content:"|5C|bin"; within:50; nocase; content:"OLE2Link"; within:150;
> metadata:ruleset community, service ftp-data, service http, service imap,
> service pop3; classtype:attempted-user; sid:8000081; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - objemb mmath object obfuscation";
> flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objemb"; content:"|5C|objupdate"; distance:0;
> content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase;
> metadata:ruleset community, service ftp-data, service http, service imap,
> service pop3; classtype:attempted-user; sid:8000082; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - picture object remote";
> flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"METAFILEPICT"; content:"INCLUDEPICTURE |22|http"; distance:0;
> content:"MZ"; within:200; metadata:ruleset community, service ftp-data,
> service http, service imap, service pop3; classtype:attempted-user;
> sid:8000083; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER ThreadKit document - distinct obj structure";
> flow:to_client,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|object|5C|obj"; content:"|5C|objupdate";
> pcre:"/\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv\x0a\x20/";
> metadata:ruleset community, service ftp-data, service http, service imap,
> service pop3; classtype:attempted-user; sid:8000084; rev:1;)
>
> # SMTP
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
> ThreadKit document - ActiveX Package embedding TXT file";
> flow:to_server,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
> content:"5061636B61676500"; distance:0; nocase; content:"2E747874";
> within:100; nocase; metadata:ruleset community, service ftp-data, service
> http, service imap, service pop3; classtype:attempted-user; sid:8000085;
> rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
> ThreadKit document - ActiveX Package embedding SCT file";
> flow:to_server,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
> content:"5061636B61676500"; distance:0; nocase; content:"2E736374";
> within:100; nocase; metadata:ruleset community, service ftp-data, service
> http, service imap, service pop3; classtype:attempted-user; sid:8000086;
> rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
> ThreadKit document - ActiveX Package embedding BAT file";
> flow:to_server,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
> content:"5061636B61676500"; distance:0; nocase; content:"2E626174";
> within:100; nocase; metadata:ruleset community, service ftp-data, service
> http, service imap, service pop3; classtype:attempted-user; sid:8000087;
> rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
> ThreadKit document - ActiveX Package embedding EXE file";
> flow:to_server,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
> content:"5061636B61676500"; distance:0; nocase; content:"2E657865";
> within:100; nocase; metadata:ruleset community, service ftp-data, service
> http, service imap, service pop3; classtype:attempted-user; sid:8000088;
> rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
> ThreadKit document - objhtml mmath object obfuscation";
> flow:to_server,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
> content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase;
> metadata:ruleset community, service ftp-data, service http, service imap,
> service pop3; classtype:attempted-user; sid:8000089; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
> ThreadKit document - objhtml mmath object obfuscation OLE2Link";
> flow:to_server,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
> content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:50;
> content:"OLE2Link"; within:150; nocase; metadata:ruleset community, service
> ftp-data, service http, service imap, service pop3;
> classtype:attempted-user; sid:8000090; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
> ThreadKit document - objhtml object obfuscation OLE2Link";
> flow:to_server,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
> content:"|5C|bin"; within:50; nocase; content:"OLE2Link"; within:150;
> metadata:ruleset community, service ftp-data, service http, service imap,
> service pop3; classtype:attempted-user; sid:8000091; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
> ThreadKit document - objemb mmath object obfuscation";
> flow:to_server,established; flowbits:isset,file.rtf; file_data;
> content:"|5C|objemb"; content:"|5C|objupdate"; distance:0;
> content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase;
> metadata:ruleset community, service ftp-data, service http, service imap,
> service pop3; classtype:attempted-user; sid:8000092; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
> ThreadKit document - picture object remote"; flow:to_server,established;
> flowbits:isset,file.rtf; file_data; content:"METAFILEPICT";
> content:"INCLUDEPICTURE |22|http"; distance:0; content:"MZ"; within:200;
> metadata:ruleset community, service ftp-data, service http, service imap,
> service pop3; classtype:attempted-user; sid:8000093; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
> ThreadKit document - distinct obj structure"; flow:to_server,established;
> flowbits:isset,file.rtf; file_data; content:"|5C|object|5C|obj";
> content:"|5C|objupdate"; pcre:"/\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv\x0a\x20/";
> metadata:ruleset community, service
> ftp-data, service http, service imap, service pop3;
> classtype:attempted-user; sid:8000094; rev:1;)
>
> Thanks.
> YM
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
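Added example, not part of the thread above and not the submitter's or Talos' code: a file-level re-implementation of the "ActiveX Package embedding ..." heuristic used by sids 8000075-8000078 (\objhtml, then \objdata, then hex-encoded "Package\0", then the hex of a .txt/.sct/.bat/.exe extension within 100 bytes), next to a variant that first strips the whitespace RTF allows inside a hex stream and matches on the decoded bytes. The RTF fragments it scans are constructed here to exercise the logic; they are not samples from the thread, and the OLE Packager blob layout inside them is a placeholder, not the real stream format. It illustrates the FN the original post warns about: a line break inside the hex stream defeats the literal content chain while the normalising check still fires.

```python
"""Added example (not from the Snort-sigs thread): ThreadKit RTF object heuristic.

snort_like_match() mirrors the content chain of sids 8000075-8000078 as a
plain substring search, the way the rule engine sees the bytes.
normalised_match() applies the same heuristic to the decoded objdata stream.
All RTF input below is constructed for this example.
"""
import re

# Hex of "Package\0" (the OLE Packager class name) and of the four extensions
# the rules look for, copied from the content: options in the rules.
PACKAGE_HEX = "5061636B61676500"
EXT_HEX = {"txt": "2E747874", "sct": "2E736374", "bat": "2E626174", "exe": "2E657865"}

# \objdata followed by a run of hex digits and whitespace (RTF permits CR/LF
# and spaces inside hex data; the run ends at the closing brace).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def snort_like_match(data: bytes, ext: str) -> bool:
    """Literal equivalent of: content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
    content:"5061636B61676500"; distance:0; nocase; content:"<ext hex>"; within:100; nocase;"""
    pos = data.find(b"\\objhtml")
    if pos < 0:
        return False
    pos = data.find(b"\\objdata", pos + len(b"\\objhtml"))
    if pos < 0:
        return False
    low = data.lower()  # nocase applies to the hex digits only
    pos = low.find(PACKAGE_HEX.lower().encode(), pos + len(b"\\objdata"))
    if pos < 0:
        return False
    end = pos + len(PACKAGE_HEX)
    # within:100 -> the extension hex must sit entirely inside the next 100 bytes
    return EXT_HEX[ext].lower().encode() in low[end:end + 100]


def normalised_match(data: bytes, ext: str) -> bool:
    """Same heuristic on the decoded objdata bytes, after removing whitespace
    inserted anywhere in the hex stream."""
    html_pos = data.find(b"\\objhtml")
    if html_pos < 0:
        return False
    for m in OBJDATA_RE.finditer(data):
        if m.start() < html_pos:
            continue  # rule requires \objdata after \objhtml
        hexstream = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstream) % 2:
            hexstream = hexstream[:-1]
        try:
            blob = bytes.fromhex(hexstream.decode("ascii"))
        except ValueError:
            continue
        i = blob.find(b"Package\x00")
        # 100 hex characters in the rule's within: is 50 decoded bytes
        if i >= 0 and b"." + ext.encode() in blob[i + len(b"Package\x00"):i + 58]:
            return True
    return False


def scan(data: bytes) -> list:
    """Extensions (in rule order) for which the normalising check fires."""
    return [e for e in ("txt", "sct", "bat", "exe") if normalised_match(data, e)]


def make_sample(ext: str, wrap: int = 0) -> bytes:
    """Constructed RTF fragment with an \objhtml object whose \objdata hex
    encodes a placeholder Packager blob naming payload.<ext>. wrap>0 inserts a
    CRLF every `wrap` hex characters, which an RTF reader tolerates."""
    blob = b"\x01\x05\x00\x00" + b"Package\x00" + b"\x00" * 4 + b"payload." + ext.encode() + b"\x00"
    hexs = blob.hex().upper()
    if wrap:
        hexs = "\r\n".join(hexs[i:i + wrap] for i in range(0, len(hexs), wrap))
    return (b"{\\rtf1{\\object\\objhtml\\objw100\\objh100{\\*\\objdata "
            + hexs.encode("ascii") + b"}}}")


if __name__ == "__main__":
    for wrap in (0, 10):
        doc = make_sample("bat", wrap=wrap)
        print(f"wrap={wrap:2d}  literal={snort_like_match(doc, 'bat')}  "
              f"normalised={normalised_match(doc, 'bat')}  scan={scan(doc)}")
```

With wrap=0 both checks agree; with a CRLF inserted every 10 hex characters the "5061636B61676500" content is no longer contiguous, so the literal chain misses while the decoded-stream check still reports the .bat package. The same splitting applies to every hex content: in the rules, which is why the file-level normalising check is the useful cross-reference when a pcap does not alert.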