[Snort-sigs] Win.Trojan.InvisiMole

Y M snort at outlook.com
Mon Jun 11 15:04:12 EDT 2018


Hi,

A pcap with partial C&C communication is available for the first rule. The second rule is derived from the research reference.

# --------------------
# Date: 2018-06-11
# Title: InvisiMole: surprisingly equipped spyware, undercover since 2013
# Tests: pcap (partial)
# Reference: https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.InvisiMole outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/www/|25|"; fast_pattern:only; content:"/00"; content:!"Accept"; content:!"Referer"; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/cd54a42008631d3e21eb663b71aac0d9cbb3d6d9ca34209a4cc9a278a3b445e0/detection; classtype:trojan-activity; sid:8000118; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.InvisiMole outbound connection"; flow:to_server,established; content:"HIDE"; http_method; content:"/in_U"; fast_pattern:only; content:!"Accept"; content:!"Referer"; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/cd54a42008631d3e21eb663b71aac0d9cbb3d6d9ca34209a4cc9a278a3b445e0/detection; classtype:trojan-activity; sid:8000119; rev:1;)

Thanks.
YM
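The following is an added example, not part of the original post and not code from the ESET research: a small Python harness that emulates the payload-level checks of the two rules above (HTTP method, positive `content:` patterns, negated `content:!` patterns) over constructed HTTP requests, so the pattern logic can be sanity-checked before the rules go into a sensor. The sample requests and the host address are constructed, not captured traffic; Snort's flow tracking, port variables and HTTP buffer normalisation are deliberately not modelled.

```python
"""Emulate the content checks of the two InvisiMole rules above over
constructed HTTP request payloads (added example, not part of the post).

Only the payload-level checks are modelled: the HTTP method, the
positive `content:` patterns and the negated `content:!` patterns.
Snort's flow tracking, port matching and HTTP buffer normalisation are
not reproduced, so this is a pre-deployment sanity check of the pattern
logic, not a substitute for replaying the pcap through Snort.
"""

from dataclasses import dataclass, field


@dataclass
class Rule:
    """Subset of a Snort rule: method, required and forbidden payload strings."""
    sid: int
    method: bytes
    required: list = field(default_factory=list)
    forbidden: list = field(default_factory=list)


# Pattern sets transcribed from the two rules above. `|25|` is Snort's
# hex escape for a single 0x25 byte ('%').
RULES = [
    Rule(sid=8000118, method=b"GET",
         required=[b"/www/%", b"/00"],
         forbidden=[b"Accept", b"Referer"]),
    Rule(sid=8000119, method=b"HIDE",
         required=[b"/in_U"],
         forbidden=[b"Accept", b"Referer"]),
]


def http_method(payload: bytes) -> bytes:
    """Return the request method token, i.e. the bytes before the first space."""
    return payload.split(b" ", 1)[0]


def rule_matches(rule: Rule, payload: bytes) -> bool:
    """True when the method check and every content/negated-content check pass.

    `content:...; http_method;` is a substring match inside the method
    buffer, so the same substring semantics are used here.
    """
    if rule.method not in http_method(payload):
        return False
    if not all(pat in payload for pat in rule.required):
        return False
    return not any(pat in payload for pat in rule.forbidden)


def matching_sids(payload: bytes) -> list:
    """SIDs of all rules whose checks pass for this payload."""
    return [r.sid for r in RULES if rule_matches(r, payload)]


# Constructed sample requests (not captured traffic; 203.0.113.5 is a
# documentation address). The first two are built to satisfy each rule;
# the rest show why the negated contents and the method check matter.
SAMPLES = {
    "beacon_get": b"GET /www/%01/00 HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n",
    "beacon_hide": b"HIDE /in_U HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n",
    # A browser sends an Accept header, so the same path is not alerted on.
    "browser_get": (b"GET /www/%01/00 HTTP/1.1\r\nHost: 203.0.113.5\r\n"
                    b"Accept: */*\r\n\r\n"),
    # Wrong method: the URI content matches but the http_method check fails.
    "post_in_u": b"POST /in_U HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n",
}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:12s} -> {matching_sids(payload)}")
```

One caveat the harness glosses over: in Snort 2.9 a content carrying `fast_pattern:only` is used solely by the fast-pattern prefilter and is not re-evaluated by the detection engine, which is why it cannot take relative modifiers such as `distance` or `within`. The emulation treats it as a plain required substring, which is what the prefilter effectively demands before the rule is evaluated at all.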