[Snort-sigs] Multiple signatures

Y M snort at outlook.com
Wed Jun 27 09:34:13 EDT 2018


Hi,

Below are a set of rules for various detection aggregated in one email. Oddly, I was not able to acquire any of the binaries/payloads, hence, the lack of pcaps. It was just weird. Each set of signatures are separated by "#----". Please let me if this format is not favorable and I will work something out.

# --------------------
# Date: 2018-06-17
# Title: CVE-2017-8570 RTF and the Sisfader RAT
# Tests: syntax only
# Reference: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/
# Confidence: low-
# Notes: Rules are based on assumptions of the custom protocol detailed in the reference

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sisfader RAT outbound connection - Register"; flow:to_server,established; content:"|FF DD EE AA|"; within:4; byte_test:1,=,4,4,relative; content:"|0F 01|"; offset:8; metadata:ruleset community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/; classtype:trojan-activity; sid:8000120; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sisfader RAT outbound connection - Beacon"; flow:to_server,established; content:"|FF DD EE AA|"; within:4; byte_test:1,=,4,4,relative; content:"|F0 E1|"; offset:8; metadata:ruleset community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/; classtype:trojan-activity; sid:8000121; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sisfader RAT outbound connection - Pong"; flow:to_server,established; content:"|FF DD EE AA|"; within:4; byte_test:1,=,4,4,relative; content:"|F0 E3|"; offset:8; metadata:ruleset community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/; classtype:trojan-activity; sid:8000122; rev:1;)

# --------------------
# Date: 2018-06-21
# Title: Kardon Loader Looks for Beta Testers
# Tests: syntax only
# Reference: https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kardon loader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; http_uri; content:"&os="; fast_pattern:only; http_client_body; content:"&pv="; http_client_body; content:"&ip="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/; classtype:trojan-activity; sid:8000123; rev:1;)

# --------------------
# Date: 2018-06-21
# Title: Nigelthorn Malware Abuses Chrome Extensions to Cryptomine and Steal Data
# Tests: syntax only
# Reference: https://blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/
# Confidence: low-

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Nigelthorn browser plugin social media credentials theft attempt"; flow:to_server,established; content:"GET"; http_method; content:"/php3/"; fast_pattern:only; http_uri; content:".php?"; http_uri; content:"u="; http_uri; content:"&p="; http_header; metadata:ruleset community, service http; reference:url,blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/; classtype:trojan-activity; sid:8000124; rev:1;)

# --------------------
# Date: 2018-06-21
# Title: Red Alert v2.0: Misadventures in Reversing Android Bot Malware
# Tests: syntax only
# Reference: https://www.trustwave.com/Resources/SpiderLabs-Blog/Red-Alert-v2-0--Misadventures-in-Reversing-Android-Bot-Malware/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.BankerBot outbound connection"; flow:to_server,established; urilen:=5; content:"POST"; http_method; content:"/stbi"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"Content-Type: application/json"; http_header; content:"eyJ"; within:3; http_client_body; metadata:ruleset community, service http; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Red-Alert-v2-0--Misadventures-in-Reversing-Android-Bot-Malware/; classtype:trojan-activity; sid:8000125; rev:1;)

# --------------------
# Date: 2018-06-22
# Title: RAT Gone Rogue: Meet ARS VBS Loader
# Tests: syntax only
# Reference: https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?os="; http_uri; content:"&user="; http_uri; content:"&av="; http_uri; content:"&fw="; http_uri; content:"&hwid="; http_uri; metadata:ruleset community, service http; reference:url,www.flashpoint-intel.com/blog/meet-ars-vbs-loader/; classtype:trojan-activity; sid:8000126; rev:1;)

# --------------------
# Date: 2018-06-27
# Title: Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation
# Tests: syntax only
# Reference: https://labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/toolbar/"; http_uri; fast_pattern:only; http_uri; content:"User-Agent: wget"; http_header; content:"Referer:"; http_header; content:"/toolbar"; within:50; http_header; content:!"Accept-"; http_headr; content:!"Content-"; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000127; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/entry/"; http_uri; content:"&mac="; fast_pattern:only; http_uri; content:"User-Agent: wget"; http_header; content:"Referer:"; http_header; content:"/entry/"; within:50; http_header; content:!"Accept-"; http_headr; content:!"Content-"; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000128; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/interface/getFile?"; fast_pattern:only; http_uri; content:"User-Agent: wget"; http_header; content:!"Referer:"; http_header; content:"Accept-"; http_headr; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000129; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"User-Agent: SmartService|0D 0A|"; fast_pattern:only; http_header; content:"/getFile?"; http_uri; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000130; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; urilen:>200; content:"/api/"; fast_pattern:only; http_uri; content:"q="; http_uri; content:!"Referer:"; http_header; pcre:"/\/api\/(cpx|ss|lt)\x3fq\x3d/Ui"; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000131; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"User-Agent: BypassUac|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000132; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/report?s="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B WOW64) "; http_header; content:!"Referer:"; http_header; content:"Accept"; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000133; rev:1;)

# --------------------
# Date: 2018-06-27
# Title: RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
# Tests: syntax only
# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf
#     - Dinwod: https://www.virustotal.com/#/file/e94284e487e59b53efab9d4584fca766883b916118c9a8ff59514087555e9a8e/behavior
#     - NetHelp: https://www.virustotal.com/#/file/e8b8e4d8694600116b0d7d6062d8f5b77f25e69e993f13be56399cadf175e512/behavior
#     - SpyGate: https://www.virustotal.com/#/file/30e628bfbf80a8cb432b679fdeaccbe3c0ab7eaee8d0899fba7a16853abf35b9/behavior
# Confidence: low-

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dinwod/NetHelp variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:53.0) Gecko/20100101 Chrome /53.0"; fast_pattern:only; http_header; content:"/index.html"; http_uri; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf; classtype:trojan-activity; sid:8000134; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyGate variant outbound connection"; flow:to_server,established; urilen:<100; content:"/index?"; content:"Accept: */*|0D 0A|Accept-Encoding: gzip, deflate|0D 0A|User-Agent: "; http_header; fast_pattern; content:"Connection: Keep-Alive|0D 0A|"; http_header; content:!"Referer"; http_header; content:!"Content-"; http_header; metadata:ruleset community, service http; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf; classtype:trojan-activity; sid:8000135; rev:1;)

# --------------------
# Date: 2018-06-27
# Title: FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users
# Tests: syntax only
# Reference:
#     - https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/
#     - https://documents.trendmicro.com/assets/appendix-fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.pdf
# Confidence: low-

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andro.Trojan.FakeSpy variant outbound connection"; flow:to_server,established; content:"/jiagu/"; http_uri; content:"/infos"; fast_pattern:only; http_uri; content:" Android "; http_header; metadata:ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/; classtype:trojan-activity; sid:8000136; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andro.Trojan.FakeSpy variant outbound connection"; flow:to_server,established; content:"/servlet/OnLine"; fast_pattern:only; http_uri; content:" Android "; http_header; metadata:ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/; classtype:trojan-activity; sid:8000137; rev:1;)

# --------------------
# Date: 2018-06-27
# Title: FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users
# Tests: syntax only
# Reference:
#     - https://threatvector.cylance.com/en_us/home/threat-spotlight-urlzone-malware-campaigns-targeting-japan.html
#     - https://github.com/arbor/urlzone/blob/master/urlzone.py#L94
#     - https://totalhash.cymru.com/analysis/?110f2b3114ce891b620d84ca1072d7b46880ca02
# Confidence: low-
# Note: Older references show that this is via HTTPS. Newer references show this via HTTP.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.URLZone dropper variant outbound connection"; flow:to_server, established; content:"?tver="; fast_pattern:only; http_uri; content:"&vcmd="; http_uri; content:"&ipcnf="; http_uri; metadata:ruleset community, service http; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-urlzone-malware-campaigns-targeting-japan.html; reference:url,github.com/arbor/urlzone/blob/master/urlzone.py; classtype:trojan-activity; sid:8000138; rev:1;)

Thanks.
YM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180627/498de049/attachment-0001.html>


More information about the Snort-sigs mailing list