[Snort-sigs] Multiple signatures

John Levy johlevy at sourcefire.com
Wed Jun 27 10:54:35 EDT 2018


Hi Yaser,

Thanks for these submissions. We will review each of them and get back to
you when finished. The format used is great, and we were able to easily
parse the different submissions. Thanks again.

Sincerely,

John Levy
Cisco Talos

On Wed, Jun 27, 2018 at 9:34 AM, Y M via Snort-sigs <
snort-sigs at lists.snort.org> wrote:

> Hi,
>
> Below are a set of rules for various detections aggregated in one email. Oddly,
> I was not able to acquire any of the binaries/payloads, hence the lack
> of pcaps. It was just weird. Each set of signatures is separated by
> "#----". Please let me know if this format is not favorable and I will work
> something out.
>
> # --------------------
> # Date: 2018-06-17
> # Title: CVE-2017-8570 RTF and the Sisfader RAT
> # Tests: syntax only
> # Reference: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/
> blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/
> # Confidence: low-
> # Notes: Rules are based on assumptions of the custom protocol detailed in
> the reference
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
> Win.Trojan.Sisfader RAT outbound connection - Register";
> flow:to_server,established; content:"|FF DD EE AA|"; depth:4;
> byte_test:1,=,4,4,relative; content:"|0F 01|"; offset:8; metadata:ruleset
> community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-
> and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/;
> classtype:trojan-activity; sid:8000120; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
> Win.Trojan.Sisfader RAT outbound connection - Beacon";
> flow:to_server,established; content:"|FF DD EE AA|"; depth:4;
> byte_test:1,=,4,4,relative; content:"|F0 E1|"; offset:8; metadata:ruleset
> community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-
> and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/;
> classtype:trojan-activity; sid:8000121; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
> Win.Trojan.Sisfader RAT outbound connection - Pong";
> flow:to_server,established; content:"|FF DD EE AA|"; depth:4;
> byte_test:1,=,4,4,relative; content:"|F0 E3|"; offset:8; metadata:ruleset
> community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-
> and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/;
> classtype:trojan-activity; sid:8000122; rev:1;)
>
> # --------------------
> # Date: 2018-06-21
> # Title: Kardon Loader Looks for Beta Testers
> # Tests: syntax only
> # Reference: https://asert.arbornetworks.com/kardon-loader-looks-for-
> beta-testers/
> # Confidence: low
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Kardon loader outbound connection"; flow:to_server,established;
> content:"POST"; http_method; content:"/gate.php"; http_uri; content:"&os=";
> fast_pattern:only; http_client_body; content:"&pv="; http_client_body;
> content:"&ip="; http_client_body; content:!"User-Agent"; http_header;
> metadata:ruleset community, service http; reference:url,asert.
> arbornetworks.com/kardon-loader-looks-for-beta-testers/;
> classtype:trojan-activity; sid:8000123; rev:1;)
>
> # --------------------
> # Date: 2018-06-21
> # Title: Nigelthorn Malware Abuses Chrome Extensions to Cryptomine and
> Steal Data
> # Tests: syntax only
> # Reference: https://blog.radware.com/security/2018/05/nigelthorn-
> malware-abuses-chrome-extensions/
> # Confidence: low-
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Nigelthorn browser plugin social media credentials theft attempt";
> flow:to_server,established; content:"GET"; http_method; content:"/php3/";
> fast_pattern:only; http_uri; content:".php?"; http_uri; content:"u=";
> http_uri; content:"&p="; http_header; metadata:ruleset community, service
> http; reference:url,blog.radware.com/security/2018/05/
> nigelthorn-malware-abuses-chrome-extensions/; classtype:trojan-activity;
> sid:8000124; rev:1;)
>
> # --------------------
> # Date: 2018-06-21
> # Title: Red Alert v2.0: Misadventures in Reversing Android Bot Malware
> # Tests: syntax only
> # Reference: https://www.trustwave.com/Resources/SpiderLabs-Blog/Red-
> Alert-v2-0--Misadventures-in-Reversing-Android-Bot-Malware/
> # Confidence: low
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Andr.Trojan.BankerBot outbound connection"; flow:to_server,established;
> urilen:5; content:"POST"; http_method; content:"/stbi"; fast_pattern:only;
> http_uri; content:" Android "; http_header;
> content:"Content-Type: application/json"; http_header; content:"eyJ";
> depth:3; http_client_body; metadata:ruleset community, service http;
> reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Red-Alert-v2-0--Misadventures-
> in-Reversing-Android-Bot-Malware/; classtype:trojan-activity;
> sid:8000125; rev:1;)
>
> # --------------------
> # Date: 2018-06-22
> # Title: RAT Gone Rogue: Meet ARS VBS Loader
> # Tests: syntax only
> # Reference: https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/
> # Confidence: low
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.ARS VBS loader outbound connection"; flow:to_server,established;
> content:"POST"; http_method; content:"?os="; http_uri; content:"&user=";
> http_uri; content:"&av="; http_uri; content:"&fw="; http_uri;
> content:"&hwid="; http_uri; metadata:ruleset community, service http;
> reference:url,www.flashpoint-intel.com/blog/meet-ars-vbs-loader/;
> classtype:trojan-activity; sid:8000126; rev:1;)
>
> # --------------------
> # Date: 2018-06-27
> # Title: Six Years and Counting: Inside the Complex Zacinlo Ad Fraud
> Operation
> # Tests: syntax only
> # Reference: https://labs.bitdefender.com/2018/06/six-years-and-
> counting-inside-the-complex-zacinlo-ad-fraud-operation/
> # Confidence: low
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Zacinlo outbound connection"; flow:to_server,established;
> content:"/toolbar/"; fast_pattern:only; http_uri;
> content:"User-Agent: wget"; http_header; content:"Referer:"; http_header;
> content:"/toolbar"; within:50; http_header; content:!"Accept-"; http_header;
> content:!"Content-"; http_header; metadata:ruleset community, service http;
> reference:url,labs.bitdefender.com/2018/06/six-
> years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/;
> classtype:trojan-activity; sid:8000127; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Zacinlo outbound connection"; flow:to_server,established;
> content:"/entry/"; http_uri; content:"&mac="; fast_pattern:only; http_uri;
> content:"User-Agent: wget"; http_header; content:"Referer:"; http_header;
> content:"/entry/"; within:50; http_header; content:!"Accept-"; http_header;
> content:!"Content-"; http_header; metadata:ruleset community, service http;
> reference:url,labs.bitdefender.com/2018/06/six-
> years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/;
> classtype:trojan-activity; sid:8000128; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Zacinlo outbound connection"; flow:to_server,established;
> content:"/interface/getFile?"; fast_pattern:only; http_uri;
> content:"User-Agent: wget"; http_header; content:!"Referer:"; http_header;
> content:"Accept-"; http_header; metadata:ruleset community, service http;
> reference:url,labs.bitdefender.com/2018/06/six-
> years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/;
> classtype:trojan-activity; sid:8000129; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Zacinlo outbound connection"; flow:to_server,established;
> content:"User-Agent: SmartService|0D 0A|"; fast_pattern:only; http_header;
> content:"/getFile?"; http_uri; metadata:ruleset community, service http;
> reference:url,labs.bitdefender.com/2018/06/six-
> years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/;
> classtype:trojan-activity; sid:8000130; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Zacinlo outbound connection"; flow:to_server,established;
> urilen:>200; content:"/api/"; fast_pattern:only; http_uri; content:"q=";
> http_uri; content:!"Referer:"; http_header; pcre:"/\/api\/(cpx|ss|lt)\x3fq\x3d/Ui";
> metadata:ruleset community, service http; reference:url,labs.
> bitdefender.com/2018/06/six-years-and-counting-inside-the-
> complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity;
> sid:8000131; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Zacinlo outbound connection"; flow:to_server,established;
> content:"User-Agent: BypassUac|0D 0A|"; fast_pattern:only; http_header;
> metadata:ruleset community, service http; reference:url,labs.
> bitdefender.com/2018/06/six-years-and-counting-inside-the-
> complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity;
> sid:8000132; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Zacinlo outbound connection"; flow:to_server,established;
> content:"/report?s="; fast_pattern:only; http_uri;
> content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64) "; http_header;
> content:!"Referer:"; http_header; content:"Accept"; http_header;
> metadata:ruleset community, service http;
> reference:url,labs.bitdefender.com/2018/06/six-
> years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/;
> classtype:trojan-activity; sid:8000133; rev:1;)
>
> # --------------------
> # Date: 2018-06-27
> # Title: RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
> # Tests: syntax only
> # Reference: https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf
> #     - Dinwod: https://www.virustotal.com/#/file/
> e94284e487e59b53efab9d4584fca766883b916118c9a8ff59514087555e9a8e/behavior
> #     - NetHelp: https://www.virustotal.com/#/file/
> e8b8e4d8694600116b0d7d6062d8f5b77f25e69e993f13be56399cadf175e512/behavior
> #     - SpyGate: https://www.virustotal.com/#/file/
> 30e628bfbf80a8cb432b679fdeaccbe3c0ab7eaee8d0899fba7a16853abf35b9/behavior
> # Confidence: low-
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Dinwod/NetHelp variant outbound connection";
> flow:to_server,established; content:"POST"; http_method;
> content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:53.0) Gecko/20100101 Chrome /53.0";
> fast_pattern:only; http_header; content:"/index.html"; http_uri;
> content:!"Referer"; http_header; metadata:ruleset community, service http;
> reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf;
> classtype:trojan-activity; sid:8000134; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.SpyGate variant outbound connection";
> flow:to_server,established; urilen:<100; content:"/index?"; http_uri;
> content:"Accept: */*|0D 0A|Accept-Encoding: gzip, deflate|0D 0A|User-Agent: ";
> http_header; fast_pattern; content:"Connection: Keep-Alive|0D 0A|";
> http_header; content:!"Referer"; http_header; content:!"Content-";
> http_header; metadata:ruleset community, service http;
> reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf;
> classtype:trojan-activity; sid:8000135; rev:1;)
>
> # --------------------
> # Date: 2018-06-27
> # Title: FakeSpy Android Information-Stealing Malware Targets Japanese and
> Korean-Speaking Users
> # Tests: syntax only
> # Reference:
> #     - https://blog.trendmicro.com/trendlabs-security-
> intelligence/fakespy-android-information-stealing-malware-
> targets-japanese-and-korean-speaking-users/
> #     - https://documents.trendmicro.com/assets/appendix-fakespy-
> android-information-stealing-malware-targets-japanese-and-
> korean-speaking-users.pdf
> # Confidence: low-
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Andro.Trojan.FakeSpy variant outbound connection";
> flow:to_server,established; content:"/jiagu/"; http_uri; content:"/infos";
> fast_pattern:only; http_uri; content:" Android "; http_header;
> metadata:ruleset community, service http; reference:url,blog.trendmicro.
> com/trendlabs-security-intelligence/fakespy-android-
> information-stealing-malware-targets-japanese-and-korean-speaking-users/;
> classtype:trojan-activity; sid:8000136; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Andro.Trojan.FakeSpy variant outbound connection";
> flow:to_server,established; content:"/servlet/OnLine"; fast_pattern:only;
> http_uri; content:" Android "; http_header; metadata:ruleset community,
> service http; reference:url,blog.trendmicro.com/trendlabs-security-
> intelligence/fakespy-android-information-stealing-malware-
> targets-japanese-and-korean-speaking-users/; classtype:trojan-activity;
> sid:8000137; rev:1;)
>
> # --------------------
> # Date: 2018-06-27
> # Title: FakeSpy Android Information-Stealing Malware Targets Japanese and
> Korean-Speaking Users
> # Tests: syntax only
> # Reference:
> #     - https://threatvector.cylance.com/en_us/home/threat-
> spotlight-urlzone-malware-campaigns-targeting-japan.html
> #     - https://github.com/arbor/urlzone/blob/master/urlzone.py#L94
> #     - https://totalhash.cymru.com/analysis/?
> 110f2b3114ce891b620d84ca1072d7b46880ca02
> # Confidence: low-
> # Note: Older references show that this is via HTTPS. Newer references
> show this via HTTP.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.URLZone dropper variant outbound connection";
> flow:to_server,established; content:"?tver="; fast_pattern:only; http_uri;
> content:"&vcmd="; http_uri; content:"&ipcnf="; http_uri; metadata:ruleset
> community, service http; reference:url,threatvector.
> cylance.com/en_us/home/threat-spotlight-urlzone-malware-
> campaigns-targeting-japan.html; reference:url,github.com/
> arbor/urlzone/blob/master/urlzone.py; classtype:trojan-activity;
> sid:8000138; rev:1;)
>
> Thanks.
> YM
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
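The three Sisfader rules above (sids 8000120-8000122) hinge on three Snort payload primitives: a content anchored at the start of the payload, a byte_test whose offset is relative to the end of that match, and a second content searched from an absolute offset. The following is an added example, written for this page; it is not code from the original post, from NCC Group or from the Snort project. It re-implements just enough of Snort 2.x content-matching semantics to show, on constructed frames, exactly which bytes each option inspects. The framing it assumes (4-byte magic, a 1-byte field tested at a relative offset, a 2-byte opcode) is only what the submitted rules encode, not a verified description of the RAT's protocol, and the sample frames are made up.

```python
"""Evaluator for the Snort payload primitives used by the Sisfader rules.

Added example (not code from the original post, NCC Group or the Snort
project).  Implements content with offset/depth/distance/within and
byte_test with 'relative', mirroring Snort 2.x semantics closely enough
to show where each condition of sids 8000120-8000122 lands in a payload.
"""


class Cursor:
    """Snort's detect-offset-end pointer: where the previous match ended."""

    def __init__(self, payload: bytes):
        self.payload = payload
        self.pos = 0           # end of the previous content match
        self.matched = False   # whether any content has matched yet


def content(cur, pattern, offset=0, depth=None, distance=None, within=None):
    """content keyword.  offset/depth count from the payload start;
    distance/within count from the previous match end.  With no previous
    match the relative modifiers fall back to the payload start."""
    relative = distance is not None or within is not None
    base = cur.pos if (relative and cur.matched) else 0
    start = base + (distance if distance is not None else offset)
    if within is not None:
        end = start + within            # pattern must fit inside the window
    elif depth is not None:
        end = start + depth
    else:
        end = len(cur.payload)
    idx = cur.payload.find(pattern, start, end)
    if idx < 0:
        return False
    cur.pos, cur.matched = idx + len(pattern), True
    return True


def byte_test(cur, nbytes, op, value, offset, relative=False, endian="big"):
    """byte_test keyword: read nbytes at offset (from the previous match end
    if relative, else from the payload start) and compare against value."""
    start = (cur.pos if relative and cur.matched else 0) + offset
    chunk = cur.payload[start:start + nbytes]
    if len(chunk) < nbytes:
        return False
    got = int.from_bytes(chunk, endian)
    return {"=": got == value, "<": got < value, ">": got > value}[op]


MAGIC = b"\xff\xdd\xee\xaa"
# opcode bytes -> message name, as in sids 8000120, 8000121 and 8000122
OPCODES = {b"\x0f\x01": "Register", b"\xf0\xe1": "Beacon", b"\xf0\xe3": "Pong"}


def sisfader_message(payload: bytes):
    """Return the name of the submitted rule whose options the payload
    satisfies, or None.  Mirrors the rule bodies option by option."""
    for opcode, name in OPCODES.items():
        cur = Cursor(payload)
        if not content(cur, MAGIC, depth=4):            # magic at payload start
            return None
        # relative: 4 bytes past the end of the magic, i.e. payload byte 8
        if not byte_test(cur, 1, "=", 4, 4, relative=True):
            return None
        if content(cur, opcode, offset=8):              # opcode at or after byte 8
            return name
    return None


def build_frame(opcode: bytes, body: bytes = b"") -> bytes:
    """Constructed frame laid out to satisfy the rules as written:
    magic | 4 bytes | 0x04 at byte 8 | opcode | body.  Sample data only,
    not a captured Sisfader message."""
    return MAGIC + b"\x00\x00\x00\x00" + b"\x04" + opcode + body


if __name__ == "__main__":
    for op in OPCODES:
        print(op.hex(), "->", sisfader_message(build_frame(op)))
    # magic shifted by one byte: depth:4 no longer covers it
    print("shifted ->", sisfader_message(b"\x00" + build_frame(b"\x0f\x01")))
    # value 4 at byte 4 rather than byte 8: the relative byte_test fails
    print("byte 4 ->", sisfader_message(MAGIC + b"\x04\x00\x00\x00\x00\x0f\x01"))
```

The two negative cases at the bottom are the checks worth running against a real capture before trusting the rules: because the byte_test is relative, it reads payload byte 8, not byte 4, and the opcode content is an unanchored search from byte 8 onward, so a frame whose length or type field sits at byte 4 would never match.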
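The HTTP rules in the submission, for instance the Kardon loader rule (sid 8000123) and the ARS VBS loader rule (sid 8000126), express each condition against one of Snort's HTTP buffers: http_method, http_uri, http_header and http_client_body, with a negated content ("content:!") used to require that no User-Agent header be present. The following is an added example, written for this page and not code from the original post, from Arbor/ASERT or Flashpoint, or from the Snort project. It splits a raw request into those four buffers and evaluates the two rules' content options against constructed requests, including a request that differs only by carrying a User-Agent header. The http_header buffer is approximated as everything after the request line, and fast_pattern is ignored since it only selects which pattern feeds the multi-pattern matcher; the sample requests are made up, not captured traffic.

```python
"""Evaluate the HTTP-buffer conditions of the Kardon (sid 8000123) and
ARS VBS loader (sid 8000126) rules against raw requests.

Added example, not code from the original post, Arbor/ASERT, Flashpoint or
the Snort project.  Buffers are approximated: http_header is everything
after the request line, http_client_body is everything after the blank
line.  Content matching is case-sensitive, as Snort's is without nocase.
"""
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: bytes   # http_method buffer
    uri: bytes      # http_uri buffer (raw, not normalized)
    header: bytes   # http_header buffer
    body: bytes     # http_client_body buffer


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw request into the four buffers the rules address."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return HttpRequest(method, uri, headers, body)


# Each option as (buffer, pattern, negated), in the order the rule lists them.
KARDON_8000123 = [
    ("method", b"POST", False),
    ("uri", b"/gate.php", False),
    ("body", b"&os=", False),
    ("body", b"&pv=", False),
    ("body", b"&ip=", False),
    ("header", b"User-Agent", True),    # content:!"User-Agent"; http_header
]
ARS_VBS_8000126 = [
    ("method", b"POST", False),
    ("uri", b"?os=", False),
    ("uri", b"&user=", False),
    ("uri", b"&av=", False),
    ("uri", b"&fw=", False),
    ("uri", b"&hwid=", False),
]
RULES = {8000123: KARDON_8000123, 8000126: ARS_VBS_8000126}


def matches(rule, req: HttpRequest) -> bool:
    """All options must hold; a negated option holds when the pattern is absent."""
    for buf, pattern, negated in rule:
        if (pattern in getattr(req, buf)) == negated:
            return False
    return True


def matching_sids(raw: bytes):
    """Return the sids whose options the raw request satisfies."""
    req = parse_request(raw)
    return [sid for sid, rule in RULES.items() if matches(rule, req)]


# Constructed sample requests (made up for this example, not captured traffic).
KARDON_POST = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"id=0001&os=Windows 7&pv=1&ip=192.0.2.10"
)
# Same check-in, but sent by something that sets a User-Agent: the negated
# header option turns the match off.
BROWSER_POST = KARDON_POST.replace(
    b"Host: c2.example.invalid\r\n",
    b"Host: c2.example.invalid\r\nUser-Agent: Mozilla/5.0\r\n",
)
ARS_POST = (
    b"POST /index.php?os=Win10&user=alice&av=none&fw=on&hwid=ABC123 HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
GET_GATE = b"GET /gate.php?x=1 HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("kardon", KARDON_POST), ("browser", BROWSER_POST),
                       ("ars", ARS_POST), ("get", GET_GATE)]:
        print(label, "->", matching_sids(raw))
```

Feeding a rule's options through an evaluator like this, with a benign request that shares most of the indicators, is a cheap way to see how much of the match rests on a single negated header or on key order in the body before the rule goes near production traffic.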