[Snort-sigs] Backdoor OSCelestial RAT

Phillip Lee phillile at sourcefire.com
Thu Mar 22 10:17:15 EDT 2018


Dear Yaser,

This rule has been reviewed and added to the community ruleset (SID: 45979-45980). Modifications were made to include the first three bytes prior to the Java class name, since these represent the data type and length of the following Java class names.

Submitted Rules:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection"; flow:to_server,established; content:"|72 00 17|com.net.LoginDataPacket"; fast_pattern:only; content:"|74 00 13|Lcom/net/LoginData"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:45979; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection"; flow:to_client,established; content:"|74 00 29|net.oscp.client.keylogger.KeystrokeLogger"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:45980; rev:1;)

Thank you for your contribution.  

Sincerely,
Phil Lee
Cisco Talos
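As an added illustration (not part of this thread or of the Talos rules), the Python below expands Snort content syntax into bytes and checks that the tag byte and two-byte length the revised rules prepend to each class name agree with Java serialization framing, then applies the two content matches of SID 45979 to a constructed sample stream (not a real capture).

```python
import struct

# Type-code tags from the Java Object Serialization Stream protocol
# (java.io.ObjectStreamConstants). TC_CLASSDESC precedes a class name and
# TC_STRING a type string; each is followed by a big-endian u16 length and bytes.
TC_TAGS = {0x70: "TC_NULL", 0x72: "TC_CLASSDESC", 0x73: "TC_OBJECT", 0x74: "TC_STRING"}

def snort_content_to_bytes(content: str) -> bytes:
    """Expand Snort content syntax: text outside |..| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2:                                  # odd segments sit between pipes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def check_java_framing(content: str) -> dict:
    """Check the leading tag byte and u16 length against the literal that follows.

    The declared length must cover the literal and may exceed it, since a rule
    can match a prefix: |74 00 13|Lcom/net/LoginData omits the ';' that closes
    the 19-byte field descriptor.
    """
    data = snort_content_to_bytes(content)
    tag = data[0]
    (declared,) = struct.unpack(">H", data[1:3])
    literal = data[3:]
    return {"tag": TC_TAGS.get(tag, "unknown"), "declared": declared,
            "literal": len(literal),
            "consistent": tag in TC_TAGS and declared >= len(literal)}

def java_utf(s: str) -> bytes:
    """Encode a string as ObjectOutputStream.writeUTF does (u16 length + bytes)."""
    return struct.pack(">H", len(s)) + s.encode("utf-8")

# Constructed sample, not a capture: the head of a Java serialized stream whose
# top-level object is com.net.LoginDataPacket with one field typed com.net.LoginData.
SAMPLE = (b"\xac\xed\x00\x05"                              # STREAM_MAGIC, STREAM_VERSION
          + b"\x73\x72" + java_utf("com.net.LoginDataPacket")   # TC_OBJECT, TC_CLASSDESC
          + b"\x00" * 8 + b"\x02" + b"\x00\x01"            # dummy UID, SC_SERIALIZABLE, 1 field
          + b"L" + java_utf("data") + b"\x74" + java_utf("Lcom/net/LoginData;"))

def matches_sid_45979(payload: bytes) -> bool:
    """Apply the two content matches of SID 45979: first exact, second with nocase."""
    first = snort_content_to_bytes("|72 00 17|com.net.LoginDataPacket")
    second = snort_content_to_bytes("|74 00 13|Lcom/net/LoginData")
    return first in payload and second.lower() in payload.lower()
```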


> On Mar 6, 2017, at 3:17 PM, Tyler Montier <tmontier at sourcefire.com> wrote:
> 
> Yaser,
> 
> Thanks for your submission. We will review the rules and get back to you when they're finished.
> 
> Since you have pcaps available, can you send them my way?
> 
> Sincerely,
> 
> Tyler Montier
> Cisco Talos
> 
> On Mon, Mar 6, 2017 at 6:06 AM, Y M <snort at outlook.com> wrote:
> Hello,
> 
> 
> The below rules are for the OSCelestial RAT. I left the OS (Win, Osx, etc.) at the beginning of the rules' messages since the sample in question seems to be targeting multiple OSes. The sample was successfully tested on Windows, OS X, and Linux (Ubuntu). Other OSes were not tested. 
> 
> 
> The last rule may be overkill, but the pattern was too obvious to leave out. Pcap is available.
> 
> 
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant outbound connection"; flow:to_server,established; content:"|70 73 72 00|"; content:"|17|com.net.LoginDataPacket"; distance:0; within:24; metadata:ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:1000867; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant outbound connection"; flow:to_server,established; content:"|70 73 72 00|"; content:"|11|com.net.LoginData"; distance:0; within:18; content:"|0E|identification"; content:"|08|maccaddr"; distance:7; within:9; content:"|0F|operatingsystem"; distance:7; within:16; content:"|06|pcname"; distance:7; within:7; content:"|08|username"; distance:7; within:9; content:"|07|version"; distance:7; within:8; metadata:ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:1000868; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Backdoor.OSCelestial variant inbound connection"; flow:to_client,established; dsize:>800; content:"|1B|com.net.DynamicPluginPacket"; fast_pattern:only; content:"|00 14|com.oscp.client.HRDP"; content:"|00 26|net.oscp.client.networking.OpenWebsite"; content:"|00 28|"; distance:1; content:".UploadExecute"; distance:25; within:15; content:"|00 27|"; distance:1; content:".ReverseProxy"; distance:25; within:14; content:"|00 2A|"; distance:1; content:".DownloadExecute"; distance:25; within:17; content:"|00 29|"; distance:1; content:".KeystrokeLogger"; distance:24; within:17; content:"|00 27|"; distance:1; content:".JarInjector"; distance:26; within:13; content:"|00 2B|"; distance:1; content:".JarInjectUpload"; distance:26; within:17; content:"|00 21|"; distance:1; content:".Explorer"; distance:24; within:10; content:"|00 25|"; distance:1; content:".RemoteChat"; distance:25; within:12; content:"|00 25|"; distance:1; content:".MessageBox"; distance:25; within:12; content:"|00 23|"; distance:1; content:".DesktopView"; distance:22; within:13; content:"|00 29|"; distance:1; content:".PasswordRecovery"; distance:23; within:18; content:"|00 21|"; distance:1; content:".WebcamView"; distance:21; within:12; content:"|00 27|"; content:".Terminal"; distance:23; within:10; metadata:ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:1000869; rev:1;)
> 
> 
> Thank you.
> 
> YM
> 
> 
