[Snort-sigs] Win.Trojan.RedLeaves variant

Y M snort at outlook.com
Tue May 1 14:17:31 EDT 2018


Hi,

The signature below attempts to detect a variant of RedLeaves. A pcap is available. There are subtle differences between the HTTP request in the pcap and its details in the research. The signature attempts to accommodate both. The HTTP body can be expressed in pcre, but then either it would lose detection of almost half the requests or the pcre becomes unnecessary, I guess.

# Title: Hogfish RedLeaves Campaign
# Tests: pcaps
# Reference: https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf, https://www.virustotal.com/#/file/f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b/detection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-CNC Win.Trojan.RedLeaves variant outbound connection"; \
    flow:to_server,established; \
    urilen:<20; \
    content:"POST"; http_method; \
    content:"Connection: Keep-Alive|0D 0A|Accept: */*|0D 0A|"; http_header; \
    content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| WOW64|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| .NET4.0C|3B| .NET4.0E)|0D 0A|Content-Length"; http_header; \
    content:"/index.php"; http_uri; \
    content:!"Content-Type"; http_header; \
    content:!"Referer"; http_header; \
    content:!"Accept-"; http_header; \
    metadata:ruleset community, service http; \
    reference:url,www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf; \
    reference:url,www.virustotal.com/#/file/f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b/detection; \
    classtype:trojan-activity; sid:8000038; rev:1; \
)

Thanks.
YM

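As an added illustration (not part of the original post, and not the poster's or Talos's code), the following Python models what the rule's options require of a single HTTP request and runs that model over a handful of constructed sample requests; the samples are made up for the example and are not taken from the pcap. It mirrors the rule's case-sensitive content matches, the header-order dependency created by the two multi-header content strings (`Connection` immediately followed by `Accept`, `User-Agent` immediately followed by `Content-Length`), and the negated `Content-Type`/`Referer`/`Accept-` checks. It does not model Snort's HTTP normalization or its cookie handling, so it is a reading aid for the rule, not a substitute for testing against the pcap.

```python
"""Model of the RedLeaves Snort rule's per-request conditions (illustrative only)."""

# User-Agent string from the rule, with the |3B| escapes rendered as ';'.
RULE_UA = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; "
    "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    ".NET4.0C; .NET4.0E)"
)


def build_request(method, uri, headers, body=b""):
    """Assemble a raw HTTP/1.1 request; header order is preserved on purpose."""
    lines = [f"{method} {uri} HTTP/1.1".encode()]
    lines += [name.encode() + b": " + value.encode() for name, value in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def split_request(raw):
    """Return (method, uri, header_block, body) roughly as Snort's buffers see them."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    # Keep a CRLF after every header line, as the rule's content strings expect.
    return method, uri, headers + b"\r\n", body


def evaluate_rule(raw):
    """Evaluate each rule option; returns {option: bool}. Matching is case-sensitive like Snort content."""
    method, uri, headers, _body = split_request(raw)
    ua_then_length = b"User-Agent: " + RULE_UA.encode() + b"\r\nContent-Length"
    return {
        "http_method POST": method == b"POST",
        "urilen:<20": len(uri) < 20,
        "http_uri /index.php": b"/index.php" in uri,
        "Connection then Accept": b"Connection: Keep-Alive\r\nAccept: */*\r\n" in headers,
        "User-Agent then Content-Length": ua_then_length in headers,
        "!Content-Type": b"Content-Type" not in headers,
        "!Referer": b"Referer" not in headers,
        "!Accept-": b"Accept-" not in headers,
    }


def rule_matches(raw):
    """True only when every option of the rule is satisfied."""
    return all(evaluate_rule(raw).values())


# Constructed samples (hypothetical; not the pcap). Header order matters to the rule.
BASE_HEADERS = [
    ("Connection", "Keep-Alive"),
    ("Accept", "*/*"),
    ("User-Agent", RULE_UA),
    ("Content-Length", "4"),
    ("Host", "192.0.2.10"),
]

SAMPLES = {
    # Shape the rule is written for: fires.
    "beacon": build_request("POST", "/index.php", BASE_HEADERS, b"abcd"),
    # Same request with the Accept/Connection order swapped: the two-header content fails.
    "reordered": build_request("POST", "/index.php",
                               [BASE_HEADERS[1], BASE_HEADERS[0]] + BASE_HEADERS[2:], b"abcd"),
    # An Accept-Encoding header trips the negated "Accept-" content.
    "accept_encoding": build_request("POST", "/index.php",
                                     BASE_HEADERS + [("Accept-Encoding", "gzip")], b"abcd"),
    # A Content-Type header trips the negated "Content-Type" content.
    "content_type": build_request("POST", "/index.php",
                                  BASE_HEADERS + [("Content-Type", "application/octet-stream")], b"abcd"),
    # Query string pushes the URI past urilen:<20.
    "long_uri": build_request("POST", "/index.php?session=0123456789abcdef", BASE_HEADERS, b"abcd"),
    # GET instead of POST.
    "get": build_request("GET", "/index.php", BASE_HEADERS),
}


def failing_options(raw):
    """Names of the rule options a request does not satisfy (empty when the rule fires)."""
    return [name for name, ok in evaluate_rule(raw).items() if not ok]


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:16s} fires={rule_matches(req)!s:5s} failing={failing_options(req)}")
```

Two properties of the rule stand out when run this way: the two multi-header content strings make it order-sensitive, so a client that emits the same headers in a different order will not fire it, and the negated `Accept-` match means any `Accept-Encoding` or `Accept-Language` header suppresses the alert. Both are exactly what the rule says; whether they are desirable depends on how consistent the header layout in the pcap is.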