[Snort-sigs] Andr.Trojan.ZooPark family

Y M snort at outlook.com
Mon May 7 12:42:57 EDT 2018


Hi,

The rules below are driven by the report in the reference. The signatures should trigger on v1.0 - v3.0 variants. I couldn't locate the v4.0 samples, but my understanding is that it should be similar. No pcaps available.

# --------------------
# Date: 2018-05-06
# Title: Who's Who in the Zoo - Cyberespionage Operation Targets Android Users in the Middle East
# Tests: syntax only
# Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0/v2.0 outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/get/index.php?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"&user="; http_uri; content:"&pass="; http_uri; content:"&data="; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/detection; classtype:trojan-activity; sid:8000042; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0 outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/sv/sv.php"; fast_pattern:only; http_uri; content:"id"; http_client_body; content:"data"; http_client_body; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/detection; classtype:trojan-activity; sid:8000043; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0 outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?set=show"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/detection; classtype:trojan-activity; sid:8000044; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php?key="; fast_pattern:only; http_uri; pcre:"/\/(get|save)\.php\x3fkey\x3d.*(\x26id\x3d[0-9]{15})?$/U"; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/59ece87dfa254ba8d47503e069e5e2cb99e22140e9a2e6e56d382a6427171889/detection; reference:url,virustotal.com/#/file/d7da061b55d24a54988a3fca60009da907d14c2bcd32f2e53ef13bd8085b96cc/detection; reference:url,www.virustotal.com/#/file/7a7eee78dfffa5974a2da9bdd3337fb16e5e1d658cbe5284ef352114ef446f6a/detection; classtype:trojan-activity; sid:8000045; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark v3.0 outbound connection"; flow:to_server,established; content:"/spyMobile/upload.php?"; fast_pattern:only; http_uri; content:"imei="; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,koodous.com/apks/91659d5f35a8fea1c98f3ea32bcdd71a222f11095de680eb635ec8210fb5dc04/analysis; classtype:trojan-activity; sid:8000046; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark v3.0 outbound connection"; flow:to_server,established; content:"/spyMobile/api_"; fast_pattern:only; http_uri; content:".php"; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,koodous.com/apks/91659d5f35a8fea1c98f3ea32bcdd71a222f11095de680eb635ec8210fb5dc04/analysis; classtype:trojan-activity; sid:8000047; rev:1;)

Thanks.
YM
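Since the rules above were only syntax-checked and no pcaps were available, the following harness is an added example (not part of the original post, and not Snort) that approximates the http_method, http_uri, http_client_body and pcre /U constraints of sids 8000042-8000047 and runs them over constructed HTTP requests. The hostnames, parameter values and the api_contacts.php script name are invented for illustration; the URI paths and parameter names come from the rule content. Snort content options without distance/within are independent substring searches, so each rule is modelled as "all substrings present" with no ordering, and no URI normalisation, flow state or port matching is modelled.

```python
import re

# Approximation of the http_method / http_uri / http_client_body / pcre (/U)
# checks in the posted rules. Each rule is modelled as: method equals the
# http_method content (None = no method check), every http_uri content is a
# substring of the URI, the pcre matches the URI, and every http_client_body
# content is a substring of the body.
RULES = [
    # sid, method, http_uri substrings, pcre on the URI (Python syntax), body substrings
    (8000042, "GET",  ["/get/index.php?", "id=", "&user=", "&pass=", "&data="], None, []),
    (8000043, "POST", ["/sv/sv.php"], None, ["id", "data"]),
    (8000044, "GET",  ["/index.php?set=show"], None, []),
    # Original pcre uses \x3f ('?'), \x3d ('=') and \x26 ('&') escapes.
    (8000045, "POST", [".php?key="], r"/(get|save)\.php\?key=.*(&id=[0-9]{15})?$", []),
    (8000046, None,   ["/spyMobile/upload.php?", "imei="], None, []),
    (8000047, None,   ["/spyMobile/api_", ".php"], None, []),
]

# Constructed requests for exercising the rules; not captured ZooPark traffic.
# Host names, parameter values and "api_contacts.php" are invented.
SAMPLES = {
    "piom_v1_get": "GET /get/index.php?id=1&user=u&pass=p&data=ZGF0YQ== HTTP/1.1\r\n"
                   "Host: c2.example.invalid\r\n\r\n",
    "piom_v1_post": "POST /sv/sv.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
                    "Content-Length: 13\r\n\r\nid=1&data=xyz",
    "zoopark_save": "POST /save.php?key=k1&id=123456789012345 HTTP/1.1\r\n"
                    "Host: c2.example.invalid\r\n\r\n",
    # No &id=<15 digits> tail: shows the optional group in sid 8000045 is not a constraint.
    "zoopark_get_no_id": "POST /get.php?key=k1&x=1 HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n",
    "v3_upload": "GET /spyMobile/upload.php?imei=123456789012345 HTTP/1.1\r\n"
                 "Host: c2.example.invalid\r\n\r\n",
    "v3_api": "GET /spyMobile/api_contacts.php HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n",
    # Same path as the v1/v2 beacon but lacking &user=/&pass=/&data=; must not fire.
    "benign": "GET /get/index.php?id=42 HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, uri, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, uri, _version = head.split("\r\n", 1)[0].split(" ", 2)
    return method, uri, body


def matching_sids(raw):
    """Return the sids whose modelled constraints all hold for one request."""
    method, uri, body = parse_request(raw)
    hits = []
    for sid, want_method, uri_parts, uri_re, body_parts in RULES:
        if want_method is not None and method != want_method:
            continue
        if not all(part in uri for part in uri_parts):
            continue
        if uri_re is not None and re.search(uri_re, uri) is None:
            continue
        if not all(part in body for part in body_parts):
            continue
        hits.append(sid)
    return hits


def run_all():
    """Evaluate every constructed sample; maps sample name to the sids that fire."""
    return {name: matching_sids(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in run_all().items():
        print(f"{name:20s} -> {sids or 'no alert'}")
```

One thing the harness makes visible: the zoopark_get_no_id sample fires sid 8000045 even though it carries no `&id=<15 digits>` tail, because `.*` already consumes the rest of the URI and the group is optional, so the pcre only ever requires `/(get|save).php?key=`. If the id tail was meant to be a constraint, the `?` after the group would have to go and `.*` be narrowed (for example to `[^&]*`); if it was meant as documentation only, the rule behaves as intended.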