[Snort-sigs] Andr.Trojan.ZooPark family

Phillip Lee phillile at sourcefire.com
Mon May 7 13:29:38 EDT 2018


Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. 

Regards,
Phil Lee
Cisco Talos

> On May 7, 2018, at 12:42 PM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:
> 
> Hi,
> 
> The below rules are driven by the report from the reference. The signatures should trigger on v1.0 - v3.0 variants. I couldn't locate the v4.0 samples, but my understanding is that they should be similar. No pcaps available.
> 
> # --------------------
> # Date: 2018-05-06
> # Title: Who's Who in the Zoo - Cyberespionage Operation Targets Android Users in the Middle East
> # Tests: syntax only
> # Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0/v2.0 outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/get/index.php?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"&user="; http_uri; content:"&pass="; http_uri; content:"&data="; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/detection; classtype:trojan-activity; sid:8000042; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0 outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/sv/sv.php"; fast_pattern:only; http_uri; content:"id"; http_client_body; content:"data"; http_client_body; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/detection; classtype:trojan-activity; sid:8000043; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Piom v1.0 outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?set=show"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/detection; classtype:trojan-activity; sid:8000044; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php?key="; fast_pattern:only; http_uri; pcre:"/\/(get|save)\.php\x3fkey\x3d.*(\x26id\x3d[0-9]{15})?$/U"; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,www.virustotal.com/#/file/59ece87dfa254ba8d47503e069e5e2cb99e22140e9a2e6e56d382a6427171889/detection; reference:url,virustotal.com/#/file/d7da061b55d24a54988a3fca60009da907d14c2bcd32f2e53ef13bd8085b96cc/detection; reference:url,www.virustotal.com/#/file/7a7eee78dfffa5974a2da9bdd3337fb16e5e1d658cbe5284ef352114ef446f6a/detection; classtype:trojan-activity; sid:8000045; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark v3.0 outbound connection"; flow:to_server,established; content:"/spyMobile/upload.php?"; fast_pattern:only; http_uri; content:"imei="; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,koodous.com/apks/91659d5f35a8fea1c98f3ea32bcdd71a222f11095de680eb635ec8210fb5dc04/analysis; classtype:trojan-activity; sid:8000046; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark v3.0 outbound connection"; flow:to_server,established; content:"/spyMobile/api_"; fast_pattern:only; http_uri; content:".php"; http_uri; metadata:ruleset community, service http; reference:url,media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf; reference:url,koodous.com/apks/91659d5f35a8fea1c98f3ea32bcdd71a222f11095de680eb635ec8210fb5dc04/analysis; classtype:trojan-activity; sid:8000047; rev:1;)
> 
> Thanks.
> YM
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
> 
> Please visit http://blog.snort.org for the latest news about Snort!
> 
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
> 
> Visit Snort.org (https://snort.org/downloads/#rule-downloads) to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats!
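The submission above was checked for syntax only, with no pcaps to confirm what each rule actually fires on. The script below is an added example written for this archive page; it is not the submitter's code and not Talos's review tooling. It parses the `content`/`http_*` and `pcre` options of two of the submitted rules (sid 8000042 and sid 8000045, copied with their `reference:` and `metadata:` options dropped) and runs the matchers against constructed HTTP requests, so a reviewer can confirm that each `msg` describes what the matchers require before a real sample is available. It assumes a simplified Snort 2.9 option grammar (no escaped quotes inside values) and matches the raw request-line URI rather than Snort's normalized `http_uri` buffer; all request samples are constructed, not captures.

```python
import re
from dataclasses import dataclass

# Two rules from the submission, with reference:/metadata: options removed
# (the matcher below ignores those anyway).
RULE_8000042 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"MALWARE-CNC Andr.Trojan.Piom v1.0/v2.0 outbound connection"; '
    'flow:to_server,established; content:"GET"; http_method; '
    'content:"/get/index.php?"; fast_pattern:only; http_uri; '
    'content:"id="; http_uri; content:"&user="; http_uri; '
    'content:"&pass="; http_uri; content:"&data="; http_uri; '
    'classtype:trojan-activity; sid:8000042; rev:1;)'
)
RULE_8000045 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection"; '
    'flow:to_server,established; content:"POST"; http_method; '
    'content:".php?key="; fast_pattern:only; http_uri; '
    r'pcre:"/\/(get|save)\.php\x3fkey\x3d.*(\x26id\x3d[0-9]{15})?$/U"; '
    'classtype:trojan-activity; sid:8000045; rev:1;)'
)

# Snort 2.9 modifiers that bind the preceding content: to an HTTP buffer.
BUFFER_MODIFIERS = {"http_uri": "uri", "http_method": "method", "http_client_body": "body"}
# pcre trailing flags that select a buffer; without one, match the raw request.
PCRE_BUFFER_FLAGS = {"U": "uri", "M": "method", "P": "body"}


@dataclass
class HttpRule:
    msg: str
    sid: int
    contents: list   # [(literal, buffer), ...] in rule order
    pcres: list      # [(compiled regex, buffer), ...]


def split_options(option_text):
    """Split the rule body on ';' while respecting double-quoted values."""
    parts, current, in_quotes = [], [], False
    for ch in option_text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(rule_text):
    """Extract msg, sid and the content/pcre matchers (with buffers) from one rule."""
    _header, _, body = rule_text.partition("(")
    body = body.rstrip().rstrip(")")
    msg, sid, contents, pcres = "", 0, [], []
    for option in split_options(body):
        name, _, value = option.partition(":")
        if name == "msg":
            msg = value.strip('"')
        elif name == "sid":
            sid = int(value)
        elif name == "content":
            contents.append([value.strip('"'), "raw"])  # buffer set by a following modifier
        elif name in BUFFER_MODIFIERS and contents:
            contents[-1][1] = BUFFER_MODIFIERS[name]
        elif name == "pcre":
            pattern, _, flags = value.strip('"')[1:].rpartition("/")
            buffer = next((PCRE_BUFFER_FLAGS[f] for f in flags if f in PCRE_BUFFER_FLAGS), "raw")
            pcres.append((re.compile(pattern, re.I if "i" in flags else 0), buffer))
    return HttpRule(msg, sid, [tuple(c) for c in contents], pcres)


def request_buffers(raw_request):
    """Split a plain HTTP/1.1 request into the buffers the rule modifiers name.
    Snort normalizes the URI before http_uri matching; this toy uses the raw URI."""
    head, _, body = raw_request.partition("\r\n\r\n")
    method, uri, _version = head.split("\r\n", 1)[0].split(" ", 2)
    return {"method": method, "uri": uri, "body": body, "raw": raw_request}


def rule_matches(rule, raw_request):
    """All content: literals and all pcre: patterns must hit in their buffers."""
    buffers = request_buffers(raw_request)
    if not all(literal in buffers[buf] for literal, buf in rule.contents):
        return False
    return all(rx.search(buffers[buf]) for rx, buf in rule.pcres)


RULES = [parse_rule(RULE_8000042), parse_rule(RULE_8000045)]


def matching_sids(raw_request, rules=RULES):
    return sorted(r.sid for r in rules if rule_matches(r, raw_request))


# Constructed sample requests (no pcaps accompanied the submission).
PIOM_BEACON = ("GET /get/index.php?id=111222333444555&user=alice&pass=secret&data=ZGF0YQ== HTTP/1.1\r\n"
               "Host: c2.example.invalid\r\n\r\n")
PIOM_PARTIAL = "GET /get/index.php?id=111222333444555 HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
ZOOPARK_UPLOAD = ("POST /save.php?key=abc123&id=123456789012345 HTTP/1.1\r\n"
                  "Host: c2.example.invalid\r\nContent-Length: 4\r\n\r\nblob")
ZOOPARK_LOOKALIKE = "POST /other.php?key=abc123 HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("beacon", PIOM_BEACON), ("partial", PIOM_PARTIAL),
                       ("upload", ZOOPARK_UPLOAD), ("lookalike", ZOOPARK_LOOKALIKE)]:
        print(label, matching_sids(req))
```

The lookalike case shows why sid 8000045 carries a `pcre` alongside the `.php?key=` fast pattern: the literal alone matches any `*.php?key=` request, and it is the regex that restricts hits to `/get.php` and `/save.php` paths. Running the other four rules through the same parser only needs their text added to `RULES`.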
