[Snort-sigs] Multiple signatures 015

Y M snort at outlook.com
Wed Oct 3 13:35:53 EDT 2018


Hi,

Hope all is well. Pcaps and ClamAV/Yara signatures are available for some of the cases.

Thank you.
YM

# --------------------
# Date: 2018-09-19
# Title: Osx.Trojan.AMCleaner/AutoFixer
# Reference: Research
# Tests: pcap + sandbox
# Hashes:
#    - ff274bc19a82b09d5d7b841bcc90859e7eb7ebffb1c9ef8c258a534736d00070
#    - d8647dfb73ad636c7c1a743754b47ff1824c11cfef040104efabca92715ffcff
#    - 444d85360e6cf24b9808bab627b69cbdc82dc6d6471e1785e4046d355cee1ad2
#    - cf00d0789911e58cf1d6fcdb1da64dfe7b0b91c1737b6ad0369a9a968dab214a
# Note:
#    - TechyUtils Software Private Limited have been busy:
#      https://www.virustotal.com/#/ip-address/64.185.181.238
#    - C&C IP address hosts APKs and EXEs which also communicate with it.

# Rules 1-3 key on the distinctive User-Agent strings; rule 2 covers the
# variant where the spaces are percent-encoded (|25 32 30| is "%20").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mac Auto Fixer"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000350; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mac|25 32 30|Auto|25 32 30|Fixer"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000351; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"User-Agent: maftask/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000352; rev:1;)
# Rules 4-6 key on the install/tracking URI paths plus their query parameters,
# so they still fire if the User-Agent is changed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"/install/maf/"; fast_pattern:only; http_uri; content:"&btnid="; http_uri; content:"&appversion="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000353; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"/mtrack/?metd="; fast_pattern:only; http_uri; content:"&ram="; http_uri; content:"&model="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000354; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"/amc/more/"; fast_pattern:only; http_uri; content:".html"; http_uri; content:"&affiliateid="; http_uri; content:"&btnid="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000355; rev:1;)
# NOTE(review): this rule reuses sid:8000355, already taken by the rule
# directly above. Duplicate gid:sid pairs are rejected at rule-load time,
# so an unused sid must be assigned before this set is loaded. It is also
# the only rule in the set without an explicit fast_pattern; the JSON body
# match ("Display" in quotes) is the most specific content here.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nis/gn"; http_uri; content:"|22|Display|22|"; http_client_body; content:"Origin:"; http_header; content:"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000355; rev:1;)
# Helper component: its own User-Agent combined with a .plist fetch.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"User-Agent: helperamc/"; fast_pattern:only; http_header; content:".plist"; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000356; rev:1;)

# --------------------
# Date: 2018-09-19
# Title: Deep Analysis of a Driver-Based MITM Malware: iTranslator
# Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator.html
# Tests: pcap
# Yara:
#    - MALWARE_Win_Trojan_iTranslator_EXE
#    - MALWARE_Win_Trojan_iTranslator_DLL
# ClamAV:
#    - MALWARE_Win_Trojan_iTranslator_EXE
#    - MALWARE_Win_Trojan_iTranslator_DLL
# Notes:
#     - HTTP C&C behavior is consistent with the research reference.
#     - First rule matches on the unique header. Remaining rules match
#       in case the unique header is not present or changed.
#     - Some of the JSON responses can be sig'ed as well but they weren't
#       in this case.

# Rule 1 keys on the unique "UID: P002" request header (see Notes above);
# the rules after it are fallbacks for when that header is absent or changed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iTranslator outbound connection"; flow:to_server,established; content:"UID: P002|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000363; rev:1;)
# /gl.php beacon: "uid=078B" is the fast-pattern and a "Connection" header
# must be absent. NOTE(review): the uid value presumably comes from the
# analysed sample(s) — confirm it is constant across samples before relying
# on it, otherwise this rule silently misses other builds.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iTranslator outbound connection"; flow:to_server,established; content:"/gl.php?"; http_uri; content:"uid=078B"; http_uri; fast_pattern:only; content:"&v="; http_uri; content:"&x="; http_uri; content:!"Connection"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000364; rev:1;)
# /in.php beacon: type/ch/mc query parameters plus an "MC: " request header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iTranslator outbound connection"; flow:to_server,established; content:"/in.php?"; http_uri; content:"type="; http_uri; fast_pattern:only; content:"&ch="; http_uri; content:"&mc="; http_uri; content:"MC: "; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000365; rev:1;)
# Catch-all on the hard-coded User-Agent, anchored by the trailing CRLF so a
# longer UA that merely starts with "ITRANSLATOR" does not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious User-Agent - Win.Trojan.iTranslator"; flow:to_server,established; content:"User-Agent: ITRANSLATOR|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000366; rev:1;)

# --------------------
# Date: 2018-09-29
# Title: Office Exploit Builder - Phantom Crypter/Ancalog
# Reference: Triage from: https://twitter.com/GaborSzappanos/status/1045573257909415936
# Tests: pcap (file2pcap)
# Yara:
#    - FILE_OFFICE_RTF_Ancalog_Builder_Doc
# ClamAV:
#    - FILE_OFFICE.RTF.Ancalog_Builder.Doc
# Hashes:
#    - 3b4215b2b0dfb8fb1f96984a41d38da3fd19234f0f2c1957f32a3e0e25a8bb3e
#    - f8a111e5c6b6da694567bdbd51c3113f92acd0e9b77e9c01784f1166d7fd3e5f
#    - 43b07839c4b79076cb33428fee4400fbed2e92a9654a2837de7e470f9e4fb004

# Both rules require the file.rtf flowbit (set elsewhere by the RTF
# file-identification rules, not in this post) and look for the
# "\*\ancalog" control word in the extracted file body, followed by the
# builder's numeric version/timestamp pair checked by the pcre.
# Rule 1 covers download / mail-fetch directions, rule 2 inbound SMTP.
# NOTE(review): the content is nocase but the pcre has no /i flag, so a
# mixed-case "\*\ANCALOG" passes the content test and then fails the pcre —
# confirm whether case-insensitivity is intended and align the two.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Ancalog Exploit Builder generated payload detected"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|*|5C|ancalog"; nocase; fast_pattern:only; pcre:"/\x5c\x2a\x5cancalog[0-9]{1,4}\s[0-9]{1,9}/"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000367; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Ancalog Exploit Builder generated payload detected"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|*|5C|ancalog"; nocase; fast_pattern:only; pcre:"/\x5c\x2a\x5cancalog[0-9]{1,4}\s[0-9]{1,9}/"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000368; rev:1;)

# --------------------
# Date: 2018-09-29
# Title: New KONNI Malware attacking Eurasia and Southeast Asia
# Reference: https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/
# Tests: pcap
# Yara:
#    - MALWARE_Win_Trojan_Konni
# ClamAV:
#    - MALWARE_Win.Trojan.Konni_1
#    - MALWARE_Win.Trojan.Konni_2
# Hashes:
#    - 07b90088ec02ef6757f6590a62e2a038ce769914139aff1a26b50399a31dcde9
#    - 9b1a21d352ededd057ee3a965907126dd11d13474028a429d91e2349b1f00e10
#    - 9bf634ff0bc7c69ffceb75f9773c198944d907ba822c02c44c83e997b88eeabd
#    - b8120d5c9c2c889b37aa9e37514a3b4964c6e41296be216b327cdccd2e908311
#    - dce53e59b0c48e269dadc766a78667a14f11b72c49f57d95abde62c84ac8d7ae

# Matches a POST to a .php URI whose body carries "subject=" / "&data="
# while the User-Agent, Referer and Accept headers are all absent — the
# absence of those headers is what separates this beacon from browser
# traffic. No fast_pattern is given, so Snort chooses one automatically.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Konni outbound connection"; flow:to_server,established; content:"subject="; http_client_body; content:"&data="; http_client_body; content:".php"; http_uri; content:!"User-Agent"; http_header; content:!"Referer"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000369; rev:1;)

# --------------------
# Date: 2018-10-02
# Title: Osx.Trojan.Wave?
# Reference: Research
#    - https://www.virustotal.com/#/file/087add809dca997a546b8d86f0a0be23cb04b8cf1dc77c58c475e50a3b6fa6ab/detection
# Tests: syntax only

# Keys on the "/?localTime=" query string combined with the "MailBar/"
# User-Agent. Per the section header this rule is "syntax only": it has
# not been run against a pcap, so its false-positive rate is unverified.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Wave outbound connection attempt"; flow:to_server,established; content:"/?localTime="; fast_pattern:only; http_uri; content:"User-Agent: MailBar/"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/087add809dca997a546b8d86f0a0be23cb04b8cf1dc77c58c475e50a3b6fa6ab/detection; classtype:trojan-activity; sid:8000370; rev:1;)

# --------------------
# Date: 2018-10-03
# Title: Win.Trojan.Trickbot variant
# Reference: Research
# Tests: pcap + sandbox
# Hashes:
#    - dropper       : 109ca2be52cf8a2953ee823b3bf20ff18af6e76c312b6cea086dab3aecd28853
#    - loader        : 595c49d0ba30eff4a48adb927cda9062efc7bb352ea75c6eadcbfe841a81e09c
#    - inject module : b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222
#    - system module : ba2a255671d33677cab8d93531eb25c0b1f1ac3e3085b95365a017463662d787
#    - network module: 1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54
# Notes:
#     - Where is the "config.conf"?
#     - Found and decoded the module configs
#     - Persisted via Task Scheduler

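# Client side: multipart/form-data upload carrying a process list and a
# system-info part.
# Fixes: the msg prefix was misspelled "MALWWARE-CNC", which breaks the
# category naming every other rule in this post follows; and the trailing
# "sysinfo" content had no http_client_body modifier unlike its three
# siblings, so it was matched against the raw payload instead of the
# normalized body. The "any" destination port is kept as the author wrote
# it; the service http metadata still ties the rule to HTTP traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot variant outbound connection"; flow:to_server,established; content:"form-data|3B| name=|22|proclist|22|"; http_client_body; content:"process list"; nocase; http_client_body; content:"[System Process]"; http_client_body; content:"form-data|3B| name=|22|sysinfo|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000371; rev:1;)
# Server side: a 200 response from a "Cowboy" server whose body starts with
# "/1/"; "content-length: 3" plus depth:3 pin that to the whole body.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot variant potential server response"; flow:to_client,established; content:"200"; http_stat_code; content:"server: Cowboy"; http_header; content:"content-length: 3|0D 0A|"; http_header; file_data; content:"/1/"; depth:3; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000372; rev:1;)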

