[Snort-sigs] Multiple signatures 015

Marcos Rodriguez mrodriguez at sourcefire.com
Wed Oct 3 13:46:53 EDT 2018


On Wed, Oct 3, 2018 at 1:36 PM Y M via Snort-sigs
<snort-sigs at lists.snort.org> wrote:
>
> Hi,
>
> Hope all is well. Pcaps and ClamAV/Yara signatures are available for some of the cases.
>
> Thank you.
> YM
>
> # --------------------
> # Date: 2018-09-19
> # Title: Osx.Trojan.AMCleaner/AutoFixer
> # Reference: Research
> # Tests: pcap + sandbox
> # Hashes:
> #    - ff274bc19a82b09d5d7b841bcc90859e7eb7ebffb1c9ef8c258a534736d00070
> #    - d8647dfb73ad636c7c1a743754b47ff1824c11cfef040104efabca92715ffcff
> #    - 444d85360e6cf24b9808bab627b69cbdc82dc6d6471e1785e4046d355cee1ad2
> #    - cf00d0789911e58cf1d6fcdb1da64dfe7b0b91c1737b6ad0369a9a968dab214a
> # Note:
> #    - TechyUtils Software Private Limited have been busy:
> #      https://www.virustotal.com/#/ip-address/64.185.181.238
> #    - C&C IP address hosts APKs and EXEs which also communicate with it.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mac Auto Fixer"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000350; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mac|25 32 30|Auto|25 32 30|Fixer"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000351; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"User-Agent: maftask/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000352; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"/install/maf/"; fast_pattern:only; http_uri; content:"&btnid="; http_uri; content:"&appversion="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000353; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"/mtrack/?metd="; fast_pattern:only; http_uri; content:"&ram="; http_uri; content:"&model="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000354; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"/amc/more/"; fast_pattern:only; http_uri; content:".html"; http_uri; content:"&affiliateid="; http_uri; content:"&btnid="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000355; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nis/gn"; http_uri; content:"|22|Display|22|"; http_client_body; content:"Origin:"; http_header; content:"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000355; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"User-Agent: helperamc/"; fast_pattern:only; http_header; content:".plist"; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000356; rev:1;)
>
> # --------------------
> # Date: 2018-09-19
> # Title: Deep Analysis of a Driver-Based MITM Malware: iTranslator
> # Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator.html
> # Tests: pcap
> # Yara:
> #    - MALWARE_Win_Trojan_iTranslator_EXE
> #    - MALWARE_Win_Trojan_iTranslator_DLL
> # ClamAV:
> #    - MALWARE_Win_Trojan_iTranslator_EXE
> #    - MALWARE_Win_Trojan_iTranslator_DLL
> # Notes:
> #     - HTTP C&C behavior is consistent with the research reference.
> #     - First rule matches on the unique header. Remaining rules match
> #       in case the unique header is not present or changed.
> #     - Some of the JSON responses can be sig'ed as well but they weren't
> #       in this case.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iTranslator outbound connection"; flow:to_server,established; content:"UID: P002|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000363; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iTranslator outbound connection"; flow:to_server,established; content:"/gl.php?"; http_uri; content:"uid=078B"; http_uri; fast_pattern:only; content:"&v="; http_uri; content:"&x="; http_uri; content:!"Connection"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000364; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iTranslator outbound connection"; flow:to_server,established; content:"/in.php?"; http_uri; content:"type="; http_uri; fast_pattern:only; content:"&ch="; http_uri; content:"&mc="; http_uri; content:"MC: "; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000365; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious User-Agent - Win.Trojan.iTranslator"; flow:to_server,established; content:"User-Agent: ITRANSLATOR|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000366; rev:1;)
>
> # --------------------
> # Date: 2018-09-29
> # Title: Office Exploit Builder - Phantom Crypter/Ancalog
> # Reference: Triage from: https://twitter.com/GaborSzappanos/status/1045573257909415936
> # Tests: pcap (file2pcap)
> # Yara:
> #    - FILE_OFFICE_RTF_Ancalog_Builder_Doc
> # ClamAV:
> #    - FILE_OFFICE.RTF.Ancalog_Builder.Doc
> # Hashes:
> #    - 3b4215b2b0dfb8fb1f96984a41d38da3fd19234f0f2c1957f32a3e0e25a8bb3e
> #    - f8a111e5c6b6da694567bdbd51c3113f92acd0e9b77e9c01784f1166d7fd3e5f
> #    - 43b07839c4b79076cb33428fee4400fbed2e92a9654a2837de7e470f9e4fb004
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Ancalog Exploit Builder generated payload detected"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|*|5C|ancalog"; nocase; fast_pattern:only; pcre:"/\x5c\x2a\x5cancalog[0-9]{1,4}\s[0-9]{1,9}/"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000367; rev:1;)
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Ancalog Exploit Builder generated payload detected"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|*|5C|ancalog"; nocase; fast_pattern:only; pcre:"/\x5c\x2a\x5cancalog[0-9]{1,4}\s[0-9]{1,9}/"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000368; rev:1;)
>
> # --------------------
> # Date: 2018-09-29
> # Title: New KONNI Malware attacking Eurasia and Southeast Asia
> # Reference: https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/
> # Tests: pcap
> # Yara:
> #    - MALWARE_Win_Trojan_Konni
> # ClamAV:
> #    - MALWARE_Win.Trojan.Konni_1
> #    - MALWARE_Win.Trojan.Konni_2
> # Hashes:
> #    - 07b90088ec02ef6757f6590a62e2a038ce769914139aff1a26b50399a31dcde9
> #    - 9b1a21d352ededd057ee3a965907126dd11d13474028a429d91e2349b1f00e10
> #    - 9bf634ff0bc7c69ffceb75f9773c198944d907ba822c02c44c83e997b88eeabd
> #    - b8120d5c9c2c889b37aa9e37514a3b4964c6e41296be216b327cdccd2e908311
> #    - dce53e59b0c48e269dadc766a78667a14f11b72c49f57d95abde62c84ac8d7ae
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Konni outbound connection"; flow:to_server,established; content:"subject="; http_client_body; content:"&data="; http_client_body; content:".php"; http_uri; content:!"User-Agent"; http_header; content:!"Referer"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000369; rev:1;)
>
> # --------------------
> # Date: 2018-10-02
> # Title: Osx.Trojan.Wave?
> # Reference: Research
> #    - https://www.virustotal.com/#/file/087add809dca997a546b8d86f0a0be23cb04b8cf1dc77c58c475e50a3b6fa6ab/detection
> # Tests: syntax only
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Wave outbound connection attempt"; flow:to_server,established; content:"/?localTime="; fast_pattern:only; http_uri; content:"User-Agent: MailBar/"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/087add809dca997a546b8d86f0a0be23cb04b8cf1dc77c58c475e50a3b6fa6ab/detection; classtype:trojan-activity; sid:8000370; rev:1;)
>
> # --------------------
> # Date: 2018-10-03
> # Title: Win.Trojan.Trickbot variant
> # Reference: Research
> # Tests: pcap + sandbox
> # Hashes:
> #    - dropper       : 109ca2be52cf8a2953ee823b3bf20ff18af6e76c312b6cea086dab3aecd28853
> #    - loader        : 595c49d0ba30eff4a48adb927cda9062efc7bb352ea75c6eadcbfe841a81e09c
> #    - inject module : b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222
> #    - system module : ba2a255671d33677cab8d93531eb25c0b1f1ac3e3085b95365a017463662d787
> #    - network module: 1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54
> # Notes:
> #     - Where is the "config.conf"?
> #     - Found and decoded the module configs
> #     - Persisted via Task Scheduler
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot variant outbound connection"; flow:to_server,established; content:"form-data|3B| name=|22|proclist|22|"; http_client_body; content:"process list"; nocase; http_client_body; content:"[System Process]"; http_client_body; content:"form-data|3B| name=|22|sysinfo|22|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000371; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot variant potential server response"; flow:to_client,established; content:"200"; http_stat_code; content:"server: Cowboy"; http_header; content:"content-length: 3|0D 0A|"; http_header; file_data; content:"/1/"; depth:3; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000372; rev:1;)

Hi Yaser,

Thanks for the submissions and hope all is well with you!  We'll get
bugs open for these and report to you our findings. We'd appreciate
any pcaps, etc, you'd be willing to share. Thanks again!
-- 
Marcos Rodriguez
Cisco Talos
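Two of the AMCleaner rules above share sid 8000355, and the first Trickbot rule's last content option carries no http_* modifier; both are the kind of slip a quick pre-submission lint catches. The following Python is an added example, not code from this thread, from the submitter or from Talos: it parses rules in the same Snort 2 syntax, expands the |hh hh| hex escapes (so `Mac|25 32 30|Auto|25 32 30|Fixer` reads as `Mac%20Auto%20Fixer`), and reports duplicate sids and content options bound to no HTTP buffer. The three sample rules are constructed, shortened stand-ins for the posted ones.

```python
import re
from collections import Counter

# http_* modifiers bind the preceding content to an HTTP buffer; file_data is sticky.
HTTP_BUFFERS = {"http_header", "http_uri", "http_client_body", "http_method",
                "http_stat_code", "http_cookie", "http_raw_uri", "http_raw_header"}
MODIFIERS = HTTP_BUFFERS | {"nocase", "fast_pattern", "depth", "offset", "distance", "within"}

# Constructed sample modelled on the submission above (shortened, not the posted rules).
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST A"; flow:to_server,established; content:"User-Agent: Mac|25 32 30|Auto|25 32 30|Fixer"; fast_pattern:only; http_header; sid:8000351; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST B"; flow:to_server,established; content:"/amc/more/"; http_uri; content:"&btnid="; http_uri; sid:8000355; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST C"; flow:to_server,established; content:"form-data|3B| name=|22|proclist|22|"; http_client_body; content:"form-data|3B| name=|22|sysinfo|22|"; sid:8000355; rev:1;)
"""

def decode_content(raw):
    """Expand |hh hh| hex escapes: 'Mac|25 32 30|Auto' -> b'Mac%20Auto'."""
    parts = raw.split("|")  # odd-indexed parts sit between pipes and hold hex bytes
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def parse_rule(line):
    """Return the sid and (pattern, bound_to_http_buffer) pairs; the option split is quote-aware."""
    body = line[line.index("(") + 1:line.rindex(")")]
    opts = [o.strip().split(":", 1) for o in re.findall(r'(?:[^;"]|"[^"]*")+', body)]
    opts = [(o[0].strip(), o[1].strip() if len(o) > 1 else "") for o in opts if o[0].strip()]
    rule, sticky, i = {"sid": None, "contents": []}, False, 0
    while i < len(opts):
        key, val = opts[i]
        if key == "sid":
            rule["sid"] = int(val)
        elif key == "file_data":
            sticky = True  # sticky buffer: later contents match the file payload
        elif key == "content":
            pattern = decode_content(val.lstrip("!").strip('"'))  # '!' marks a negated content
            mods = set()
            while i + 1 < len(opts) and opts[i + 1][0] in MODIFIERS:
                i += 1
                mods.add(opts[i][0])
            rule["contents"].append((pattern, sticky or bool(mods & HTTP_BUFFERS)))
        i += 1
    return rule

def lint(rules_text):
    """Flag duplicate sids and content options matched against no HTTP buffer."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.startswith("alert")]
    findings = [f"sid {s} used {n} times" for s, n in Counter(r["sid"] for r in rules).items() if n > 1]
    for r in rules:
        findings += [f"sid {r['sid']}: content {p!r} has no http buffer"
                     for p, buffered in r["contents"] if not buffered]
    return findings
```

Running `lint(SAMPLE_RULES)` on the constructed sample returns one duplicate-sid finding for 8000355 and one unbuffered-content finding for the `sysinfo` form-data pattern; feed it the submission's own rule lines to lint those instead.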

