[Snort-sigs] Multiple signatures 016

Marcos Rodriguez mrodriguez at sourcefire.com
Thu Oct 25 13:43:18 EDT 2018


On Thu, Oct 25, 2018 at 11:32 AM Y M via Snort-sigs
<snort-sigs at lists.snort.org> wrote:
>
> Hi,
>
> Hope all sig makers are doing great today. Pcaps and Yara/ClamAV signatures are available for all of the cases below.
>
> Thank you.
>
> # --------------------
> # Date: 2018-10-06
> # Title: ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545)
> # Reference: Triage from: https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/
> # Tests: pcap
> # Yara:
> #    - TOOL_PWS_LaZagne
> # ClamAV:
> #    - TOOL.PWS.LaZagne
> # Hashes:
> #    - cb197616e12daff971b86544eb06554583e95b137b69a4b7cbe83c7de2a38948
> #    - 29eadfb89fa2af7567f34b20778c1dc2a1be2f5b8aa84f642da0291a68de32d0
> #    - 1c963f531b1870f8edffcc9a9a96019c296801f69ea0a9dda555d91cf791a837
> #    - 2c90585b53a28a3413099c94c38f250ca5b17f72ddf6a4e346421eb0a6bdd881
> #    - 82cbdd4822630e179b685733490dc61db4761151656e1663ab91430f32ce86b6
> #    - 0e1320fd39174b14b7e817491d5e95807e66226d60659a07eb0e4bdedb06bea1
> # Notes:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader / ZeroEvil variant outbound connection"; flow:to_server,established; content:"/logs_gate.php?plugin="; fast_pattern:only; http_uri; content:"|3B| name=|22|file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000373; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant outbound connection"; flow:to_server,established; content:"/plugin_gate.php?plugin="; fast_pattern:only; http_uri; content:"|3B| name=|22|file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000374; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant / ZeroEvil outbound connection"; flow:to_server,established; content:"/gate.php"; http_uri; content:"version="; http_client_body; fast_pattern; content:!"Referer"; http_header; pcre:"/version\x3d([0-9]{3}\x255F)+/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000375; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant outbound connection"; flow:to_server,established; content:"/screenshot_gate.php?hwid="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000376; rev:1;)
>
> # --------------------
> # Date: 2018-10-10
> # Title: MuddyWater
> # Reference: Triage from:
> #    - https://s.tencent.com/research/report/509.html
> #    - https://securelist.com/muddywater/88059/
> # Tests: pcap
> # Yara:
> #    - FILE_OFFICE_OLE_Dropper_Doc
> #    - TOOL_CNC_Shootback
> #    - TOOL_PWS_Credstealer
> # ClamAV:
> #    - FILE_OFFICE.OLE.Dropper.Doc
> #    - TOOL_PWS.Credstealer
> #    - TOOL_CNC.Shootback
> #    - Doc.Dropper.Agent-HSB1
> #    - Doc.Dropper.Agent-HSB2
> #    - Doc.Dropper.Agent-HSB3
> #    - Doc.Dropper.Agent-HSB4
> # Hashes:
> #    - 009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0: Composite Document File V2 Document
> #    - 153117aa54492ca955b540ac0a8c21c1be98e9f7dd8636a36d73581ec1ddcf58: Composite Document File V2 Document
> #    - 18479a93fc2d5acd7d71d596f27a5834b2b236b44219bb08f6ca06cf760b74f6: Composite Document File V2 Document
> #    - 18cf5795c2208d330bd297c18445a9e25238dd7f28a1a6ef55e2a9239f5748cd: Composite Document File V2 Document
> #    - 209fb398318a0d346b933b0c408467fce8dea36c10cd0f69ce4b342e28cee9dc: Composite Document File V2 Document
> #    - 2a49d29d58d4d962bee5430e40f488bb79ebab92cf13db5bb4708f3eaf95caed: Composite Document File V2 Document
> #    - 2cea0b740f338c513a6390e7951ff3371f44c7c928abf14675b49358a03a5d13: Composite Document File V2 Document
> #    - 38556ba0b512636006c00b51f24ac92755bd1f1b21b4ae1812abf6bf9543221e: Composite Document File V2 Document
> #    - 3da24cd3af9a383b731ce178b03c68a813ab30f4c7c8dfbc823a32816b9406fb: Composite Document File V2 Document
> #    - 3eb27ecfbe5381b9cf4dcba2486e9773d9893b92c95032be784e0d2198740539: Composite Document File V2 Document
> #    - 3f14a1210d1f2cdb916275bf32cb49159b6f49a54f246bdcb0e967cd0edb8e82: Composite Document File V2 Document
> #    - 40ffcbf044ec951242a92a09b6a239183def2e74fc18e5975fa70e849d875a2e: Composite Document File V2 Document
> #    - 41a32a19c78a542ab4d0701c31d9ef6c7f019c9bc604ab9415f4790b7ac6c591: Composite Document File V2 Document
> #    - 5c7d16bd89ef37fe02cac1851e7214a01636ee4061a80bfdbde3a2d199721a79: Composite Document File V2 Document
> #    - 5f2a6601d349af00a4cc101a638003af2f330879c333168cbf6a7a123dfb3928: Composite Document File V2 Document
> #    - 6a68e8b12960257621cb89f979c1fbbd0f13c2338fad0f64e133deb95c99b2f9: Composite Document File V2 Document
> #    - 707d2128a0c326626adef0d3a4cab78562abd82c2bd8ede8cc82f86c01f1e024: Composite Document File V2 Document
> #    - 76e9988dad0278998861717c774227bf94112db548946ef617bfaa262cb5e338: Composite Document File V2 Document
> #    - 818253f297fea7d8a2324ee1a233aabbaf3b0b4b9cdaa1ebd676fe00f2247388: PE32+ executable (console) x86-64, for MS Windows
> #    - 9038ba1b7991ff38b802f28c0e006d12d466a8e374d2f2a83a039aabcbe76f5c: Composite Document File V2 Document
> #    - 94625dd8151814dd6186735a6a6a87b2a4c71c04b8402caf314fb6f98434eaad: Composite Document File V2 Document
> #    - abc269676eab9cf71f4f00195d1be02c10ea5bfb383fa1396dc108e0f6f9b9be: Composite Document File V2 Document
> #    - b9c70adbc731b1b2779ab35bb0fab29ae703e2a4a7214c5e2749b02daf326a9b: Composite Document File V2 Document
> #    - bbcafdb4fd7bf107d8b85934286d531536b7a0a30e5eeed07e27f0f7afcf8a77: Composite Document File V2 Document
> #    - bfb4fc96c1ba657107c7c60845f6ab720634c8a9214943b5221378a37a8916cd: Composite Document File V2 Document
> #    - c87799cce6d65158da97aa31a5160a0a6b6dd5a89dea312604cc66ed5e976cc9: Composite Document File V2 Document
> #    - eff78c23790ee834f773569b52cddb01dc3c4dd9660f5a476af044ef6fe73894: Composite Document File V2 Document
> #    - f2f573af0f76fe0f21bbe630a4bb50b1c1836eb24429bfb8c93673276f27e374: Composite Document File V2 Document
> #    - f6707b5f41192353be3311fc7f48ee30465038366386b909e6cefaade70c91bc: PE32+ executable (console) x86-64, for MS Windows
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Dropper.Agent outbound connection"; flow:to_server,established; content:"/main.php?t="; http_uri; content:"&type=info"; http_uri; fast_pattern:only; content:"&f=s"; http_uri; content:"&id="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000378; rev:1;)
>
> # --------------------
> # Date: 2018-10-23
> # Title: Win.Trojan.Micropsia
> # Reference: Research
> # Tests: pcap + sandbox
> # Yara:
> #    - MALWARE_Win_Trojan_Micropsia
> # ClamAV:
> #    - MALWARE_Win.Trojan.Micropsia-1
> #    - MALWARE_Win.Trojan.Micropsia-2
> # Hashes:
> #    - 0180e2b601ae643e7adf1784c313dd2d10d114bd2b5692eb6e9c031a6e448ed1
> #    - 027b1042621f86394fd7da27c5310e4906f41b96f6e5474875e63d39b32a9c11
> #    - 0d05f333f1ce2567eb8f42f7a9098a7e044b1cccac9133d65872445608c89665
> #    - 228ea63f4f03e98aae13fafc4d850f7cdd6344fa824427f7ec42f31a2ae8345d
> #    - 3522805eba6bf69f801028252985bd71437875db051c2ed2c8d9f40cefc86edb
> #    - 368845729255ab7fcfb5c0b6c153929d5ccb8d1f9a40cc02ca7c026b4b6813ec
> #    - 370f8196b9351289796df63d927e496107d3d6af26272bddf769721beee7de91
> #    - 5bab8a360d1d08e37e4e6c052f7fce13a291ad9b99f950770a647222bfc4d6b4
> #    - 75329e7b79284f63c1383244b20fb0d9c4bb1e9c4feba04307f1223db30c9203
> #    - 9cb5ef0b17eea1a43d5d323277e08645574c53ab1f65b0031a6fc323f52b0079
> #    - b60bca59de9c7f9c796de3e5c3a1466c0929c7355f4db8c59548af357777e59b
> #    - b6f8b5ba026af863e878eded79f40e5efa1dd7ce725cd0479e5f062dbf4fdd4f
> #    - c4e79e151986dc5e16ce763321de90d8c214909df7210ec05e590c4375423a76
> #    - dd185667015d23438a994adc9e9b30572a1e7479c05f563e0b6c71b8c6023685
> #    - e326d427695efc1f1eea5f86b545d16b46b45ef3cc0151e22d8a583f391571a9
> #    - e477b5e00699a9ccb3868de543c29087042fd44c631f8fcda5faaf7922382146
> #    - effa0e01adad08ae4bc787678ce67510d013a06d1a10d39ec6b19e2449e25fbd
> #    - f70681c7e8ab419fd0938802a823337abad936cccc0ace9ee232f2b874e561f1
> #    - fb95a719c4b26bb577cea5837cac6ba9fdfcfd240bc2fc7b1d0759bf392d5191
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant infection report outbound connection"; flow:to_server,established; content:"/api/"; http_uri; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; content:"-Embt-Boundary-"; fast_pattern; http_client_body; content:"::Windows"; within:1000; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000379; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant screenshot exfiltration outbound connection"; flow:to_server,established; content:"/api/"; http_uri; content:"-Embt-Boundary-"; http_header; fast_pattern:only; content:"Accept: image/"; http_header; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000380; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant heartbeat outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/api/"; http_uri; content:"Googlebot"; http_header; fast_pattern:only; content:"-Embt-Boundary-"; http_header; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; content:"-Embt-Boundary-"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000381; rev:1;)
>
> # --------------------
> # Date: 2018-07-25, Updated: 2018-10-23
> # Title: AgentTesla SMTP Exfil.
> # Reference: Research
> # Test: pcap + sandbox
> # Yara:
> #   - MALWARE_Win_Keylogger_AgentTesla
> # ClamAV:
> #   - MALWARE_Win.Keylogger.AgentTesla-1
> #   - MALWARE_Win.Keylogger.AgentTesla-2
> #   - MALWARE_Win.Keylogger.AgentTesla-3
> # Hashes:
> #   - 030228c5caa62e7727e0a664ef18fdf5663e7edbc2d2f7e5c38bf06526a5023e
> #   - 0c5f9ab0d84eada4be9e6f86cf81a2b3dd0fbb708342eded078a152490ceb15e
> #   - b9253b60188214a143b2b7d2b0a3b1adb1d0834b6fc231b9da7b61c9c3184e92
> #   - 4827ceccbdd20c966bdaa3648f67cb82f319bcbc1766dd134c4fac3f5483179e
> #   - Updated:
> #   - 0676b96e49d703a5d09f4b42d108a725603f17da080fc8a7a182bf63eac0ec39
> #   - 4aa0b4fb7554a5dbaca53bcdc3bc6f69fd1772d444d29c5513bc95d2b49c1c97
> #   - 4aa2b0ad01e19160db78a327fa0080f13ef0b6fb514b36d64430a4f08d356385
> #   - 58fe2c7eddb9e31a670eee8397031608f6f1bb30dc1b92df6565551f0118599c
> #   - 5a5d5b0c3917a59751c4c8404f9711b07395f058a29187fc3a37c2db94a0cc64
> #   - 64d85ae3f57011ed0b6795712ec436c1ad85c6775fb00c71a1bec6d379950484
> #   - 869799260e8fe99eca1de03f9baf4de1388de7f7ef41fb70eb03c9cd56dc6e24
> #   - 97b42e993ec5a3a94e684a12e231cba6a67fab8ff5aa2e4be1ba15a01f015784
> #   - 98939aa778b7528b635c5336dfd9d7a3ca292de233c2866e50408af34b211921
> #   - a0b515b02f3e9a6a8738ba40dc2dbb6cecc375b0a69bf44b4a33a7daafeac29a
> #   - a8605e3124ea7db12ae794943e1aeeeadb9c8563a81be4060d95f9d370d9fbf9
> #   - c3521771621a724196f6b89fb3ed9fd1c1567dd0157d11a2c060b41128f7cbb9
> #   - c36a1a233fe7b9a4ef5418000825636bd67c6582a7215a9a82ea863374805ab9
> #   - d21242ac305be4cbb3ea072ddfe56be87965ea37a1d85808cee1926018c44395
> #   - e21cc93868d9a1126bc7563a56387477ac9aece7dcc7c17dbd4f0c0c1848a886
> #   - f2968fc4d637bc878207c704b7984014cc9a04f468d8242576fe9bf7a4d57659
> # Notes:
> #   - CVE-2017-11882 > opendir(s) > dropped binary.
> #   - opendir(s) files dumped (see screenshots).
> #   - the "test.doc" is also a CVE-2017-11882.
> #   - operated by "operations[at]tms-tamkers[.]com"
> #   - sid 8000207 was utterly wrong, fixed in rev:2.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: "; content:"Passwords Recovered From: "; within:150; fast_pattern; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000207; rev:2;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: "; content:"Screen Capture From: "; within:150; fast_pattern; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000382; rev:1;)

Hi Yaser,

Thanks for these submissions, we'll get these into our testing process
and get back to you as soon as possible.  We'd appreciate any pcaps
you'd be willing to share.  Thanks again!

-- 
Marcos Rodriguez
Cisco Talos
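The rules quoted above rely on Snort's HTTP inspector: each `content` is bound by the modifier that follows it (`http_uri`, `http_header`, `http_client_body`), `content:!` demands that the bytes be absent, and the `/P` flag on the `pcre` selects the client body buffer. The following is an added example, not code from the post, from Y M, or from the Snort project: a toy Snort 2 option parser that lints two of the ARS loader rules (sid 8000373 and 8000375, copied verbatim from the post) for the things a list reviewer checks first, then evaluates them against constructed HTTP requests. The requests are shaped only by the rule text and are not captures; treating `http_header` as the header block without the request line, and ignoring `within`/`distance` ordering, are simplifications of the real inspector.

```python
import re
from dataclasses import dataclass

# Rules copied verbatim from the quoted post; raw strings keep the pcre escapes intact.
RULE_8000373 = r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader / ZeroEvil variant outbound connection"; flow:to_server,established; content:"/logs_gate.php?plugin="; fast_pattern:only; http_uri; content:"|3B| name=|22|file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000373; rev:1;)'
RULE_8000375 = r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant / ZeroEvil outbound connection"; flow:to_server,established; content:"/gate.php"; http_uri; content:"version="; http_client_body; fast_pattern; content:!"Referer"; http_header; pcre:"/version\x3d([0-9]{3}\x255F)+/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000375; rev:1;)'
BUFFERS = ('http_method', 'http_uri', 'http_header', 'http_client_body')
PCRE_BUFFER = {'M': 'http_method', 'U': 'http_uri', 'H': 'http_header', 'P': 'http_client_body'}


@dataclass
class Match:                      # one content (bytes) or pcre (compiled regex) test bound to a buffer
    pattern: object
    buffer: str = 'raw'
    negated: bool = False
    fast_pattern: bool = False


def split_options(body):
    """Split the option block on ';' outside double quotes (a |3B| inside a content is hex, so it is safe)."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped or ch == '\\':
            escaped = not escaped
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            parts.append(''.join(cur).strip()); cur = []
            continue
        cur.append(ch)
    parts.append(''.join(cur).strip())
    return [p for p in parts if p]


def decode_content(text):
    """Snort content string -> bytes: |..| runs are hex bytes, a backslash escapes a literal character."""
    literal = lambda s: re.sub(r'\\(.)', r'\1', s).encode()
    out, pos = bytearray(), 0
    for m in re.finditer(r'\|([0-9A-Fa-f ]*)\|', text):
        out += literal(text[pos:m.start()]) + bytes.fromhex(m.group(1))
        pos = m.end()
    return bytes(out + literal(text[pos:]))


def parse_rule(text):
    """Return (options dict, [Match]) for one Snort 2 rule; within/distance/depth/offset are not modelled."""
    options, matches, current = {}, [], None
    for opt in split_options(text.partition('(')[2].strip().rstrip(')')):
        name, _, value = (s.strip() for s in opt.partition(':'))
        if name == 'content':
            matches.append(current := Match(decode_content(value.lstrip('!').strip().strip('"')),
                                            negated=value.startswith('!')))
        elif name == 'pcre':                # "/regex/flags": one flag letter selects the buffer
            regex, _, flags = value.strip('"')[1:].rpartition('/')
            buf = next((PCRE_BUFFER[f] for f in flags if f in PCRE_BUFFER), 'raw')
            matches.append(current := Match(re.compile(regex.encode(), re.I if 'i' in flags else 0), buffer=buf))
        elif name in BUFFERS and current is not None:
            current.buffer = name           # the modifier binds the preceding content to a buffer
        elif name == 'fast_pattern' and current is not None:
            current.fast_pattern = True     # 'fast_pattern:only' still requires the bytes to be present
        elif name not in ('within', 'distance', 'depth', 'offset', 'nocase'):
            options[name] = value
    return options, matches


def lint(options, matches):
    """Problems a list reviewer would flag before even testing the rule against a pcap."""
    problems = [f'missing {k}' for k in ('msg', 'sid', 'rev', 'classtype') if k not in options]
    if sum(m.fast_pattern for m in matches) > 1:
        problems.append('more than one fast_pattern')      # Snort 2 rejects such a rule
    return problems


def evaluate(rule_text, raw_request):
    """True when every test of the rule holds against its buffer (simplification: http_header is the
    header block without the request line; content ordering constraints are ignored)."""
    head, _, body = raw_request.partition(b'\r\n\r\n')
    request_line, _, headers = head.partition(b'\r\n')
    method, uri, _ = request_line.split(b' ', 2)
    buffers = {'raw': raw_request, 'http_method': method, 'http_uri': uri,
               'http_header': headers + b'\r\n', 'http_client_body': body}
    for m in parse_rule(rule_text)[1]:
        data = buffers[m.buffer]
        hit = m.pattern.search(data) is not None if hasattr(m.pattern, 'search') else m.pattern in data
        if hit == m.negated:                # a negated content must be absent from its buffer
            return False
    return True


# Constructed requests, shaped by the rule text alone; they are not real captures.
REQ_ARS_UPLOAD = (b'POST /logs_gate.php?plugin=demo HTTP/1.1\r\nHost: c2.example.invalid\r\n'
                  b'Content-Type: multipart/form-data; boundary=xx\r\n\r\n'
                  b'--xx\r\nContent-Disposition: form-data; name="file"; filename="r.txt"\r\n\r\nhi\r\n--xx--\r\n')
REQ_GATE = (b'POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n'
            b'Content-Type: application/x-www-form-urlencoded\r\n\r\nversion=123%5F456%5F&id=1')
REQ_GATE_REFERER = REQ_GATE.replace(b'Host:', b'Referer: http://intranet.example/\r\nHost:')
REQ_BENIGN = b'GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n'


def run():
    report = {}
    for text, req in ((RULE_8000373, REQ_ARS_UPLOAD), (RULE_8000375, REQ_GATE)):
        options, matches = parse_rule(text)
        report[options['sid']] = {'lint': lint(options, matches),
                                  'hit': evaluate(text, req), 'benign': evaluate(text, REQ_BENIGN)}
    report['8000375']['with_referer'] = evaluate(RULE_8000375, REQ_GATE_REFERER)
    return report
```

`run()` reports that both rules lint clean, fire on the request built to match them and stay quiet on the benign GET; the `with_referer` entry shows the `content:!"Referer"` test suppressing sid 8000375 once a Referer header is present, which is the kind of negative case worth including in a pcap set alongside the positive one.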

