[Snort-sigs] Multiple signatures 014

Y M snort at outlook.com
Wed Sep 12 13:03:30 EDT 2018


Hi,

Pcaps and ClamAV/Yara signatures are available for the majority of the cases below.

Thanks.
YM

# --------------------
# Date: 2018-08-29
# Title: A walk through the AcridRain Stealer
# Reference: Triage from: https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/
# Tests: pcap
# Yara:
#    - MALWARE_Win_Trojan_AcridRain
# ClamAV:
#    - MALWARE_Win.Trojan.AcridRain
# Hashes (triage):
#    - fb9581e5432392c7fac47b5883a381659345c08d3c26764e689f3110d5d6be53
#    - 009d46cbfb0e8796ed754a18020491b1a1e6a3dccbdc2f8843cbace9def60896
#    - 3d28392d2dc1292a95b6d8f394c982844a9da0cdd84101039cf6ca3cf9874c1c
#    - 56c73dbd50d9161476b904f542491b6f27c6a42fccd661a3032ab1e01b0ca8f5
#    - 769df72c4c32e94190403d626bd9e46ce0183d3213ecdf42c2725db9c1ae960b
#    - 7afa4e20058a95dec77629f22195a0d9af796fa2dfadf0ce73786e46654ea8b7
#    - 7b045eec693e5598b0bb83d21931e9259c8e4825c24ac3d052254e4925738b43
#    - 80217425c6fd2f588a42121ff061b085fd26510e9b9b44bfee8a3c693425ed3c
#    - 80c6632fac75e4b5769e11f1ee5603821e73a0bacff8300c7373220f20f3535a
#    - 8fffaaaae976e558ee64f1f7d2e3670c19497c5b78e9a59c3ccc37c9ae177c66
#    - b78c78477cd7f5a0571a5db6fd0062e25f8659a9d7b428b7709d8d587c11b453
#    - db8f74ebd5ddd43f07f580ee72c2e18fb3f9ab7465479b2a81c366df4509375f
#    - fdf613b16fc7025ec8f3a8833064c8feb292a7cc103f7c10f1133c9832f2d3fd

# Stealer upload: URI contains "/Upload/" and the client body carries multipart form fields named "file" and "id".
# No http_method check, so any method with such a body matches; the three contents are independent (no distance/within).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AcridRain outbound connection"; flow:to_server,established; content:"/Upload/"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|file|22|"; http_client_body; content:"form-data|3B| name=|22|id|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000311; rev:1;)

# --------------------
# Date: 2018-09-02
# Title: Win.Trojan.Arkei (a.k.a Win.Trojan.Nocturnal?)
# Reference: Research
# Tests: pcap
# Yara:
#    - MALWARE_Win_Trojan_Nocturnal
# ClamAV:
#    - MALWARE_Win.Trojan.Nocturnal
# Hashes:
#    - 0892104dceefa48f5fac31d030432689ee151ab577f0e1e0f2d6676238a70de9
#    - 5283b968056136a34c2e89c352c02c5b4422a5aa75b261a2f7713f24ad56abc5
#    - bae982b9b1712e05f2fad90e0227bb21341eac9766a395641f07c22c3368debe
# Notes: HTTP POST traffic partially matches SID:8000096 - Win.Trojan.Nocturnal submitted a while back.

# Request whose HTTP headers contain the User-Agent prefix "Arkei/"; no end-of-line anchor, so any version suffix matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious User-Agent - Win.Trojan.Nocturnal/Arkei"; flow:to_server,established; content:"User-Agent: Arkei/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000322; rev:1;)

# Request whose URI contains "/server/grubConfig" (no other constraint).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nocturnal/Arkei outbound connection"; flow:to_server,established; content:"/server/grubConfig"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000323; rev:1;)

# Check-in: URI contains "/server/gate" and the client body carries form fields named "hwid", "os" and "platform" (order not enforced).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nocturnal/Arkei outbound connection"; flow:to_server,established; content:"/server/gate"; fast_pattern:only; http_uri; content:"name=|22|hwid|22|"; http_client_body; content:"name=|22|os|22|"; http_client_body; content:"name=|22|platform|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000324; rev:1;)

# --------------------
# Date: 2018-09-02
# Title: PowerPool malware exploits ALPC LPE zero-day vulnerability
# Reference: Triage from: https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/
# Tests: pcap + sandbox
# Yara:
#    - MALWARE_Win_Trojan_PowerPool_Stage_1
#    - MALWARE_Win_Trojan_PowerPool_Stage_2
# ClamAV:
#    - MALWARE_Win.Trojan.PowerPool_Stage_1
#    - MALWARE_Win.Trojan.PowerPool_Stage_2
# Hashes:
#    1st_stage:
#        - 035f97af0def906fbd8f7f15fb8107a9e852a69160669e7c0781888180cd46d5
#        - 8c2e729bc086921062e214b7e4c9c4ddf324a0fa53b4ed106f1341cfe8274fe4
#        - 8c32d6f2408115476c5552a4e3e86a3cc5e7148cc0111a4b464509461f3c0d20
#        - fb05c7b6087ebaf129036639e3cd9cd199ab450d69c2faac4a51064c1505334d
#    2nd_stage:
#        - 58a50840c04cd15f439f1cc1b684e9f9fa22c0d64f44a391d9e2b1222e5cd6bd
#        - af2abf0748013a7084507f8e96f6e7c21a3f962fbbb148dcbb482a98c06940a1
# Notes:
#    1. Triage on C&C and Yara revealed additional samples.
#    2. Sandbox execution reveals C&C not mentioned in original reference.

# First stage: URI contains "/?id=" and, starting at least 16 bytes after it (distance:16, no within), "&info=".
# The request must carry no Accept-*, Referer or Content-* header — presumably to exclude browser-generated requests.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool first stage outbound connection attempt"; flow:to_server,established; content:"/?id="; http_uri; content:"&info="; distance:16; fast_pattern; http_uri; content:!"Accept-"; http_header; content:!"Referer"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000329; rev:1;)

# Second-stage heartbeat: URI is exactly 6 bytes ("/heart"), User-Agent "Mozilla/4.0 (compatible; )", quoted "sessionid" key in the body.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool second stage heartbeat outbound connection attempt"; flow:to_server,established; urilen:6; content:"/heart"; http_uri; fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )"; http_header; content:"|22|sessionid|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000330; rev:1;)

# Second-stage command execution: URI is exactly 8 bytes ("/cmdpool"), same User-Agent, quoted "dos" key in the body.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool second stage execute command outbound connection"; flow:to_server,established; urilen:8; content:"/cmdpool"; http_uri; fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )"; http_header; content:"|22|dos|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000331; rev:1;)

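# Second-stage directory listing: URI is exactly 8 bytes ("/cmdpool"), User-Agent "Mozilla/4.0 (compatible; )",
# quoted "folder" key in the body. Differs from the sibling "/cmdpool" rule only by the body key and msg.
# Fix: msg typo "lsit directory" -> "list directory" so alerts group correctly by message text.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool second stage list directory outbound connection"; flow:to_server,established; urilen:8; content:"/cmdpool"; http_uri; fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )"; http_header; content:"|22|folder|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000332; rev:1;)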

# Public-IP lookup included in this set: URI is exactly 3 bytes ("/ip") with a "Host: www.l2.io" header.
# NOTE(review): a public IP-echo endpoint can also be reached by legitimate software; consider tuning or a
# lower-severity classtype before deploying this rule broadly.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE outbound IP address check to l2.io"; flow:to_server,established; urilen:3; content:"/ip"; fast_pattern:only; http_uri; content:"Host: www.l2.io"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000333; rev:1;)

# --------------------
# Date: 2018-09-08
# Title: CVE-2018-5002 Exploit/Infection Chain
# Reference:
#    - https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack
#    - https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/
# Tests: pcap

# CVE-2018-5002 chain, rule 1/5: URI "/doc?token=" followed by exactly 32 lowercase-hex characters at the end of the URI,
# with an x-flash-version header and no Referer.
# NOTE(review): all five rules in this set share an identical msg; a short per-rule suffix would make alert triage easier.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; content:"/doc?token="; fast_pattern:only; http_uri; content:"x-flash-version"; http_header; content:!"Referer"; http_header; pcre:"/\/doc\x3ftoken\x3d[a-f0-9]{32}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000334; rev:1;)

# Rule 2/5: URI shorter than 70 bytes containing "/stab/" and ".png?x=", with both Referer and x-flash-version headers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<70; content:"/stab/"; fast_pattern:only; http_uri; content:".png?x="; http_uri; content:"Referer"; http_header; content:"x-flash-version"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000335; rev:1;)

# Rule 3/5: POST to "/download/<32 lowercase hex>/" (URI shorter than 45 bytes), Referer and x-flash-version headers,
# form-urlencoded Content-Type.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<45; content:"POST"; http_method; content:"/download/"; http_uri; content:"Referer"; http_header; content:"x-flash-version"; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; pcre:"/\/download\/[a-f0-9]{32}\/$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000336; rev:1;)

# Rule 4/5: POST to "/log/<32 lowercase hex>" (URI shorter than 40 bytes) with Content-Type text/plain.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<40; content:"POST"; http_method; content:"/log/"; http_uri; content:"Content-Type: text/plain"; http_header; pcre:"/\/log\/[a-f0-9]{32}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000337; rev:1;)

# Rule 5/5: as rule 4 but for "/home/<32 lowercase hex>".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<40; content:"POST"; http_method; content:"/home/"; http_uri; content:"Content-Type: text/plain"; http_header; pcre:"/\/home\/[a-f0-9]{32}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000338; rev:1;)

# --------------------
# Date: 2018-09-08
# Title: OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
# Reference:
#    - https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/
# Tests: syntax only
# Notes:
#    - Computer name maximum allowed length (CN) = 63 > (Win7/Win10)
#    - User name maximum allowed length (UN) = 20     > (Win7/Win10)
#    - Separator (SP, \) = 1

# "/khc?" variant: URI starts with "/khc?" (depth:5) followed by 3-84 uppercase-hex characters to the end of the URI;
# urilen:<90 is 5 + 84, the CN+SP+UN budget from the note above.
# NOTE(review): the "|5C|" http_uri content and the hex-only pcre both inspect the normalized URI; for a URI that starts
# with "/khc?" they look mutually exclusive — confirm against a sample which of the two reflects the real traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<90; content:"/khc?"; depth:5; http_uri; content:"|5C|"; http_uri; pcre:"/\/khc\?[A-F0-9]{3,84}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000339; rev:1;)

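# "/tahw?" variant: URI starts with "/tahw?" (depth:6) followed by 3-84 uppercase-hex characters to the end of the URI;
# urilen:<91 is 6 + 84, matching the sibling "/khc?" rule's budget.
# Fix: the pcre required "/chk?" while the content match pins the URI to start with "/tahw?", so the rule could not fire;
# the pcre path is now "/tahw?" to agree with the content and the urilen arithmetic.
# NOTE(review): the "|5C|" http_uri content and the hex-only pcre both inspect the normalized URI and look mutually
# exclusive for a URI starting with "/tahw?" — confirm against a sample which of the two reflects the real traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<91; content:"/tahw?"; depth:6; http_uri; content:"|5C|"; http_uri; pcre:"/\/tahw\?[A-F0-9]{3,84}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000340; rev:1;)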

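# "/pser?" variant: URI starts with "/pser?" (depth:6), then 3-84 uppercase-hex characters, a "BBZ" or "BBY" marker,
# and up to 1000 further uppercase-hex characters (not end-anchored); urilen:<1100 covers 6 + 84 + 3 + 1000.
# Fix: "{,1000}" is not PCRE quantifier syntax (accepted forms are {n}, {n,}, {n,m}) and is read as literal text,
# so the pattern demanded a literal "{,1000}" after the marker; it is now "{0,1000}".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<1100; content:"/pser?"; depth:6; http_uri; content:"|5C|"; http_uri; pcre:"/\/pser\?[A-F0-9]{3,84}(BBZ|BBY)[A-F0-9]{0,1000}/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000341; rev:1;)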

# --------------------
# Date: 2018-08-29
# Title: Click me if you can, Office social engineering with embedded objects
# Reference: https://securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html
# Tests: pcap (file2pcap)
# Yara:
#     - FILE_OFFICE_RTF_Shell_Explorer_Execution
#     - FILE_OFFICE_RTF_Forms_HTML_Execution
# ClamAV:
#     - FILE_OFFICE_OLE_Shell_Explorer_Execution
#     - FILE_OFFICE_ActiveX_Forms_HTML_Execution
# Notes:
#    1. Documents were converted to RTF and they appear to achieve the same behavior when opened with Word.
#    2. First 6 signatures in this set match what is observed in the generated files.
#    3. Remaining signatures target Forms.HTML:* variants for referencing HTTP URLs instead of file URLs.
#    4. ClamAV signatures don't care if the files are RTF or other.

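# Office/RTF embedded-object lures (securify.nl). Each detection is an HTTP rule (to_client, $FILE_DATA_PORTS -> $HOME_NET any)
# paired with an SMTP rule (to_server, -> $SMTP_SERVERS 25); all require the file.rtf flowbit and inspect file_data.
# Object data is matched as ASCII hex text: nocase is applied only to patterns containing the letters a-f, while
# digit-only patterns ("6800740074007000" = UTF-16LE "http", "6500780065" = ASCII "exe") need none.
# Fix: the five SMTP rules restricted the *source* port to $FILE_DATA_PORTS, which an SMTP client's ephemeral port will
# essentially never satisfy, so they could not fire; their source port is now "any", the usual shape for SMTP file rules.

# Shell.Explorer.1 CLSID bytes, LNK header bytes ("4c00000001140200") and UTF-16LE "http" somewhere in the file.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Shell.Explorer.1 CLSID referencing embedded LNK file with remote content"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"c32ab2eac130cf11a7eb0000c05bae0b"; nocase; fast_pattern:only; content:"4c00000001140200"; nocase; content:"6800740074007000"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000312; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Shell.Explorer.1 CLSID referencing embedded LNK file with remote content"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"c32ab2eac130cf11a7eb0000c05bae0b"; nocase; fast_pattern:only; content:"4c00000001140200"; nocase; content:"6800740074007000"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000313; rev:1;)

# Forms.HTML:Image.1 CLSID bytes, UTF-16LE "file:" ("660069006c0065003a") and ASCII "exe" ("6500780065"); the three
# contents are unordered, so the "exe" may appear anywhere after the file: scheme in the object data.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing executable file URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000314; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing executable file URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000315; rev:1;)

# Forms.HTML:Submission.1 CLSID bytes with the same UTF-16LE "file:" and ASCII "exe" patterns.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing executable file URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000316; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing executable file URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000317; rev:1;)

# Forms.HTML:Image.1 CLSID bytes plus UTF-16LE "http" without its trailing null ("68007400740070"), i.e. an HTTP(S) URL.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing HTTP URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000318; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing HTTP URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000319; rev:1;)

# Forms.HTML:Submission.1 CLSID bytes plus the same UTF-16LE "http" prefix.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing HTTP URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000320; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing HTTP URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000321; rev:1;)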

# --------------------
# Date: 2018-09-03
# Title: Ruler is a tool for interacting with Exchange servers remotely with the aim of
#        abusing client-side Outlook features and gaining a shell remotely.
# Reference: Research
#     - https://github.com/sensepost/ruler
#     - https://attack.mitre.org/wiki/Technique/T1190
#     - https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1046
# Tests: syntax only

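# Ruler (sensepost) contacting Exchange Autodiscover over plaintext HTTP: User-Agent header exactly "ruler" followed by
# CRLF, and a URI containing "/autodiscover/autodiscover.xml". Source is "any any", presumably so the tool is also
# caught when run from inside $HOME_NET.
# Fix: the rule cited T1027, which is not among this set's references; aligned to T1190 as listed in the header above.
# NOTE(review): the destination is hard-coded to port 80; $HTTP_PORTS is the conventional choice and would also cover
# non-standard plaintext ports. Autodiscover over TLS (443) is not visible to this rule either way.
alert tcp any any -> $HOME_NET 80 (msg:"INDICATOR-SCAN Ruler interaction attempt"; flow:to_server,established; content:"User-Agent: ruler|0D 0A|"; fast_pattern:only; http_header; content:"/autodiscover/autodiscover.xml"; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/wiki/Technique/T1190; classtype:web-application-activity; sid:8000327; rev:1;)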