[Snort-sigs] Multiple signatures 014

Marcos Rodriguez mrodriguez at sourcefire.com
Wed Sep 12 13:25:44 EDT 2018


On Wed, Sep 12, 2018 at 1:03 PM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:

> Hi,
>
> Pcaps and ClamAV/Yara signatures are available for the majority of the
> cases below.
>
> Thanks.
> YM
>
> # --------------------
> # Date: 2018-08-29
> # Title: A walk through the AcridRain Stealer
> # Reference: Triage from: https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/
> # Tests: pcap
> # Yara:
> #    - MALWARE_Win_Trojan_AcridRain
> # ClamAV:
> #    - MALWARE_Win.Trojan.AcridRain
> # Hashes (triage):
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AcridRain outbound connection"; flow:to_server,established; content:"/Upload/"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|file|22|"; http_client_body; content:"form-data|3B| name=|22|id|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000311; rev:1;)
>
> # --------------------
> # Date: 2018-09-02
> # Title: Win.Trojan.Arkei (a.k.a Win.Trojan.Nocturnal?)
> # Reference: Research
> # Tests: pcap
> # Yara:
> #    - MALWARE_Win_Trojan_Nocturnal
> # ClamAV:
> #    - MALWARE_Win.Trojan.Nocturnal
> # Hashes:
> #    - 0892104dceefa48f5fac31d030432689ee151ab577f0e1e0f2d6676238a70de9
> #    - 5283b968056136a34c2e89c352c02c5b4422a5aa75b261a2f7713f24ad56abc5
> #    - bae982b9b1712e05f2fad90e0227bb21341eac9766a395641f07c22c3368debe
> # Notes: HTTP POST traffic partially matches SID:8000096 - Win.Trojan.Nocturnal submitted a while back.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> known malicious User-Agent - Win.Trojan.Nocturnal/Arkei";
> flow:to_server,established; content:"User-Agent: Arkei/";
> fast_pattern:only; http_header; metadata:ruleset community, service http;
> classtype:trojan-activity; sid:8000322; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Nocturnal/Arkei outbound connection";
> flow:to_server,established; content:"/server/grubConfig";
> fast_pattern:only; http_uri; metadata:ruleset community, service http;
> classtype:trojan-activity; sid:8000323; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Nocturnal/Arkei outbound connection";
> flow:to_server,established; content:"/server/gate"; fast_pattern:only;
> http_uri; content:"name=|22|hwid|22|"; http_client_body;
> content:"name=|22|os|22|"; http_client_body; content:"name=|22|platform|22|";
> http_client_body; metadata:ruleset community, service http;
> classtype:trojan-activity; sid:8000324; rev:1;)
>
> # --------------------
> # Date: 2018-09-02
> # Title: PowerPool malware exploits ALPC LPE zero-day vulnerability
> # Reference: Triage from: https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/
> # Tests: pcap + sandbox
> # Yara:
> #    - MALWARE_Win_Trojan_PowerPool_Stage_1
> #    - MALWARE_Win_Trojan_PowerPool_Stage_2
> # ClamAV:
> #    - MALWARE_Win.Trojan.PowerPool_Stage_1
> #    - MALWARE_Win.Trojan.PowerPool_Stage_2
> # Hashes:
> # Notes:
> #    1. Triage on C&C and Yara revealed additional samples.
> #    2. Sandbox execution reveals C&C not mentioned in original reference.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.PowerPool first stage outbound connection attempt";
> flow:to_server,established; content:"/?id="; http_uri; content:"&info=";
> distance:16; fast_pattern; http_uri; content:!"Accept-"; http_header;
> content:!"Referer"; http_header; content:!"Content"; http_header;
> metadata:ruleset community, service http; classtype:trojan-activity;
> sid:8000329; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.PowerPool second stage heartbeat outbound connection attempt";
> flow:to_server,established; urilen:6; content:"/heart"; http_uri;
> fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )";
> http_header; content:"|22|sessionid|22|"; http_client_body;
> metadata:ruleset community, service http; classtype:trojan-activity;
> sid:8000330; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.PowerPool second stage execute command outbound connection";
> flow:to_server,established; urilen:8; content:"/cmdpool"; http_uri;
> fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )";
> http_header; content:"|22|dos|22|"; http_client_body; metadata:ruleset
> community, service http; classtype:trojan-activity; sid:8000331; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.PowerPool second stage list directory outbound connection";
> flow:to_server,established; urilen:8; content:"/cmdpool"; http_uri;
> fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )";
> http_header; content:"|22|folder|22|"; http_client_body; metadata:ruleset
> community, service http; classtype:trojan-activity; sid:8000332; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"INDICATOR-COMPROMISE outbound IP address check to l2.io";
> flow:to_server,established; urilen:3; content:"/ip"; fast_pattern:only;
> http_uri; content:"Host: www.l2.io"; http_header; metadata:ruleset
> community, service http; classtype:trojan-activity; sid:8000333; rev:1;)
>
> # --------------------
> # Date: 2018-09-08
> # Title: CVE-2018-5002 Exploit/Infection Chain
> # Reference:
> #    - https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack
> #    - https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/
> # Tests: pcap
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
> CVE-2018-5002 infection chain detected"; flow:to_server,established;
> content:"/doc?token="; fast_pattern:only; http_uri;
> content:"x-flash-version"; http_header; content:!"Referer"; http_header;
> pcre:"/\/doc\x3ftoken\x3d[a-f0-9]{32}$/U"; metadata:ruleset community,
> service http; classtype:trojan-activity; sid:8000334; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
> CVE-2018-5002 infection chain detected"; flow:to_server,established;
> urilen:<70; content:"/stab/"; fast_pattern:only; http_uri;
> content:".png?x="; http_uri; content:"Referer"; http_header;
> content:"x-flash-version"; http_header; metadata:ruleset community, service
> http; classtype:trojan-activity; sid:8000335; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
> CVE-2018-5002 infection chain detected"; flow:to_server,established;
> urilen:<45; content:"POST"; http_method; content:"/download/"; http_uri;
> content:"Referer"; http_header; content:"x-flash-version"; http_header;
> content:"Content-Type: application/x-www-form-urlencoded"; http_header;
> pcre:"/\/download\/[a-f0-9]{32}\/$/U"; metadata:ruleset community,
> service http; classtype:trojan-activity; sid:8000336; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
> CVE-2018-5002 infection chain detected"; flow:to_server,established;
> urilen:<40; content:"POST"; http_method; content:"/log/"; http_uri;
> content:"Content-Type: text/plain"; http_header;
> pcre:"/\/log\/[a-f0-9]{32}$/U"; metadata:ruleset community, service http;
> classtype:trojan-activity; sid:8000337; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
> CVE-2018-5002 infection chain detected"; flow:to_server,established;
> urilen:<40; content:"POST"; http_method; content:"/home/"; http_uri;
> content:"Content-Type: text/plain"; http_header;
> pcre:"/\/home\/[a-f0-9]{32}$/U"; metadata:ruleset community, service
> http; classtype:trojan-activity; sid:8000338; rev:1;)
>
> # --------------------
> # Date: 2018-09-08
> # Title: OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
> # Reference:
> #    - https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/
> # Tests: syntax only
> # Notes:
> #    - Computer name maximum allowed length (CN) = 63 > (Win7/Win10)
> #    - User name maximum allowed length (UN) = 20     > (Win7/Win10)
> #    - Separator (SP, \) = 1
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.OilRig variant outbound connection attempt";
> flow:to_server,established; urilen:<90; content:"/khc?"; depth:5; http_uri;
> content:"|5C|"; http_uri; pcre:"/\/khc\?[A-F0-9]{3,84}$/U";
> metadata:ruleset community, service http; classtype:trojan-activity;
> sid:8000339; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<91; content:"/tahw?"; depth:6; http_uri; content:"|5C|"; http_uri; pcre:"/\/tahw\?[A-F0-9]{3,84}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000340; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.OilRig variant outbound connection attempt";
> flow:to_server,established; urilen:<1100; content:"/pser?"; depth:6;
> http_uri; content:"|5C|"; http_uri; pcre:"/\/pser\?[A-F0-9]{3,84}(BBZ|BBY)[A-F0-9]{,1000}/U";
> metadata:ruleset community, service http; classtype:trojan-activity;
> sid:8000341; rev:1;)
>
> # --------------------
> # Date: 2018-08-29
> # Title: Click me if you can, Office social engineering with embedded objects
> # Reference: https://securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html
> # Tests: pcap (file2pcap)
> # Yara:
> #     - FILE_OFFICE_RTF_Shell_Explorer_Execution
> #     - FILE_OFFICE_RTF_Forms_HTML_Execution
> # ClamAV:
> #     - FILE_OFFICE_OLE_Shell_Explorer_Execution
> #     - FILE_OFFICE_ActiveX_Forms_HTML_Execution
> # Notes:
> #    1. Documents were converted to RTF and they appear to achieve the same behavior when opened with Word.
> #    2. First 6 signatures in this set match what is observed in the generated files.
> #    3. Remaining signatures target Forms.HTML:* variants for referencing HTTP URLs instead of file URLs.
> #    4. ClamAV signatures don't care if the files are RTF or other.
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Shell.Explorer.1 CLSID referencing embedded LNK file with remote content"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"c32ab2eac130cf11a7eb0000c05bae0b"; nocase; fast_pattern:only; content:"4c00000001140200"; nocase; content:"6800740074007000"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000312; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Shell.Explorer.1 CLSID referencing embedded LNK file with remote content"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"c32ab2eac130cf11a7eb0000c05bae0b"; nocase; fast_pattern:only; content:"4c00000001140200"; nocase; content:"6800740074007000"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000313; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing executable file URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000314; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing executable file URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000315; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing executable file URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000316; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing executable file URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000317; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing HTTP URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000318; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing HTTP URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000319; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing HTTP URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000320; rev:1;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing HTTP URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000321; rev:1;)
>
> # --------------------
> # Date: 2018-09-03
> # Title: Ruler is a tool for interacting with Exchange servers remotely with the aim of abusing client-side Outlook features and gaining a shell remotely.
> # Reference: Research
> #     - https://github.com/sensepost/ruler
> #     - https://attack.mitre.org/wiki/Technique/T1190
> #     - https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1046
> # Tests: syntax only
>
> alert tcp any any -> $HOME_NET 80 (msg:"INDICATOR-SCAN Ruler interaction attempt"; flow:to_server,established; content:"User-Agent: ruler|0D 0A|"; fast_pattern:only; http_header; content:"/autodiscover/autodiscover.xml"; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/wiki/Technique/T1027; classtype:web-application-activity; sid:8000327; rev:1;)
>

Hi Yaser,

Thanks for these submissions, we'll get these into our testing process and
get back to you as soon as possible.  We'd appreciate any pcaps you'd be
willing to share.  Thanks again!

-- 
Marcos Rodriguez
Cisco Talos
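As an added example (not from either message in this thread), a small Python check of the kind a reviewer can run over a submission like the one above before it reaches pcap testing: it parses a Snort 2 rule's options, collects the content strings that http_uri binds to the URI buffer, and compares them with the literal start of every /U pcre in the same rule. The sample rules are trimmed copies of sids 8000339 and 8000334 above plus a constructed sid 1000001 whose pcre path was deliberately left different from its content anchor, the copy-and-paste slip that makes a rule miss the traffic it was written for.

```python
import re
# Constructed sample: trimmed copies of sids 8000339 and 8000334 from the submission,
# plus sid 1000001, a deliberately broken variant whose pcre disagrees with its anchor.
RULES = [
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"khc"; content:"/khc?"; '
    r'depth:5; http_uri; pcre:"/\/khc\?[A-F0-9]{3,84}$/U"; sid:8000339; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"doc"; content:"/doc?token="; '
    r'fast_pattern:only; http_uri; content:!"Referer"; http_header; '
    r'pcre:"/\/doc\x3ftoken\x3d[a-f0-9]{32}$/U"; sid:8000334; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"bad"; content:"/tahw?"; '
    r'depth:6; http_uri; pcre:"/\/chk\?[A-F0-9]{3,84}$/U"; sid:1000001; rev:1;)',
]
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')  # keyword[:value];

def parse_options(rule):
    body = rule[rule.index('(') + 1:rule.rindex(')')]      # text between the parens
    return [(m.group(1), m.group(2)) for m in OPTION_RE.finditer(body)]

def uri_contents(opts):
    # positive content strings that a following http_uri modifier binds to the URI
    out, pending = [], None
    for key, val in opts:
        if key == 'content':
            pending = None if val.startswith('!') else val.strip('"')
        elif key == 'http_uri' and pending is not None:
            out.append(pending)
            pending = None
    return out

def literal_prefix(pattern):
    # literal text the regex must match at its start; \xHH escapes are expanded
    out, i = [], 0
    while i < len(pattern) and pattern[i] not in '[](){}.*+?|^$':
        if pattern[i:i + 2] == '\\x':                       # \x3f -> '?'
            out.append(chr(int(pattern[i + 2:i + 4], 16)))
            i += 4
        else:                                               # \/ and \? are escaped literals
            i += 1 if pattern[i] == '\\' else 0
            out.append(pattern[i])
            i += 1
    return ''.join(out)

def uri_pcre_mismatches(rule):
    # (pcre literal, uri anchors) for every URI-buffer pcre that agrees with no anchor
    opts = parse_options(rule)
    anchors, bad = uri_contents(opts), []
    for key, val in opts:
        if key != 'pcre' or not anchors:
            continue
        body, _, flags = val.strip('"')[1:].rpartition('/')
        if 'U' in flags or 'I' in flags:                    # pcre runs over the URI buffer
            lit = literal_prefix(body)
            if not any(lit.startswith(a) or a.startswith(lit) for a in anchors):
                bad.append((lit, anchors))
    return bad
```

Running `uri_pcre_mismatches` over each rule in `RULES` returns an empty list for the two consistent rules and `[('/chk?', ['/tahw?'])]` for the constructed one.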