[Snort-sigs] Multiple signatures 027

Y M snort at outlook.com
Thu May 2 13:23:45 EDT 2019


Hello,

Please find the below Snort rules for multiple cases. PCAPs and Yara/ClamAV signatures are available for the majority of them.

Thank you.
YM

# --------------------
# Title: CVE-2018-20062 = Win.Trojan.Zegost + Mimikatz + Cryptocurrency Mining + Network Scanner + Packet Capture
# Reference: Research
# Tests: pcaps
# Yara:
#   - INDICATOR_Binary_References_WebLogic_Exploit_Artifacts
#   - INDICATOR_Binary_References_EternalBlue_Exploit_Artifacts
#   - INDICATOR_Binary_References_ApacheStrusts_Exploit_Artifacts
# ClamAV:
# Hashes:
#   - 51e880f62a34cf8c49b343eff2f94f75fb8060edea4f3b29e2230dc120d4d38f (nmbsawer)
#   - 9ac977087c08face38d8993db5cc26048f68d412243216887a61130d95150988 (wercplshost > upx-packed)
#   - be0b599cc457131920ed53571856061407c9065a8f79143ed2369805c1a732c3 (download > upx-unpacked)
#   - d233335ee3810e1df0bcc768c283a122b2fbf7c322205098ccef1627be9b4e5d (download > upx-packed)
#   - da0d877e369a565fee04ae241a94e5d826f614821d9a6fb8320272f7a82ecfe9 (wercplshost > upx-unpacked)
# Note:
#   - The initial binary was attempted via CVE-2018-20062.
#   - Full execution fails since the directory "miagration" does not exist, so we manually create it.
#   - Existing Yara/ClamAV signature hits:
#       1. TOOL_PWS_Mimikatz
#       2. INDICATOR_Excutable_Packed_Armadillo
#       3. INDICATOR_Binary_References_Sandbox_Hooking_DLL
#       4. INDICATOR_Binary_Process_Name_Manipulation
#       5. INDICATOR_Binary_References_Many_Builtin_Windows_Executables (Updated)
#   - Triaged samples:
#       - a16243c45805e2b249babf3115915730c7b91b378f6a6795fac08436c0e75943
#       - 85d219b921107ebdbb02d677bf2c61143aa9d6b6978dbbcc2c35d33351c05f19

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zegost variant outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.0)|0D 0A|Accept: */*|0D 0A|"; content:"Cache-Control: no-cache|0D 0A|"; content:!"Content"; content:!"Referer"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000582; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Zegost variant cryptocurrency miner configuration retrieval response"; flow:to_client,established; file_data; content:"[UpdateNode]"; content:"[MainUpdate]"; content:"[Download]"; content:"[mining]"; nocase; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000583; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zegost variant outbound connection"; flow:to_server,established; urilen:8; content:"/cfg.ini"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000584; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zegost variant outbound connection"; flow:to_server,established; urilen:7; content:"/ic.asp"; fast_pattern:only; http_uri; content:"Accept: */*|0D 0A|"; http_header; content:"Cache-Control: no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; content:!"Accept-"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000585; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE binary file download attempt from HFS server"; flow:to_client,established; content:"Server: HFS "; content:"Set-Cookie: HFS_SID_="; content:"Content-Disposition: attachment|3B|"; file_data; content:"MZ"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000586; rev:1;)

# --------------------
# Title: PS2EXE
# Reference: https://threatrecon.nshc.net/2019/03/07/sectord02-powershell-backdoor-analysis/
# Tests: pcaps (file2pcap)
# Yara:
#   - INDICATOR_Executable_Packed_PS2EXE
# ClamAV:
#   - INDICATOR_Executable_Packed_PS2EXE
# Hashes:
#   - 4cdf04c09d144c0c1b5ec7ac91009548db1546e1d1ed4d6fbfb64942a0bd0394 (PS2EXE)
#   - d95fada028969497d732771c4220e956a94a372e3fd543ba4d53b9a927cabe1c (PS2EXE)
# Note: Interesting detection results with a larger data set.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE_EXECUTABLE PS2EXE packed binary download attempt detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"PS2EXE"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000587; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE_EXECUTABLE PS2EXE packed binary download attempt detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"PS2EXE"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000588; rev:1;)

# --------------------
# Title: More packers/builders: ASPack and Titan
# Reference: Research
# Tests: pcaps (file2pcap)
# Yara:
#   - INDICATOR_Excutable_Packed_ASPack
#   - INDICATOR_Excutable_Packed_Titan
# ClamAV:
#   - INDICATOR_Excutable_Packed_ASPack
#   - INDICATOR_Excutable_Packed_Titan
# Hashes:
#   - 07a46c76115b073952617ede7d99192c61f83eb955e814c276de250035ac3e62 (ASPack)
#   - 3229e5c6348a06bd974a0bd201cfcfc72178717c4890c96fc6d6d75879832444 (ASPack)
#   - 4d8bf483900c76c61ab1651917e6154af2c0fe0b635858adc4c6a39bef5d4a55 (ASPack)
#   - 60764591e6222762810c15ac6dcbef3ee155c25e388d1b540da894e584714c92 (ASPack)
#   - 6391452ba76bb2e3f11a720fe75db1cff07e07a7e7ee570ae571aa46d8e906dd (ASPack)
#   - e254af3b563b9179b89ad6891e99f0c479de5763dba171bb8b46b96c856e9c62 (ASPack)
#   - ef3ff88f8ee7487b5c4de03b68f8cf8cdf63099d518ffb1955bfebbed59453a9 (ASPack)
# Note: NA

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE_EXECUTABLE ASPack packed binary download attempt detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|2E 61 73 70 61 63 6B 00 00|"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000589; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE_EXECUTABLE ASPack packed binary download attempt detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|2E 61 73 70 61 63 6B 00 00|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000590; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE_EXECUTABLE Titan packed binary download attempt detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|2E 74 69 74 61 6E 00 00|"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000591; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE_EXECUTABLE Titan packed binary download attempt detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|2E 74 69 74 61 6E 00 00|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000592; rev:1;)

# --------------------
# Title: Win.Trojan.PowerShell_Keylogger
# Reference: Research
# Tests: pcaps
# Yara:
#   - INDICATOR_MSI_References_Free_EXE2MSI_Converter
#   - INDICATOR_MSI_References_AutoIt_Artifacts
# ClamAV:
#   - INDICATOR_MSI_References_Free_EXE2MSI_Converter
#   - INDICATOR_MSI_References_AutoIt_Artifacts
# Hashes:
#   - 4b16f75feb826bc076697bfccc5fe5280da2a4255dee4c4441cb6750a24d5f98
# Note:
#   - C&C traffic has hits on existing Snort signatures
#     sent in "Multiple Signatures 009".
#     They are added here with slight modifications.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE_EXECUTABLE EXE2MSI binary download attempt detected"; flow:to_client,established; flowbits:isset,file.msi|file.ole; file_data; content:"Exe to msi converter free"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000593; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE_EXECUTABLE EXE2MSI binary download attempt detected"; flow:to_server,established; flowbits:isset,file.msi|file.ole; file_data; content:"Exe to msi converter free"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000594; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DelfAgent outbound connection"; flow:to_server,established; content:"|7C|SYSTEM|7C|WIN_"; fast_pattern; content:"|7C|X64|7C|"; within:10; metadata:ruleset community; classtype:trojan-activity; sid:8000256; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DelfAgent outbound connection"; flow:to_server,established; content:"|7C|SYSTEM|7C|WIN_"; fast_pattern; content:"|7C|X86|7C|"; within:10; metadata:ruleset community; classtype:trojan-activity; sid:8000257; rev:2;)

# --------------------
# Title: Win.Trojan.NetWire
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_NetWire
#   - MALWARE_Win_Trojan_NetWire_Packed
#   - MALWARE_Win_Trojan_NetWire_Packed_AU3
#   - MALWARE_Win_Trojan_NetWire_Packed_Bonsai
#   - MALWARE_Html_SinonX_Shell
#   - INDICATOR_Pwsh_References_Concatenated_Base64_File_Execution
# ClamAV:
#   - MALWARE_Win.Trojan.NetWire
#   - MALWARE_Win.Trojan.NetWire_Packed
#   - MALWARE_Win.Trojan.NetWire_Packed-AU3
#   - MALWARE_Win.Trojan.NetWire_Packed-Bonsai
#   - MALWARE_Html.SinonX_Shell
#   - MALWARE_Html.SinonX_Shell-Mini
#   - MALWARE_MEM_Binary_References_Html.SinonX_Shell
#   - INDICATOR_Pwsh_References_Concatenated_Base64_File_Execution
# Hashes:
#   - NetWire Entry Point LNKs:
#   - NetWire Droppers
#      - PowerShell
#         - 02dbe6b55c15e9d2025f7d3d7ce06bb9c82734717e59246bacab041f60293a54
#         - 03a8ce78bd5c08f958e744901056e05b348012322d317f9781a280cbb85b5c0a
#         - 38b3d1597473379d5f15191ccba31b69efbf4fbc81ff978c658dd30fccb43e1d
#         - 414312dc60acb5bd9be5c63dcd401c34367a792877ab60d15f2253c36a6d58a1
#         - 792d9300de3010812d6d5597b2fac206a4ce4bc55ec02dd50a0c3b84debbd8de
#         - 80dc6eda5134ef78ceddae35d5ce07c6a53249d2a2561529b6bd1e204ce8f8ce
#         - 977f9cfc23ff3a26baee23ef304b49b1102b4925e5bb67546b5f929b81677333
#         - 9e7e1f74fb1ca8a450a4f8f48728215cbf002a26af50e7a355e5ee453f620944
#         - adb6433b32908b0a8a8257469ec9809bd563b5ae1ef5e181b2229385c5a57ad1
#         - a535cfbe686771a48d66489245532b1b73656e75ccc4520fa67af0c890f8b168
#         - b4bc8392c7ba1db5824303ce17cc7a61a1ef93d0821d645821aa2e15355c33d3
#         - d2f34fe458e969be1ab9c5a0c64bb832a9d1f33e9e314b8c7a827f09eee02484
#         - e300f93c88101fcfcb97a31d4a03c9e0edf42d9b969d64e5246b6c6083e2b4a9
#         - eb561ff247486a95764f2b56090b60ee1f6439dc266a5ddc53275ffb30e75157
#         - eb57e29d4c94449d156a22fe8f13c2a4b1b242198ea3b3a3658ae2e44a9649f1
#         - fc1f6681ee333f6803dca61644c164b87ad3cedf11535291993bbbd2b3ca347f
#      - VBScript HTA
#         - 02e3c79dfa0bbd7d560d268a0251735f128d9839d007623f1b5eac2cd3421be6
#         - 8ad555c2eadd6d2b6538a5692632972f529aab7f7c9bf811f467872b7c843e48
#         - a19b61d138196533cccd07f91da5d20dc5c62c31d7978ceee641f8a61cf77325
#         - a53529d1f2c16f7578dc853a86dbdc8ef5610edce4b923ed6ee2c1b0ea6646a5
#         - af7503464adf2a74abbc1f63d6bfab7a32a27f2774400814944ebc4ea67aa0d6
#   - NetWire Exploit Documents
#      - abb153a1338df8c2639fc6a5d9ea9a6391f302add3719b50ad96718347263756
#   - NetWire Samples
#      - Packed
#         - 1449e88bab1a03d3c745f78a0225ed4d2d4a662d2222a6a7865ef1c326de4508
#         - 323ca2e672375f96484e1a8ce701d45f08a0133f5235e3ed90811b9a23c13ead
#         - 613f39016a98f2886828e4302592b355805a7a6c895341caa495853cbd0750b4
#         - 6471370f1726473738aa3658202599be0e31e136fd9ac4a6ea260fc1a202daa7
#         - a9edef77da13e53ffb9389e1542abeabc931ca199411bb582234a76f914bbbb3
#         - c94c2fc170f185e6183864eba8cab837860054d0c9c3e760a607a2b2e1c0fe6a
#         - e98253395308a5859a8eca299a53e63d8f768e738dc4a52f4d1670d890b8d436
#      - AutoIt
#         - 0fa4237d49a9b749ac4eae290000d6a8ed6c52f053cfee9ef8edf0e99997c288
#         - 1c06638d202c3bd5f36cedca7f199e94e108a0221209f3c509d9f1a7ab970cf4
#         - 13c46e212caa5df33dc4ae6a215180d99a6b0982be9ec709864a50128a01e0a1
#         - 25e2a40f68b7ee59549f78b0acd07b36125b73854857001b029eb0b25cb514e4
#         - 2dea3910f4fc91156cc7d77c8c33562949e784775e416b97345bb263f78e5f76
#         - 3afdca4d4b83024d466c6b90fd5a30ed81a0e5070ac36507ce2d77a7c4a2be6a
#         - 47527265e4f761495b33fc45b0f1aa19f0bc7243b01d30f37e94424315b72041
#         - 610f6349038194fced36ae3c9f14301881c74fbcf858632f251b43882d787ffa
#         - 613f39016a98f2886828e4302592b355805a7a6c895341caa495853cbd0750b4
#         - 8c6ebd67ef03d4287c5ca99314e79660a0ddb623b02c6777b4b082d3df2153f2
#         - 91e1165066bd8dd9625f3fa7256b54d2c5ac9cdb26116f8754c9a0b30155316e
#         - 9467acde15888fe8061bb7e03d306a40e1946941a82cddfc8492952b6b289138
#         - 99733fcaa7e13ff6b19aa9bb575eae1305adeb64299714d9c9952f3993b054b6
#         - a08c2d35a6258f31eb7ec5f545d0c524e60440c8453d17aa04611fbf4e6a28aa
#         - a7cba187b011c82932bb2962e464a4d04488e0fbb48556e3f930f1687259ee26
#         - bf15ab4e9b4e80793dab6d7a5efecf227012fe4e73aebbe0703912ed50a0344e
#         - cc27a95e1ad93653304bcedc69041a121586f7b1fcbc341257c5080ca6d6222e
#         - db1802c62adc8b36b3a1c71772af80aa43424e5e530e8cdc7f72cf4dd316a446
#      - ASPack
#         - 39221998e53f482f1de878698f4afc749fca7ecb0a27df70d0cf07106a760702
#         - c3def6ef22e8db403a0aa0297669d15e0e25a876f22953a0c608b652d22af010
#      - Bonsai (.NET)
#         - 5dd3649a0f4add8b55504a070404100b3049b7f972d83fff51a6af833ef79004
#         - c76caf67b1d38a6b189c9f435f5f246b7e404fccd7998918aa02808da84ed295
# Note:
#   - Existing Yara/ClamAV/Snort rules hits:
#      1. INDICATOR_LNK_References_Download_Execution_Artifacts
#      2. INDICATOR_Internet_Shortcut_References_Local_Executable
#      3. MALWARE_RTF_Excel_URLDownloadToFile
#      4. INDICATOR_Excutable_Packed_ASPack
#      5. SID: 8000503-8000504 (Imminent)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWire variant outbound connection"; flow:to_server,established; dsize:5; content:"|01 00 00 00|"; depth:4; byte_test:1, >, 95, 0, relative; metadata:ruleset community; classtype:trojan-activity; sid:8000595; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.NetWire variant outbound connection"; flow:to_client,established; dsize:5; content:"|01 00 00 00|"; depth:4; byte_test:1, >, 95, 0, relative; metadata:ruleset community; classtype:trojan-activity; sid:8000596; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWire variant outbound connection"; flow:to_server,established; dsize:<80; content:"|41 00 00 00|"; depth:4; byte_test:1, >, 95, 0, relative; metadata:ruleset community; classtype:trojan-activity; sid:8000597; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_server,established; dsize:10; content:"|06 00 00 00 81 13 14 6E 5B 69|"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:8000503; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_client,established; dsize:48; content:"|2C 00 00 00 02 00 00 00 01|"; fast_pattern:only; content:"$"; distance:2; metadata:ruleset community; classtype:policy-violation; sid:8000504; rev:1;)
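The three NetWire rules above (SIDs 8000595-8000597) rely on dsize, a 4-byte content anchored with depth:4, and a byte_test on the byte that follows. The following is an added example, not code from the original post, that restates that matching logic in plain Python so the option semantics can be checked against constructed payloads offline; flow direction and metadata are deliberately ignored, and every sample payload is constructed for the example.

```python
# Added example: plain-Python re-statement of the matching logic in Snort
# SIDs 8000595 and 8000597 (dsize + 4-byte prefix at depth:4 + byte_test).
# Not the original post's code; flow/direction options are not modelled.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class HeaderRule:
    sid: int
    prefix: bytes                 # content:"|..|"; depth:4 -> must sit at offset 0
    exact_size: Optional[int]     # dsize:N
    max_size: Optional[int]       # dsize:<N (strictly less than N)
    threshold: int = 95           # byte_test:1, >, 95, 0, relative

    def matches(self, payload: bytes) -> bool:
        # dsize: payload length constraints are checked first, as Snort does
        if self.exact_size is not None and len(payload) != self.exact_size:
            return False
        if self.max_size is not None and not len(payload) < self.max_size:
            return False
        # content with depth:4 and a 4-byte pattern: only offset 0 can satisfy it
        if payload[: len(self.prefix)] != self.prefix:
            return False
        # byte_test:1,>,95,0,relative: one byte at offset 0 past the previous match
        cursor = len(self.prefix)
        if cursor >= len(payload):
            return False
        return payload[cursor] > self.threshold


NETWIRE_RULES = [
    HeaderRule(8000595, b"\x01\x00\x00\x00", exact_size=5, max_size=None),
    HeaderRule(8000597, b"\x41\x00\x00\x00", exact_size=None, max_size=80),
]


def evaluate(payload: bytes) -> List[int]:
    """Return the SIDs whose simplified logic fires on a single TCP payload."""
    return [r.sid for r in NETWIRE_RULES if r.matches(payload)]


# Constructed sample payloads (not captured traffic)
SAMPLES = {
    "hello":          bytes([0x01, 0, 0, 0, 0x63]),               # 5 bytes, 5th byte 99 > 95
    "hello_low_byte": bytes([0x01, 0, 0, 0, 0x20]),               # 5th byte 32, fails byte_test
    "cmd_short":      bytes([0x41, 0, 0, 0, 0x80]) + b"x" * 20,   # 25 bytes < 80
    "cmd_long":       bytes([0x41, 0, 0, 0, 0x80]) + b"x" * 100,  # 105 bytes, fails dsize:<80
    "benign_http":    b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:15s} -> {evaluate(payload)}")
```

Running the block prints which SID fires for each sample; the "hello_low_byte" and "cmd_long" cases show that the byte_test and the dsize:<80 bound respectively are what keep the rules from firing on every packet that happens to start with the 4-byte prefix.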

# --------------------
# Title: Osx.Adware.AMC-PCVARK-TechyUtils
# Reference: Research
# Tests: pcaps
# Yara: MALWARE_Osx_Adware_AMC_PCVARK_TechyUtils
# ClamAV: MALWARE_Osx.Adware.AMC-PCVARK-TechyUtils
# Hashes: 1b6990a0acb465b30bead4a193ea22a1d5b52bba29afe4a00bd747cd98bd0e88
# Note:
#    1. The MACH-O binary is developed by someone who works for PCVARK.
#    2. The same MACH-O binary references TechyUtils reported before.
#    3. This led to the Malwarebytes reference: https://blog.malwarebytes.com/threat-analysis/2016/08/pcvark-plays-dirty/
#    4. The app deletes itself after execution:
#       {"eventType":"Process Execution","process":"sh","pid":841,"user":"N/A","message":"Process Exec: /bin/sh -c sleep 3; rm -rf \"/Users/user/Desktop/findApp.app\"","extra":"{\"parent process\":\"findApp\",\"ppid\":779,\"uid\":20}"}
#       {"eventType":"Process Execution","process":"rm","pid":853,"user":"N/A","message":"Process Exec: rm -rf /Users/user/Desktop/findApp.app","extra":"{\"parent process\":\"sh\",\"ppid\":841,\"uid\":20}"}

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.AMC-PCVARK-TechyUtils fake app outbound connection"; flow:to_server,established; content:"/trackerwcfsrv/tracker.svc/trackOffersAccepted/?"; fast_pattern:only; http_uri; content:"Mac OS"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000598; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.AMC-PCVARK-TechyUtils fake app outbound connection"; flow:to_server,established; content:"x-count="; http_uri; content:"offerpxl="; http_uri; content:"x-fetch="; http_uri; content:"affiliateid="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000599; rev:1;)

# --------------------
# Title: Osx.Adware.MACAgent
# Reference: https://objective-see.com/blog/blog_0x3F.html
# Tests: pcaps
# Yara:
#   - INDICATOR_Executable_Python_Byte_Compiled_Suspicious
# ClamAV:
#   - INDICATOR_Executable_Python_Byte_Compiled_Suspicious
# Hashes:
#   - 20385ff73d68dd39ea81191ff92940d97e0c1567f28431862d8ba1dbbe66d41f
#   - 475de611a1062a55f2a12fb9731caab9326bad2d2ff5505c93106cebf3abe4c2
# Note:
#   - The "dat.db" did not contain "up", so we defer to the built-in file mode (ur)
#     at the same directory where the "dat.db" lives.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.MACAgent variant outbound connection"; flow:to_server,established; content:"&mvr="; http_uri; content:"User-Agent: Python-urllib/"; fast_pattern:only; http_header; pcre:"/\x26mvr=[0-9]{2}\.[0-9]{2}(\.[0-9]{1,2})?/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000600; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.MACAgent variant outbound connection"; flow:to_server,established; content:"?dom="; http_uri; content:"&mid="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000601; rev:1;)

# --------------------
# Title: Win.Trojan.Amadey downloader
# Reference: Research
# Tests: pcaps
# Yara: MALWARE_Win_Amadey_Downloader
# ClamAV: MALWARE_Win.Amadey.Downloader
# Hashes:
#   - 3fb8ab8a4d1ee6c651b4731b93db2f5aa22dec5400fb73d3c1702fb6128e6bc7
#   - 5576371e9f23a6507898c257523c80a47b9408e54f78ba5a5ce038cc13cf4236 (upx-unpacked)
#   - 76c7f4ebcb84a1418e5ae49889558ec00f5b49e66501f6c915e33396fc3bec92 (upx-packed)
#   - 9753ff52a40c83d08f4db6bfc989292eef5b246ce49882bda1375795efd73f39
#   - ab3cac7d9c1cb2d78e1be8c4749cbc7332fdc926ea85a92000e2c7f52fab51b5
#   - ec6097c4fdbe0736e416b58be0a4dd042c46a9cf7eef997b3eb72384609cbca9
# Note:
#   - One case involved dropping GandCrab ransomware, hitting
#     existing rules SIDs 8000551 and 8000552 from "Multiple signatures 024".
#   - One case dropped a binary hitting SID 48940.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Amadey downloader outbound connection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"id="; http_client_body; content:"vs="; http_client_body; content:"os="; http_client_body; content:"av="; http_client_body; content:"pc="; http_client_body; content:"un="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000602; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Amadey downloader outbound connection attempt post-download"; flow:to_server,established; content:"/index.php"; http_uri; content:"Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 14|0D 0A|"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"Connection"; http_header; pcre:"/[a-z0-9]{2}=[0-9]{10}\x26$/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000603; rev:1;)

# --------------------
# Title: MSIL Stealer
# Reference: Research
# Tests: pcaps
# Yara: MALWARE_MSIL_Stealer
# ClamAV: MALWARE_MSIL.Stealer
# Hashes:
#   - 06c7609239d733d28fbb871b0c9459b6fe1e72df18dc0d4850ade5081b77ab80
#   - 841c6cc82cc2c1fd38531953ffa4559798c082dbeb1852d73a24180fe889e3b4
#   - c31757bd0ff0850199dd28d6db0bc174cd7dff38126979bfef5d8a21b361d22c
# Note:
#   - Existing Yara/ClamAV signatures hits:
#        1. INDICATOR_Binary_References_Many_Browsers
#        2. INDICATOR_Binary_Referenfces_Many_Messaging_Clients
#        3. INDICATOR_Binary_References_Many_Builtin_Windows_Commands (shutdown, attrib, timeout)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL Stealer outbound connection"; flow:to_server,established; urilen:13; content:"/gate/log.php"; fast_pattern:only; http_uri; content:"params="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000604; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL Stealer outbound connection"; flow:to_server,established; content:"/file.php?"; http_uri; content:"hash="; fast_pattern:only; http_uri; content:"&callback="; http_uri; content:"&js="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000605; rev:1;)

# --------------------
# Title: Win.Trojan.Vidar/Arkei
# Reference: Research
# Tests: pcaps
# Yara: MALWARE_Win_Trojan_Nocturnal (Updated)
# ClamAV: MALWARE_Win.Trojan.Nocturnal (Updated)
# Hashes:
#   - b26324c3eddb7cd723b079275bbcd0a722297dd00acdcd428702a48a5dc9ed2f
#   - c8007a84153ed91db6b39038c06f452b2462d6a82d156e7989669eaf96f45e39
# Note:
#    - SID 46895 does not trigger since the URLs appear to have
#      changed or have become more dynamic

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Arkei/Vidar variant outbound connection ip address check"; flow:to_server,established; content:"/line/"; http_uri; content:"Content-Type: multipart/form-data|3B|"; http_header; content:"Content-Length: "; http_header; content:"|0D 0A|"; distance:2; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000606; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Arkei/Vidar variant outbound connection"; flow:to_server,established; content:"Content-Type: multipart/form-data|3B|"; http_header; content:"|3B 20|name=|22|hwid|22|"; http_client_body; content:"|3B 20|name=|22|os|22|"; http_client_body; content:"|3B 20|name=|22|platform|22|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000607; rev:1;)

# --------------------
# Title: Win.Trojan.HawkEye HTTP / FTP variants
# Reference: Research
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes:
#   - 3be631a20243c923f5d50de878d78f91acda664d3f924c03ef152f76de04c0ba (http)
#   - 96fc6a7c48bd453a7c01f5d521107d94ca18136bcbf90e2c482bbd2a8c0981ac (http)
#   - a20f321a50e849820b6683807f77a2c2507aefc0cc5becf9936a34faf4d18e90 (http)
#   - d1bc1b3c8b84b0ad04adf73fac0542c4a434ca1993db8493e9ef129f409949e2 (http)
#   - a48f9c07a61d328c4364bb9da0f7c673260fdfa5ec7ea8b4380e8e38ae888718 (ftp)
#   - 148ba1a13890f909ecad49e304d6969521729f79aaf17cd52fdb8e133dc0fa36 (ftp)
#   - 542d0c9b0bb3277f44b0267a471049e831a9db0c66a69834f562b38712663fcd (ftp)
#   - 3b2850cd8a54bfdb4c52c45f541c4d97047a28b19d034bbec609389b19019094 (ftp)
# Note: NA.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HawkEye http variant outbound connection"; flow:to_server,established; content:"Secret="; http_client_body; content:"HWID="; nocase; fast_pattern:only; http_client_body; content:"Name="; nocase; content:"OS="; nocase; http_client_body; content:"Type="; http_client_body; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000608; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.HawkEye ftp variant outbound connection"; flow:to_server,established; content:"STOR HawkEyeKeylogger"; depth:21; fast_pattern; metadata:ruleset community, service ftp; classtype:trojan-activity; sid:8000609; rev:1;)

# --------------------
# Title: Win.Trojan.RevengeRAT variant
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_RevengeRAT
#   - INDICATOR_JS_References_Local_Script_Executable
#   - INDICATOR_JS_Referencing_Embedded_Hex_Base64_Encoded_Binary
# ClamAV:
#   - MALWARE_Win.Trojan.RevengeRAT
#   - INDICATOR_JS_References_Local_Script_Executable
#   - INDICATOR_JS_References_Embedded_Hex_Base64_Encoded_Binary
# Hashes:
#   - 45f81641791809e1fe09d1b6c3200c39e6fd0eb26713efe410591d17983dbf0d (zipped-js)
#   - 8341231e5dfd89f379c732101097312fbdd55a1f4a4171f56e68c584b355c028 (zipped-js)
#   - c3c3d825a58b7d9e4832e5edade2a0fbbd8664d46dbe53f848fd2537fb4893bf (zipped-js)
#   - cdfb86da0aadb442640137d1b0bd0126317a0bda895284d5b056b8030b0d4604 (decompressed-js)
# Note:
#   - SIDs 45961 and 45962 submitted on February 20, 2018 are still valid.
#     Didn't submit with Yara/ClamAV that time. Review community-ruleset.
#   - Below rule is a generic one, just in case.
#   - Existing hits:
#      - INDICATOR_Internet_Shortcut_References_Local_Script_Executable (persistence)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.RevengeRAT outbound message pattern detected"; flow:to_server,established; dsize:<100; content:"|2A 2D 5D|NK|5B 2D 2A|"; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000610; rev:1;)

# --------------------
# Title: Win.Trojan.AutoHotKey
# Reference: Research
# Tests: pcaps
# Yara: MALWARE_Win_Trojan_AutoHotKey_AHK
# ClamAV: MALWARE_Win.Trojan.AutoHotKey-AHK
# Hashes:
#   - Droppers (OOXML XLS):
#       - 22fefdee6b5f04b8ef4b4cc0127b00a9568365c6a1c6be7a709c6a5aa5fc5490
#       - efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12
#   - AHK Script:
#       - acb3181d0408c908b2a434fc004bf24fb766d4cf68bf2978bc5653022f9f20be
# Note:
#   - AutoHotKey script (.ahk) abused with the legitimate AutoHotKey executable.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AutoHotKey-ahk outbound connection"; flow:to_server,established; urilen:<30; content:".php"; http_uri; content:"&string="; http_client_body; content:"|3B| Charset=UTF-8|0D 0A|"; http_header; content:"POST"; http_method; content:!"Accept-"; http_header; pcre:"/^\x26string=[0-9A-Z]{30}$/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000611; rev:1;)

# --------------------
# Title: Win.Trojan.Baldr Stealer
# Reference: https://www.youtube.com/watch?v=E2V4kB_gtcQ
# Reference: https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/
# Tests: pcaps
# Yara: MALWARE_Win_Trojan_Baldr
# ClamAV: MALWARE_Win.Trojan.Baldr
# Hashes:
#   - a0d4500b9aad2c96f5a1775eee1541e78fc504f017b4daaa51f48907b1a49191 (unpacked)
#   - 06a7215e3083038c6a0c58b5752245c20323d8568d614ce448a36a4132fa147e
#   - 12d95ffc99c9225a8a9f8bed6a0390fa7d2f4df4c5db16938584cc9bd28801b6
#   - 2096f782cb91482647ef668b209fa2f098dcb2028aa923aafcb2903a8b91d3aa
#   - 435bb8b28282448aa811dd74b0a4f058729e68aeeb8217dcabaa1208ca4e1cc5
#   - 5fa915ad3471a9f0f7532ae034c93c8c5faaf8c73f7c99e7bbdd221c59b78217
#   - 852eca75ebd886b964d8e9cbeb62bf829f9b3b9e26f50be8415ec8fd0a777321
#   - a0d4500b9aad2c96f5a1775eee1541e78fc504f017b4daaa51f48907b1a49191
#   - b843ef19e3ae2b2dc2b0dc52f26dbee413ff05e7465abce049504cfe12af6a8c
#   - fc3bba2ddf6bc25ef7ff1ad69fa99785206250cdee4cd51fed11aa5510e86690
# Note: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Baldr variant outbound connection"; flow:to_server,established; content:"/gate.php"; http_uri; content:"|3B| filename=|22|Encrypted.zip|22|"; http_client_body; content:"Expect: "; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000612; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Baldr variant outbound connection"; flow:to_server,established; content:"/gate.php HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; content:"Expect: 100-continue|0D 0A 0D 0A|"; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; content:!"Content-Disposition"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000613; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Baldr variant outbound connection"; flow:to_server,established; content:"hwid="; http_uri; content:"&os=Windows"; fast_pattern:only; http_uri; content:"&file="; http_uri; content:"&cookie="; http_uri; content:"Expect: 100-continue|0D 0A|"; content:"PK"; depth:2; http_client_body; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000614; rev:1;)

# --------------------
# Title: Cryptocurrency Mining (JCEMiner?)
# Reference: Research
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes: NA
# Note:
#   - The patterns are similar to existing signatures but they are
#     still different, causing FNs.
#   - Source binary was not acquired.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER Cryptocurrency Miner outbound connection attempt"; flow:established,to_server; content:"|7B 22|method|22 3A 22|login|22|"; content:"|22|jsonrpc|22 3A|"; content:"|22 2C 22|params|22 3A 7B 22|login|22 3A|"; content:"|22|pass|22 3A|"; content:"|22|agent|22 3A|"; metadata:ruleset community; classtype:policy-violation; sid:8000615; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER Cryptocurrency Miner outbound connection attempt"; flow:established,to_server; content:"|7B 22|method|22 3A 22|submit|22|"; content:"|22 2C 22|params|22 3A 7B 22|id|22 3A|"; content:"|22|job_id|22 3A|"; metadata:ruleset community; classtype:policy-violation; sid:8000616; rev:1;)
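Many of the content strings in this post mix literal text with `|hex|` groups (the packer section names in SIDs 8000589-8000592, the multipart field names in SID 8000607, the JSON-RPC login fragments in SID 8000615). The following is an added example, not code from the original post, that decodes that notation into bytes and replays a simplified version of the matching (content, content:!, and the http_header / http_client_body split) over constructed payloads. The host name, wallet placeholder, boundary string and request bodies are all constructed for the example; flow, fast_pattern, distance/within and the other options are not modelled.

```python
# Added example: decode Snort |hex| content notation and replay a simplified
# content / content:! / http_header / http_client_body match over constructed
# samples. Not the original post's code; only the named options are modelled.
import re
from dataclasses import dataclass, field
from typing import List

HEX_GROUP = re.compile(r"\|([0-9A-Fa-f ]+)\|")


def decode_content(s: str) -> bytes:
    """Convert e.g. '|3B 20|name=|22|hwid|22|' to b'; name="hwid"'.
    Text outside |...| is literal; inside is space-separated hex bytes."""
    out = bytearray()
    pos = 0
    for m in HEX_GROUP.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))  # fromhex skips the spaces between bytes
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


@dataclass
class RuleSpec:
    sid: int
    header_has: List[str] = field(default_factory=list)  # content; http_header
    body_has: List[str] = field(default_factory=list)    # content; http_client_body (or raw payload)
    header_not: List[str] = field(default_factory=list)  # content:!; http_header

    def matches(self, header: bytes, body: bytes) -> bool:
        return (all(decode_content(c) in header for c in self.header_has)
                and all(decode_content(c) in body for c in self.body_has)
                and not any(decode_content(c) in header for c in self.header_not))


# Content strings copied from SID 8000607 (Arkei/Vidar) and SID 8000615 (miner login)
RULES = [
    RuleSpec(8000607,
             header_has=["Content-Type: multipart/form-data|3B|"],
             body_has=["|3B 20|name=|22|hwid|22|", "|3B 20|name=|22|os|22|",
                       "|3B 20|name=|22|platform|22|"],
             header_not=["User-Agent"]),
    RuleSpec(8000615,
             body_has=["|7B 22|method|22 3A 22|login|22|", "|22|jsonrpc|22 3A|",
                       "|22 2C 22|params|22 3A 7B 22|login|22 3A|",
                       "|22|pass|22 3A|", "|22|agent|22 3A|"]),
]


def hits(header: bytes, body: bytes) -> List[int]:
    """SIDs whose simplified logic fires. For a raw TCP rule pass header=b''."""
    return [r.sid for r in RULES if r.matches(header, body)]


# --- constructed samples (not captured traffic) ---------------------------
def _multipart(fields: dict, boundary: str = "----c0nstructed") -> bytes:
    parts = []
    for name, value in fields.items():
        parts.append(f"--{boundary}\r\nContent-Disposition: form-data; "
                     f"name=\"{name}\"\r\n\r\n{value}\r\n")
    return ("".join(parts) + f"--{boundary}--\r\n").encode()


VIDAR_BODY = _multipart({"hwid": "0123456789ABCDEF", "os": "Windows 10", "platform": "x64"})
VIDAR_HEADER = (b"POST /line/ HTTP/1.1\r\nHost: c2.example.invalid\r\n"
                b"Content-Type: multipart/form-data; boundary=----c0nstructed\r\n"
                + f"Content-Length: {len(VIDAR_BODY)}\r\n\r\n".encode())
# Same body from a client that sets a User-Agent: the content:! clause suppresses the alert
BROWSER_HEADER = VIDAR_HEADER.replace(b"Host:", b"User-Agent: Mozilla/5.0\r\nHost:")

MINER_LOGIN = (b'{"method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x",'
               b'"agent":"miner/0.0"},"id":1,"jsonrpc":"2.0"}')
RPC_BENIGN = b'{"jsonrpc":"2.0","method":"getinfo","id":1}'

if __name__ == "__main__":
    print(decode_content("|2E 61 73 70 61 63 6B 00 00|"))  # ASPack section name from SID 8000589
    for label, hdr, body in [("vidar", VIDAR_HEADER, VIDAR_BODY),
                             ("browser", BROWSER_HEADER, VIDAR_BODY),
                             ("miner", b"", MINER_LOGIN),
                             ("rpc", b"", RPC_BENIGN)]:
        print(f"{label:8s} -> {hits(hdr, body)}")
```

The decoder is the part worth keeping around: piping a rule's content strings through it shows exactly which bytes a rule expects, which is how you confirm that SID 8000589 looks for ".aspack" followed by two NULs and that the JSON fragments in SID 8000615 really do line up with a stratum-style login message, before committing to a pcap test.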

# --------------------
# Title: Luminati - Residential IP and Proxy Service for Businesses
# Reference: Research
# Reference: https://documents.trendmicro.com/assets/white_papers/wp-illuminating-holaVPN-and-the-danger-it-poses.pdf
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes: f0a7e492cf4d74ee0cc7e9dc148cba409eeed23971a907d8cbff83a650738b0d
# Note:
#   - Has been observed to be downloaded by other malicious binaries, example:
#       - eb7fc232d8f1fdeb1d34a5951bccb16c2026807239e5e8c3f23230cd7ec383c5
#   - Sample URLs:
#       1. hxxp://51[.]255[.]87[.]66/admin/rmt/luminati.io/static/net_svc-x64-1.129.929.zip
#       2. http://198[.]16[.]72[.]154/admin/rmt/luminati.io/static/net_updater32-1.129.29.exe
#       3. http://217[.]182[.]139[.]96/admin/rmt/luminati.io/static/lum_sdk32-1.129.29.dll

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Luminati proxy/anonymizer download attempt detected"; flow:to_server,established; content:"/admin/rmt/luminati.io/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000617; rev:1;)