[Snort-sigs] Multiple signatures 027

Matthew Mickel mmickel at sourcefire.com
Fri May 3 08:42:00 EDT 2019


Hi, Yaser-

Thanks for your submissions.  We will test these and get back to you with the results.  Any PCAPs or Yara/ClamAV signatures you can provide are greatly appreciated.  Best,

Matt Mickel

> On May 2, 2019, at 1:23 PM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:
> 
> Hello,
> 
> Please find the below Snort rules for multiple cases. PCAPs and Yara/ClamAV signatures are available for the majority of them.
> 
> Thank you.
> YM
> 
> # --------------------
> # Title: CVE-2018-20062 = Win.Trojan.Zegost + Mimikatz + Cryptocurrency Mining + Network Scanner + Packet Capture
> # Reference: Research
> # Tests: pcaps
> # Yara:
> #   - INDICATOR_Binary_References_WebLogic_Exploit_Artifacts
> #   - INDICATOR_Binary_References_EternalBlue_Exploit_Artifacts
> #   - INDICATOR_Binary_References_ApacheStrusts_Exploit_Artifacts
> # ClamAV:
> # Hashes:
> #   - 51e880f62a34cf8c49b343eff2f94f75fb8060edea4f3b29e2230dc120d4d38f (nmbsawer)
> #   - 9ac977087c08face38d8993db5cc26048f68d412243216887a61130d95150988 (wercplshost > upx-packed)
> #   - be0b599cc457131920ed53571856061407c9065a8f79143ed2369805c1a732c3 (download > upx-unpacked)
> #   - d233335ee3810e1df0bcc768c283a122b2fbf7c322205098ccef1627be9b4e5d (download > upx-packed)
> #   - da0d877e369a565fee04ae241a94e5d826f614821d9a6fb8320272f7a82ecfe9 (wercplshost > upx-unpacked)
> # Note:
> #   - The initial binary was attempted via CVE-2018-20062.
> #   - Full execution fails since the directory "miagration" does not exist, so we manually create it.
> #   - Existing Yara/ClamAV signature hits:
> #       1. TOOL_PWS_Mimikatz
> #       2. INDICATOR_Excutable_Packed_Armadillo
> #       3. INDICATOR_Binary_References_Sandbox_Hooking_DLL
> #       4. INDICATOR_Binary_Process_Name_Manipulation
> #       5. INDICATOR_Binary_References_Many_Builtin_Windows_Executables (Updated)
> #   - Triaged samples:
> #       - a16243c45805e2b249babf3115915730c7b91b378f6a6795fac08436c0e75943
> #       - 85d219b921107ebdbb02d677bf2c61143aa9d6b6978dbbcc2c35d33351c05f19
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zegost variant outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.0)|0D 0A|Accept: */*|0D 0A|"; content:"Cache-Control: no-cache|0D 0A|"; content:!"Content"; content:!"Referer"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000582; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Zegost variant cryptocurrency miner configuration retrieval response"; flow:to_client,established; file_data; content:"[UpdateNode]"; content:"[MainUpdate]"; content:"[Download]"; content:"[mining]"; nocase; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000583; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zegost variant outbound connection"; flow:to_server,established; urilen:8; content:"/cfg.ini"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000584; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zegost variant outbound connection"; flow:to_server,established; urilen:7; content:"/ic.asp"; fast_pattern:only; http_uri; content:"Accept: */*|0D 0A|"; http_header; content:"Cache-Control: no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; content:!"Accept-"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000585; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE binary file download attempt from HFS server"; flow:to_client,established; content:"Server: HFS "; content:"Set-Cookie: HFS_SID_="; content:"Content-Disposition: attachment|3B|"; file_data; content:"MZ"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000586; rev:1;)
> 
> # --------------------
> # Title: PS2EXE
> # Reference: https://threatrecon.nshc.net/2019/03/07/sectord02-powershell-backdoor-analysis/
> # Tests: pcaps (file2pcap)
> # Yara:
> #   - INDICATOR_Executable_Packed_PS2EXE
> # ClamAV:
> #   - INDICATOR_Executable_Packed_PS2EXE
> # Hashes:
> #   - 4cdf04c09d144c0c1b5ec7ac91009548db1546e1d1ed4d6fbfb64942a0bd0394 (PS2EXE)
> #   - d95fada028969497d732771c4220e956a94a372e3fd543ba4d53b9a927cabe1c (PS2EXE)
> # Note: Interesting detection results with a larger data set.
> 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE_EXECUTABLE PS2EXE packed binary download attempt detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"PS2EXE"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000587; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE_EXECUTABLE PS2EXE packed binary download attempt detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"PS2EXE"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000588; rev:1;)
> 
> # --------------------
> # Title: More packers/builders: ASPack and Titan
> # Reference: Research
> # Tests: pcaps (file2pcap)
> # Yara:
> #   - INDICATOR_Excutable_Packed_ASPack
> #   - INDICATOR_Excutable_Packed_Titan
> # ClamAV:
> #   - INDICATOR_Excutable_Packed_ASPack
> #   - INDICATOR_Excutable_Packed_Titan
> # Hashes:
> #   - 07a46c76115b073952617ede7d99192c61f83eb955e814c276de250035ac3e62 (ASPack)
> #   - 3229e5c6348a06bd974a0bd201cfcfc72178717c4890c96fc6d6d75879832444 (ASPack)
> #   - 4d8bf483900c76c61ab1651917e6154af2c0fe0b635858adc4c6a39bef5d4a55 (ASPack)
> #   - 60764591e6222762810c15ac6dcbef3ee155c25e388d1b540da894e584714c92 (ASPack)
> #   - 6391452ba76bb2e3f11a720fe75db1cff07e07a7e7ee570ae571aa46d8e906dd (ASPack)
> #   - e254af3b563b9179b89ad6891e99f0c479de5763dba171bb8b46b96c856e9c62 (ASPack)
> #   - ef3ff88f8ee7487b5c4de03b68f8cf8cdf63099d518ffb1955bfebbed59453a9 (ASPack)
> # Note: NA
> 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE_EXECUTABLE ASPack packed binary download attempt detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|2E 61 73 70 61 63 6B 00 00|"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000589; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE_EXECUTABLE ASPack packed binary download attempt detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|2E 61 73 70 61 63 6B 00 00|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000590; rev:1;)
> 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE_EXECUTABLE Titan packed binary download attempt detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|2E 74 69 74 61 6E 00 00|"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000591; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE_EXECUTABLE Titan packed binary download attempt detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|2E 74 69 74 61 6E 00 00|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000592; rev:1;)
> 
> # --------------------
> # Title: Win.Trojan.PowerShell_Keylogger
> # Reference: Research
> # Tests: pcaps
> # Yara:
> #   - INDICATOR_MSI_References_Free_EXE2MSI_Converter
> #   - INDICATOR_MSI_References_AutoIt_Artifacts
> # ClamAV:
> #   - INDICATOR_MSI_References_Free_EXE2MSI_Converter
> #   - INDICATOR_MSI_References_AutoIt_Artifacts
> # Hashes:
> #   - 4b16f75feb826bc076697bfccc5fe5280da2a4255dee4c4441cb6750a24d5f98
> # Note:
> #   - C&C traffic has hits on existing Snort signatures
> #     sent in "Multiple Signatures 009".
> #     They are added here with slight modifications.
> 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE_EXECUTABLE EXE2MSI binary download attempt detected"; flow:to_client,established; flowbits:isset,file.msi|file.ole; file_data; content:"Exe to msi converter free"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000593; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE_EXECUTABLE EXE2MSI binary download attempt detected"; flow:to_server,established; flowbits:isset,file.msi|file.ole; file_data; content:"Exe to msi converter free"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000594; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DelfAgent outbound connection"; flow:to_server,established; content:"|7C|SYSTEM|7C|WIN_"; fast_pattern; content:"|7C|X64|7C|"; within:10; metadata:ruleset community; classtype:trojan-activity; sid:8000256; rev:2;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DelfAgent outbound connection"; flow:to_server,established; content:"|7C|SYSTEM|7C|WIN_"; fast_pattern; content:"|7C|X86|7C|"; within:10; metadata:ruleset community; classtype:trojan-activity; sid:8000257; rev:2;)
> 
> # --------------------
> # Title: Win.Trojan.NetWire
> # Reference: Research
> # Tests: pcaps
> # Yara:
> #   - MALWARE_Win_Trojan_NetWire
> #   - MALWARE_Win_Trojan_NetWire_Packed
> #   - MALWARE_Win_Trojan_NetWire_Packed_AU3
> #   - MALWARE_Win_Trojan_NetWire_Packed_Bonsai
> #   - MALWARE_Html_SinonX_Shell
> #   - INDICATOR_Pwsh_References_Concatenated_Base64_File_Execution
> # ClamAV:
> #   - MALWARE_Win.Trojan.NetWire
> #   - MALWARE_Win.Trojan.NetWire_Packed
> #   - MALWARE_Win.Trojan.NetWire_Packed-AU3
> #   - MALWARE_Win.Trojan.NetWire_Packed-Bonsai
> #   - MALWARE_Html.SinonX_Shell
> #   - MALWARE_Html.SinonX_Shell-Mini
> #   - MALWARE_MEM_Binary_References_Html.SinonX_Shell
> #   - INDICATOR_Pwsh_References_Concatenated_Base64_File_Execution
> # Hashes:
> #   - NetWire Entry Point LNKs:
> #   - NetWire Droppers
> #      - PowerShell
> #         - 02dbe6b55c15e9d2025f7d3d7ce06bb9c82734717e59246bacab041f60293a54
> #         - 03a8ce78bd5c08f958e744901056e05b348012322d317f9781a280cbb85b5c0a
> #         - 38b3d1597473379d5f15191ccba31b69efbf4fbc81ff978c658dd30fccb43e1d
> #         - 414312dc60acb5bd9be5c63dcd401c34367a792877ab60d15f2253c36a6d58a1
> #         - 792d9300de3010812d6d5597b2fac206a4ce4bc55ec02dd50a0c3b84debbd8de
> #         - 80dc6eda5134ef78ceddae35d5ce07c6a53249d2a2561529b6bd1e204ce8f8ce
> #         - 977f9cfc23ff3a26baee23ef304b49b1102b4925e5bb67546b5f929b81677333
> #         - 9e7e1f74fb1ca8a450a4f8f48728215cbf002a26af50e7a355e5ee453f620944
> #         - adb6433b32908b0a8a8257469ec9809bd563b5ae1ef5e181b2229385c5a57ad1
> #         - a535cfbe686771a48d66489245532b1b73656e75ccc4520fa67af0c890f8b168
> #         - b4bc8392c7ba1db5824303ce17cc7a61a1ef93d0821d645821aa2e15355c33d3
> #         - d2f34fe458e969be1ab9c5a0c64bb832a9d1f33e9e314b8c7a827f09eee02484
> #         - e300f93c88101fcfcb97a31d4a03c9e0edf42d9b969d64e5246b6c6083e2b4a9
> #         - eb561ff247486a95764f2b56090b60ee1f6439dc266a5ddc53275ffb30e75157
> #         - eb57e29d4c94449d156a22fe8f13c2a4b1b242198ea3b3a3658ae2e44a9649f1
> #         - fc1f6681ee333f6803dca61644c164b87ad3cedf11535291993bbbd2b3ca347f
> #      - VBScript HTA
> #         - 02e3c79dfa0bbd7d560d268a0251735f128d9839d007623f1b5eac2cd3421be6
> #         - 8ad555c2eadd6d2b6538a5692632972f529aab7f7c9bf811f467872b7c843e48
> #         - a19b61d138196533cccd07f91da5d20dc5c62c31d7978ceee641f8a61cf77325
> #         - a53529d1f2c16f7578dc853a86dbdc8ef5610edce4b923ed6ee2c1b0ea6646a5
> #         - af7503464adf2a74abbc1f63d6bfab7a32a27f2774400814944ebc4ea67aa0d6
> #   - NetWire Exploit Documents
> #      - abb153a1338df8c2639fc6a5d9ea9a6391f302add3719b50ad96718347263756
> #   - NetWire Samples
> #      - Packed
> #         - 1449e88bab1a03d3c745f78a0225ed4d2d4a662d2222a6a7865ef1c326de4508
> #         - 323ca2e672375f96484e1a8ce701d45f08a0133f5235e3ed90811b9a23c13ead
> #         - 613f39016a98f2886828e4302592b355805a7a6c895341caa495853cbd0750b4
> #         - 6471370f1726473738aa3658202599be0e31e136fd9ac4a6ea260fc1a202daa7
> #         - a9edef77da13e53ffb9389e1542abeabc931ca199411bb582234a76f914bbbb3
> #         - c94c2fc170f185e6183864eba8cab837860054d0c9c3e760a607a2b2e1c0fe6a
> #         - e98253395308a5859a8eca299a53e63d8f768e738dc4a52f4d1670d890b8d436
> #      - AutoIt
> #         - 0fa4237d49a9b749ac4eae290000d6a8ed6c52f053cfee9ef8edf0e99997c288
> #         - 1c06638d202c3bd5f36cedca7f199e94e108a0221209f3c509d9f1a7ab970cf4
> #         - 13c46e212caa5df33dc4ae6a215180d99a6b0982be9ec709864a50128a01e0a1
> #         - 25e2a40f68b7ee59549f78b0acd07b36125b73854857001b029eb0b25cb514e4
> #         - 2dea3910f4fc91156cc7d77c8c33562949e784775e416b97345bb263f78e5f76
> #         - 3afdca4d4b83024d466c6b90fd5a30ed81a0e5070ac36507ce2d77a7c4a2be6a
> #         - 47527265e4f761495b33fc45b0f1aa19f0bc7243b01d30f37e94424315b72041
> #         - 610f6349038194fced36ae3c9f14301881c74fbcf858632f251b43882d787ffa
> #         - 613f39016a98f2886828e4302592b355805a7a6c895341caa495853cbd0750b4
> #         - 8c6ebd67ef03d4287c5ca99314e79660a0ddb623b02c6777b4b082d3df2153f2
> #         - 91e1165066bd8dd9625f3fa7256b54d2c5ac9cdb26116f8754c9a0b30155316e
> #         - 9467acde15888fe8061bb7e03d306a40e1946941a82cddfc8492952b6b289138
> #         - 99733fcaa7e13ff6b19aa9bb575eae1305adeb64299714d9c9952f3993b054b6
> #         - a08c2d35a6258f31eb7ec5f545d0c524e60440c8453d17aa04611fbf4e6a28aa
> #         - a7cba187b011c82932bb2962e464a4d04488e0fbb48556e3f930f1687259ee26
> #         - bf15ab4e9b4e80793dab6d7a5efecf227012fe4e73aebbe0703912ed50a0344e
> #         - cc27a95e1ad93653304bcedc69041a121586f7b1fcbc341257c5080ca6d6222e
> #         - db1802c62adc8b36b3a1c71772af80aa43424e5e530e8cdc7f72cf4dd316a446
> #      - ASPack
> #         - 39221998e53f482f1de878698f4afc749fca7ecb0a27df70d0cf07106a760702
> #         - c3def6ef22e8db403a0aa0297669d15e0e25a876f22953a0c608b652d22af010
> #      - Bonsai (.NET)
> #         - 5dd3649a0f4add8b55504a070404100b3049b7f972d83fff51a6af833ef79004
> #         - c76caf67b1d38a6b189c9f435f5f246b7e404fccd7998918aa02808da84ed295
> # Note:
> #   - Existing Yara/ClamAV/Snort rules hits:
> #      1. INDICATOR_LNK_References_Download_Execution_Artifacts
> #      2. INDICATOR_Internet_Shortcut_References_Local_Executable
> #      3. MALWARE_RTF_Excel_URLDownloadToFile
> #      4. INDICATOR_Excutable_Packed_ASPack
> #      5. SID: 8000503-8000504 (Imminent)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWire variant outbound connection"; flow:to_server,established; dsize:5; content:"|01 00 00 00|"; depth:4; byte_test:1, >, 95, 0, relative; metadata:ruleset community; classtype:trojan-activity; sid:8000595; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.NetWire variant outbound connection"; flow:to_client,established; dsize:5; content:"|01 00 00 00|"; depth:4; byte_test:1, >, 95, 0, relative; metadata:ruleset community; classtype:trojan-activity; sid:8000596; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWire variant outbound connection"; flow:to_server,established; dsize:<80; content:"|41 00 00 00|"; depth:4; byte_test:1, >, 95, 0, relative; metadata:ruleset community; classtype:trojan-activity; sid:8000597; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_server,established; dsize:10; content:"|06 00 00 00 81 13 14 6E 5B 69|"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:8000503; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_client,established; dsize:48; content:"|2C 00 00 00 02 00 00 00 01|"; fast_pattern:only; content:"$"; distance:2; metadata:ruleset community; classtype:policy-violation; sid:8000504; rev:1;)
> 
> # --------------------
> # Title: Osx.Adware.AMC-PCVARK-TechyUtils
> # Reference: Research
> # Tests: pcaps
> # Yara: MALWARE_Osx_Adware_AMC_PCVARK_TechyUtils
> # ClamAV: MALWARE_Osx.Adware.AMC-PCVARK-TechyUtils
> # Hashes: 1b6990a0acb465b30bead4a193ea22a1d5b52bba29afe4a00bd747cd98bd0e88
> # Note:
> #    1. The MACH-O binary is developed by someone who works for PCVARK.
> #    2. The same MACH-O binary references TechyUtils reported before.
> #    3. This led to the Malwarebytes reference: https://blog.malwarebytes.com/threat-analysis/2016/08/pcvark-plays-dirty/
> #    4. The app deletes itself after execution:
> #       {"eventType":"Process Execution","process":"sh","pid":841,"user":"N/A","message":"Process Exec: /bin/sh -c sleep 3; rm -rf \"/Users/user/Desktop/findApp.app\"","extra":"{\"parent process\":\"findApp\",\"ppid\":779,\"uid\":20}"}
> #       {"eventType":"Process Execution","process":"rm","pid":853,"user":"N/A","message":"Process Exec: rm -rf /Users/user/Desktop/findApp.app","extra":"{\"parent process\":\"sh\",\"ppid\":841,\"uid\":20}"}
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.AMC-PCVARK-TechyUtils fake app outbound connection"; flow:to_server,established; content:"/trackerwcfsrv/tracker.svc/trackOffersAccepted/?"; fast_pattern:only; http_uri; content:"Mac OS"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000598; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.AMC-PCVARK-TechyUtils fake app outbound connection"; flow:to_server,established; content:"x-count="; http_uri; content:"offerpxl="; http_uri; content:"x-fetch="; http_uri; content:"affiliateid="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000599; rev:1;)
> 
> # --------------------
> # Title: Osx.Adware.MACAgent
> # Reference: https://objective-see.com/blog/blog_0x3F.html
> # Tests: pcaps
> # Yara:
> #   - INDICATOR_Executable_Python_Byte_Compiled_Suspicious
> # ClamAV:
> #   - INDICATOR_Executable_Python_Byte_Compiled_Suspicious
> # Hashes:
> #   - 20385ff73d68dd39ea81191ff92940d97e0c1567f28431862d8ba1dbbe66d41f
> #   - 475de611a1062a55f2a12fb9731caab9326bad2d2ff5505c93106cebf3abe4c2
> # Note:
> #   - The "dat.db" did not contain "up", so we defer to the built-in file mode (ur)
> #     at the same directory where the "dat.db" lives.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.MACAgent variant outbound connection"; flow:to_server,established; content:"&mvr="; http_uri; content:"User-Agent: Python-urllib/"; fast_pattern:only; http_header; pcre:"/\x26mvr=[0-9]{2}\.[0-9]{2}(\.[0-9]{1,2})?/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000600; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.MACAgent variant outbound connection"; flow:to_server,established; content:"?dom="; http_uri; content:"&mid="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000601; rev:1;)
> 
> # --------------------
> # Title: Win.Trojan.Amadey downloader
> # Reference: Research
> # Tests: pcaps
> # Yara: MALWARE_Win_Amadey_Downloader
> # ClamAV: MALWARE_Win.Amadey.Downloader
> # Hashes:
> #   - 3fb8ab8a4d1ee6c651b4731b93db2f5aa22dec5400fb73d3c1702fb6128e6bc7
> #   - 5576371e9f23a6507898c257523c80a47b9408e54f78ba5a5ce038cc13cf4236 (upx-unpacked)
> #   - 76c7f4ebcb84a1418e5ae49889558ec00f5b49e66501f6c915e33396fc3bec92 (upx-packed)
> #   - 9753ff52a40c83d08f4db6bfc989292eef5b246ce49882bda1375795efd73f39
> #   - ab3cac7d9c1cb2d78e1be8c4749cbc7332fdc926ea85a92000e2c7f52fab51b5
> #   - ec6097c4fdbe0736e416b58be0a4dd042c46a9cf7eef997b3eb72384609cbca9
> # Note:
> #   - One case involved dropping GandCrab ransomware, hitting
> #     existing rules SIDs 8000551 and 8000552 from "Multiple signatures 024".
> #   - One case dropped a binary hitting SID 48940.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Amadey downloader outbound connection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"id="; http_client_body; content:"vs="; http_client_body; content:"os="; http_client_body; content:"av="; http_client_body; content:"pc="; http_client_body; content:"un="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000602; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Amadey downloader outbound connection attempt post-download"; flow:to_server,established; content:"/index.php"; http_uri; content:"Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 14|0D 0A|"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"Connection"; http_header; pcre:"/[a-z0-9]{2}=[0-9]{10}\x26$/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000603; rev:1;)
> 
> # --------------------
> # Title: MSIL Stealer
> # Reference: Research
> # Tests: pcaps
> # Yara: MALWARE_MSIL_Stealer
> # ClamAV: MALWARE_MSIL.Stealer
> # Hashes:
> #   - 06c7609239d733d28fbb871b0c9459b6fe1e72df18dc0d4850ade5081b77ab80
> #   - 841c6cc82cc2c1fd38531953ffa4559798c082dbeb1852d73a24180fe889e3b4
> #   - c31757bd0ff0850199dd28d6db0bc174cd7dff38126979bfef5d8a21b361d22c
> # Note:
> #   - Existing Yara/ClamAV signatures hits:
> #        1. INDICATOR_Binary_References_Many_Browsers
> #        2. INDICATOR_Binary_Referenfces_Many_Messaging_Clients
> #        3. INDICATOR_Binary_References_Many_Builtin_Windows_Commands (shutdown, attrib, timeout)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL Stealer outbound connection"; flow:to_server,established; urilen:13; content:"/gate/log.php"; fast_pattern:only; http_uri; content:"params="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000604; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL Stealer outbound connection"; flow:to_server,established; content:"/file.php?"; http_uri; content:"hash="; fast_pattern:only; http_uri; content:"&callback="; http_uri; content:"&js="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000605; rev:1;)
> 
> # --------------------
> # Title: Win.Trojan.Vidar/Arkei
> # Reference: Research
> # Tests: pcaps
> # Yara: MALWARE_Win_Trojan_Nocturnal (Updated)
> # ClamAV: MALWARE_Win.Trojan.Nocturnal (Updated)
> # Hashes:
> #   - b26324c3eddb7cd723b079275bbcd0a722297dd00acdcd428702a48a5dc9ed2f
> #   - c8007a84153ed91db6b39038c06f452b2462d6a82d156e7989669eaf96f45e39
> # Note:
> #    - SID 46895 does not trigger since the URLs appear to have
> #      changed or become more dynamic
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Arkei/Vidar variant outbound connection ip address check"; flow:to_server,established; content:"/line/"; http_uri; content:"Content-Type: multipart/form-data|3B|"; http_header; content:"Content-Length: "; http_header; content:"|0D 0A|"; distance:2; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000606; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Arkei/Vidar variant outbound connection"; flow:to_server,established; content:"Content-Type: multipart/form-data|3B|"; http_header; content:"|3B 20|name=|22|hwid|22|"; http_client_body; content:"|3B 20|name=|22|os|22|"; http_client_body; content:"|3B 20|name=|22|platform|22|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000607; rev:1;)
> 
> # --------------------
> # Title: Win.Trojan.HawkEye HTTP / FTP variants
> # Reference: Research
> # Tests: pcaps
> # Yara: NA
> # ClamAV: NA
> # Hashes:
> #   - 3be631a20243c923f5d50de878d78f91acda664d3f924c03ef152f76de04c0ba (http)
> #   - 96fc6a7c48bd453a7c01f5d521107d94ca18136bcbf90e2c482bbd2a8c0981ac (http)
> #   - a20f321a50e849820b6683807f77a2c2507aefc0cc5becf9936a34faf4d18e90 (http)
> #   - d1bc1b3c8b84b0ad04adf73fac0542c4a434ca1993db8493e9ef129f409949e2 (http)
> #   - a48f9c07a61d328c4364bb9da0f7c673260fdfa5ec7ea8b4380e8e38ae888718 (ftp)
> #   - 148ba1a13890f909ecad49e304d6969521729f79aaf17cd52fdb8e133dc0fa36 (ftp)
> #   - 542d0c9b0bb3277f44b0267a471049e831a9db0c66a69834f562b38712663fcd (ftp)
> #   - 3b2850cd8a54bfdb4c52c45f541c4d97047a28b19d034bbec609389b19019094 (ftp)
> # Note: NA.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HawkEye http variant outbound connection"; flow:to_server,established; content:"Secret="; http_client_body; content:"HWID="; nocase; fast_pattern:only; http_client_body; content:"Name="; nocase; content:"OS="; nocase; http_client_body; content:"Type="; http_client_body; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000608; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.HawkEye ftp variant outbound connection"; flow:to_server,established; content:"STOR HawkEyeKeylogger"; depth:21; fast_pattern; metadata:ruleset community, service ftp; classtype:trojan-activity; sid:8000609; rev:1;)
> 
> # --------------------
> # Title: Win.Trojan.RevengeRAT variant
> # Reference: Research
> # Tests: pcaps
> # Yara:
> #   - MALWARE_Win_Trojan_RevengeRAT
> #   - INDICATOR_JS_References_Local_Script_Executable
> #   - INDICATOR_JS_Referencing_Embedded_Hex_Base64_Encoded_Binary
> # ClamAV:
> #   - MALWARE_Win.Trojan.RevengeRAT
> #   - INDICATOR_JS_References_Local_Script_Executable
> #   - INDICATOR_JS_References_Embedded_Hex_Base64_Encoded_Binary
> # Hashes:
> #   - 45f81641791809e1fe09d1b6c3200c39e6fd0eb26713efe410591d17983dbf0d (zipped-js)
> #   - 8341231e5dfd89f379c732101097312fbdd55a1f4a4171f56e68c584b355c028 (zipped-js)
> #   - c3c3d825a58b7d9e4832e5edade2a0fbbd8664d46dbe53f848fd2537fb4893bf (zipped-js)
> #   - cdfb86da0aadb442640137d1b0bd0126317a0bda895284d5b056b8030b0d4604 (decompressed-js)
> # Note:
> #   - SIDs 45961 and 45962 submitted on February 20, 2018 are still valid.
> #     Didn't submit with Yara/ClamAV that time. Review community-ruleset.
> #   - Below rule is a generic one, just in case.
> #   - Existing hits:
> #      - INDICATOR_Internet_Shortcut_References_Local_Script_Executable (persistence)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.RevengeRAT outbound message pattern detected"; flow:to_server,established; dsize:<100; content:"|2A 2D 5D|NK|5B 2D 2A|"; isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000610; rev:1;)
> 
> # --------------------
> # Title: Win.Trojan.AutoHotKey
> # Reference: Research
> # Tests: pcaps
> # Yara: MALWARE_Win_Trojan_AutoHotKey_AHK
> # ClamAV: MALWARE_Win.Trojan.AutoHotKey-AHK
> # Hashes:
> #   - Droppers (OOXML XLS):
> #       - 22fefdee6b5f04b8ef4b4cc0127b00a9568365c6a1c6be7a709c6a5aa5fc5490
> #       - efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12
> #   - AHK Script:
> #       - acb3181d0408c908b2a434fc004bf24fb766d4cf68bf2978bc5653022f9f20be
> # Note:
> #   - AutoHotKey script (.ahk) abused with the legitimate AutoHotKey executable.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AutoHotKey-ahk outbound connection"; flow:to_server,established; urilen:<30; content:".php"; http_uri; content:"&string="; http_client_body; content:"|3B| Charset=UTF-8|0D 0A|"; http_header; content:"POST"; http_method; content:!"Accept-"; http_header; pcre:"/^\x26string=[0-9A-Z]{30}$/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000611; rev:1;)
> 
> # --------------------
> # Title: Win.Trojan.Baldr Stealer
> # Reference: https://www.youtube.com/watch?v=E2V4kB_gtcQ
> # Reference: https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/
> # Tests: pcaps
> # Yara: MALWARE_Win_Trojan_Baldr
> # ClamAV: MALWARE_Win.Trojan.Baldr
> # Hashes:
> #   - a0d4500b9aad2c96f5a1775eee1541e78fc504f017b4daaa51f48907b1a49191 (unpacked)
> #   - 06a7215e3083038c6a0c58b5752245c20323d8568d614ce448a36a4132fa147e
> #   - 12d95ffc99c9225a8a9f8bed6a0390fa7d2f4df4c5db16938584cc9bd28801b6
> #   - 2096f782cb91482647ef668b209fa2f098dcb2028aa923aafcb2903a8b91d3aa
> #   - 435bb8b28282448aa811dd74b0a4f058729e68aeeb8217dcabaa1208ca4e1cc5
> #   - 5fa915ad3471a9f0f7532ae034c93c8c5faaf8c73f7c99e7bbdd221c59b78217
> #   - 852eca75ebd886b964d8e9cbeb62bf829f9b3b9e26f50be8415ec8fd0a777321
> #   - a0d4500b9aad2c96f5a1775eee1541e78fc504f017b4daaa51f48907b1a49191
> #   - b843ef19e3ae2b2dc2b0dc52f26dbee413ff05e7465abce049504cfe12af6a8c
> #   - fc3bba2ddf6bc25ef7ff1ad69fa99785206250cdee4cd51fed11aa5510e86690
> # Note: NA
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Baldr variant outbound connection"; flow:to_server,established; content:"/gate.php"; http_uri; content:"|3B| filename=|22|Encrypted.zip|22|"; http_client_body; content:"Expect: "; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000612; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Baldr variant outbound connection"; flow:to_server,established; content:"/gate.php HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; content:"Expect: 100-continue|0D 0A 0D 0A|"; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; content:!"Content-Disposition"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000613; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Baldr variant outbound connection"; flow:to_server,established; content:"hwid="; http_uri; content:"&os=Windows"; fast_pattern:only; http_uri; content:"&file="; http_uri; content:"&cookie="; http_uri; content:"Expect: 100-continue|0D 0A|"; content:"PK"; depth:2; http_client_body; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000614; rev:1;)
> 
> # --------------------
> # Title: Cryptocurrency Mining (JCEMiner?)
> # Reference: Research
> # Tests: pcaps
> # Yara: NA
> # ClamAV: NA
> # Hashes: NA
> # Note:
> #   - The patterns are similar to existing signatures but they are
> #     still different, causing FNs.
> #   - Source binary was not acquired.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER Cryptocurrency Miner outbound connection attempt"; flow:established,to_server; content:"|7B 22|method|22 3A 22|login|22|"; content:"|22|jsonrpc|22 3A|"; content:"|22 2C 22|params|22 3A 7B 22|login|22 3A|"; content:"|22|pass|22 3A|"; content:"|22|agent|22 3A|"; metadata:ruleset community; classtype:policy-violation; sid:8000615; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER Cryptocurrency Miner outbound connection attempt"; flow:established,to_server; content:"|7B 22|method|22 3A 22|submit|22|"; content:"|22 2C 22|params|22 3A 7B 22|id|22 3A|"; content:"|22|job_id|22 3A|"; metadata:ruleset community; classtype:policy-violation; sid:8000616; rev:1;)
> 
> # --------------------
> # Title: Luminati - Residential IP and Proxy Service for Businesses
> # Reference: Research
> # Reference: https://documents.trendmicro.com/assets/white_papers/wp-illuminating-holaVPN-and-the-danger-it-poses.pdf
> # Tests: pcaps
> # Yara: NA
> # ClamAV: NA
> # Hashes: f0a7e492cf4d74ee0cc7e9dc148cba409eeed23971a907d8cbff83a650738b0d
> # Note:
> #   - Has been observed to be downloaded by other malicious binaries, example:
> #       - eb7fc232d8f1fdeb1d34a5951bccb16c2026807239e5e8c3f23230cd7ec383c5
> #   - Sample URLs:
> #       1. hxxp://51[.]255[.]87[.]66/admin/rmt/luminati.io/static/net_svc-x64-1.129.929.zip
> #       2. http://198[.]16[.]72[.]154/admin/rmt/luminati.io/static/net_updater32-1.129.29.exe
> #       3. http://217[.]182[.]139[.]96/admin/rmt/luminati.io/static/lum_sdk32-1.129.29.dll
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Luminati proxy/anonymizer download attempt detected"; flow:to_server,established; content:"/admin/rmt/luminati.io/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000617; rev:1;)
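Two of the submitted rules are worth walking through because their options only make sense together: in the NetWire beacons (sids 8000595 to 8000597) `content` with `depth:4` pins the 4-byte tag to the start of the segment and `byte_test:1,>,95,0,relative` then inspects the single byte that follows it, while in the Amadey post-download check-in (sid 8000603) the required `Content-Length: 14` is exactly the length of a body matching `[a-z0-9]{2}=[0-9]{10}&`. The Python below is an added illustration, not part of the original submission or of Snort: it re-implements that matching logic over constructed sample payloads. The HTTP request splitter, the sample requests and the host names in them are assumptions of this example; flow direction is not modelled, so the 0x01 beacon is reported as 8000595 regardless of direction.

```python
import re
from typing import Optional

# --- sids 8000595 / 8000597: short TCP beacon ------------------------------
# Snort options mirrored here:
#   dsize:5  /  dsize:<80              -> payload length test
#   content:"|01 00 00 00|"; depth:4   -> the tag must lie in the first 4 bytes,
#                                         i.e. it must be exactly bytes 0..3
#   byte_test:1,>,95,0,relative        -> the 1 byte after the tag must be > 95
NETWIRE_TAG_SHORT = b"\x01\x00\x00\x00"   # sid 8000595 (8000596 is the to_client twin)
NETWIRE_TAG_LONG = b"\x41\x00\x00\x00"    # sid 8000597


def netwire_sid(payload: bytes) -> Optional[int]:
    """Return the sid whose options the raw TCP payload satisfies, else None."""
    n = len(payload)
    if n < 5:                      # byte_test needs a byte after the 4-byte tag
        return None
    tag, flag = payload[:4], payload[4]
    if n == 5 and tag == NETWIRE_TAG_SHORT and flag > 95:
        return 8000595
    if n < 80 and tag == NETWIRE_TAG_LONG and flag > 95:
        return 8000597
    return None


# --- sid 8000603: Amadey post-download check-in ----------------------------
# The header run the rule requires, contiguous and verbatim (http_header):
AMADEY_HEADERS = (b"Accept: */*\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 14\r\n")
# pcre:"/[a-z0-9]{2}=[0-9]{10}\x26$/P" applied to the client body
AMADEY_BODY = re.compile(rb"[a-z0-9]{2}=[0-9]{10}\x26$")


def split_http_request(raw: bytes):
    """Minimal HTTP/1.1 request splitter (an assumption of this example, not
    Snort's HTTP inspector). Returns (method, uri, header_block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return method, uri, header_block + b"\r\n", body


def amadey_post_download(raw: bytes) -> bool:
    """True when the request satisfies every option of sid 8000603."""
    method, uri, headers, body = split_http_request(raw)
    if method != b"POST" or b"/index.php" not in uri:
        return False
    if AMADEY_HEADERS not in headers:
        return False
    # content:!"User-Agent"; content:!"Connection"; -> both must be absent
    if b"User-Agent" in headers or b"Connection" in headers:
        return False
    return AMADEY_BODY.search(body) is not None


# Constructed samples (not captured traffic).
AMADEY_SAMPLE = (b"POST /index.php HTTP/1.1\r\n"
                 b"Host: c2.example.invalid\r\n"
                 b"Accept: */*\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Content-Length: 14\r\n"
                 b"\r\n"
                 b"id=1556812345&")   # 2 + 1 + 10 + 1 = 14 bytes, as the header says

BENIGN_SAMPLE = (b"POST /index.php HTTP/1.1\r\n"
                 b"Host: www.example.invalid\r\n"
                 b"User-Agent: Mozilla/5.0\r\n"
                 b"Accept: */*\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Content-Length: 14\r\n"
                 b"Connection: keep-alive\r\n"
                 b"\r\n"
                 b"id=1556812345&")   # same body, but a browser-like header set

if __name__ == "__main__":
    print(netwire_sid(b"\x01\x00\x00\x00\x60"))                    # 8000595
    print(netwire_sid(NETWIRE_TAG_LONG + b"\x61" + b"\x00" * 20))  # 8000597
    print(amadey_post_download(AMADEY_SAMPLE))                     # True
    print(amadey_post_download(BENIGN_SAMPLE))                     # False
```

The negated `content:!` options carry most of the false-positive control in the Amadey rule: the body pattern and the three headers alone would also describe a hand-written form post, but a browser always sends `User-Agent` and normally `Connection`, so the rule fires only on the bare request the downloader emits.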
