[Snort-sigs] Multiple signatures 028

Matthew Mickel mmickel at sourcefire.com
Fri May 17 11:51:11 EDT 2019


Hi, Yaser-

Thanks for your submissions.  We will test these and get back to you when we have finished.  Any PCAPs and Yara/ClamAV signatures that you can share with us are greatly appreciated.  Thanks again.  Best,

Matt Mickel

> On May 15, 2019, at 2:44 PM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:
> 
> Hello,
> 
> A short list of new signatures available below. PCAPs as well as Yara/ClamAV signatures are available.
> 
> Thank you.
> YM
> 
> # --------------------
> # Title: Spam campaign targets Exodus Mac Users
> # Reference: https://labsblog.f-secure.com/2018/11/02/spam-campaign-targets-exodus-mac-users/
> # Tests: syntax only
> # Yara: MALWARE_Osx_Trojan_RealtimeSpy
> # ClamAV: MALWARE_Osx.Trojan.RealtimeSpy
> # Hashes:
> #   - 123c0447d0a755723025344d6263856eaf3f4be790f5cda8754cdbb36ac52b98
> #   - 26a2711c45674e3a3e6b14c6680809e9620bea57b6b83f40d70485aa4df8a5a6
> #   - 2ec250a5ec1949e5bb7979f0f425586a2ddc81c8da93e56158126cae8db81fd1
> #   - 987fd09af8096bce5bb8e662bdf2dd6a9dec32c6e6d238edfeba662dd8a998fc
> #   - ae2390d8f49084ab514a5d2d8c5fd2b15a8b8dbfc65920d8362fe84fbe7ed8dd
> #   - b1da51b6776857166562fa4abdf9ded23d2bdd2cf09cb34761529dfce327f2ec
> # Note:
> #    - Old reference but why not
> #    - No package (pslist) so execution failed, and we don't
> #      know of a method to reconstruct a package or have access to
> #      the package, so we rely on URL strings from the binary and behavior tab from VT.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.RealtimeSpy monitor app outbound connection"; flow:to_server,established; urilen:12; content:"/locrts7.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000618; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.RealtimeSpy monitor app outbound connection"; flow:to_server,established; content:"/addcomputer.php?username="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000619; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.RealtimeSpy monitor app outbound connection"; flow:to_server,established; urilen:21; content:"/add_activity_log.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000620; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.RealtimeSpy monitor app outbound connection"; flow:to_server,established; urilen:14; content:"/upload_ss.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000621; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.RealtimeSpy monitor app outbound connection"; flow:to_server,established; content:"/stopss.php?username="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000622; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.RealtimeSpy monitor app outbound connection"; flow:to_server,established; content:"/get_ss_comp.php?username="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000623; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.RealtimeSpy monitor app outbound connection"; flow:to_server,established; urilen:15; content:"/add_rt_log.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000624; rev:1;)
> 
> # --------------------
> # Title: Let’s nuke Megumin Trojan
> # Reference: https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/
> # Tests: pcaps
> # Yara: MALWARE_Win_Trojan_Megumin
> # ClamAV: MALWARE_Win.Trojan.Megumin
> # Hashes:
> #   - 8777749af37a2fd290aad42eb87110d1ab7ccff4baa88bd130442f25578f3fe1
> #   - 89813ebf2da34d52c1b924b408d0b46d1188b38f035d22fab26b852ad6a6fc19
> #   - c70120ee9dd25640049fa2d08a76165948491e4cf236ec5ff204e927a0b14918
> #   - d15e1bc9096810fb4c954e5487d5a54f8c743cfd36ed0639a0b4cb044e04339f
> #   - d431e6f0d3851bbc5a956c5ca98ae43c3a99109b5832b5ac458b8def984357b8
> #   - e6c447c826ae810dec6059c797aa04474dd27f84e37e61b650158449b5229469
> #   - ed65610f2685f2b8c765ee2968c37dfce286ddcc31029ee6091c89505f341b97
> #   Triage:
> #   - 280564e498cc140d0a0e1ccb744b0130c885f4179ee68bd6c52766c3fe518c00 (unpacked/dumped)
> #   - 7f65c5836da936a81e420ef4cf1c93abb094d5edb15718871ca63affbf0c753e (unpacked/dumped) 
> # Note:
> #   - Existing Yara/ClamAV signatures hits:
> #       1. INDICATOR_Binary_References_Many_Wallets                     > Ethereum, Bitcoin, LiteCoin, ByteCoin, ReddCoin, EmerCoin, ZCash, Dash, Monero, Electron
> #       2. INDICATOR_Binary_References_Many_Builtin_Windows_Commands    > taskmgr, timeout, attrib
> #       3. INDICATOR_Binary_References_Many_Builtin_Windows_Executables > cmd.exe, attrib.exe, dllhost.exe
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; urilen:8; content:"/suicide"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000625; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; urilen:7; content:"/config"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000626; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; urilen:7; content:"/msgbox"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000627; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; content:"/addbot?hwid="; fast_pattern:only; http_uri; content:"&bit="; http_uri; content:"&win="; http_uri; content:"&cpu="; http_uri; content:"&gpu="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000628; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; urilen:10; content:"/blacklist"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000629; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; content:"/task?hwid="; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000630; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; content:"/completed?hwid="; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000631; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; content:"/gate?hwid="; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"POST"; http_method; content:!"User-Agent"; http_header; content:!"referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000632; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; content:"/newclip?hwid="; fast_pattern:only; http_uri; content:"&type="; http_uri; content:"&date="; http_uri; content:!"User-Agent"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000633; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megumin outbound connection"; flow:to_server,established; content:"User-Agent: Megumin/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000634; rev:1;)
> 
> # --------------------
> # Title: Win.Ransomware.MegaCortex / Win.Trojan.Rietspoof
> # Reference:
> #   - https://blog.avast.com/rietspoof-malware-increases-activity
> #   - https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/
> #   - https://github.com/sophoslabs/IoCs/blob/master/Ransomware-MegaCortex
> # Tests: pcaps (f2p)
> # Yara:
> #   - MALWARE_Win_Trojan_Rietspoof
> #   - MALWARE_Win_Ransomware_MegaCortex
> # ClamAV: 
> #   - MALWARE_Win_Trojan_Rietspoof
> #   - Win.Ransomware.MegaCortex
> # Hashes:
> #   - MegaCortex:
> #       - 0858bc69e02c730a55f760f01374bdc378aaff806478d1c18f9e587d7121b56a
> #       - 11f7bb37dd425150e6b095a8d1f3a347ee83e604302a4d9bb201900e74a81d73
> #       - 598ee9ee6ad4467ddf4b4d325cb15928fd692da8d6e1c8980d2d86d97ea2f4f9
> #       - b17ff8c0d83d07fca854d669d1389e8e24718ca54ed1543fdb09e9b9b39456ef
> #       - b4a65070354d2a89e84b5ddae81a954a868a714a248a48b72c832c759d85558a
> #       - f5d39e20d406c846041343fe8fbd30069fd50886d7d3d0cce07c44008925d434
> #   - Rietspoof:
> #       - 25d7718dc30eccd1a9a2bc037a49b98c503f8064a55a009b1818ba448bcad27b
> #       - 523fcda29655bec72d941311e70e7e810cc5a040d527fb5739120e36fee2e5df
> #       - 9097f3cbedc79d1c1b91a0c3e776c19d07cb233d79e4af6f325e8d5d537348c2
> #       - acf46be54c303002d74df6c975083c706b3e1cb8a92e75516579cd0fe65ce918
> #       - f5d739b5b15530be8acafc0f4f358ec48efbe3b1a5d7debbf94bed17b2a3b940
> # Note:
> #   - Robbinhood ransomware is surprisingly similar to MegaCortex in terms
> #     of the Windows services being targeted.
> 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Rietspoof malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"M9h5an8f8zTjnyTwQVh6hYBdYsMqHiAz"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000635; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Rietspoof malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"M9h5an8f8zTjnyTwQVh6hYBdYsMqHiAz"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000636; rev:1;)
> 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Rietspoof malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Content-MD5:%s|0D 0A 00 00 00 00|User-agent:Mozilla/5.0 (Windows|3B| U|3B|"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000637; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Rietspoof malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Content-MD5:%s|0D 0A 00 00 00 00|User-agent:Mozilla/5.0 (Windows|3B| U|3B|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000638; rev:1;)
> 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.MegaCortex malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|46 6c 75 73 68 46 69 6c 65 42 75 66 66 65 72 73|"; content:"|46 69 6e 64 43 6c 6f 73 65|"; distance:3; content:"|46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 41|"; distance:3; content:"|46 69 6e 64 4e 65 78 74 46 69 6c 65 41|"; distance:3; content:"|53 65 74 53 74 64 48 61 6e 64 6c 65|"; distance:95; content:"|43 72 65 61 74 65 46 69 6c 65 57|"; distance:3; content:"|57 72 69 74 65 43 6f 6e 73 6f 6c 65 57|"; distance:3; content:"|48 65 61 70 53 69 7a 65|"; distance:3; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000639; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.MegaCortex malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|46 6c 75 73 68 46 69 6c 65 42 75 66 66 65 72 73|"; content:"|46 69 6e 64 43 6c 6f 73 65|"; distance:3; content:"|46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 41|"; distance:3; content:"|46 69 6e 64 4e 65 78 74 46 69 6c 65 41|"; distance:3; content:"|53 65 74 53 74 64 48 61 6e 64 6c 65|"; distance:95; content:"|43 72 65 61 74 65 46 69 6c 65 57|"; distance:3; content:"|57 72 69 74 65 43 6f 6e 73 6f 6c 65 57|"; distance:3; content:"|48 65 61 70 53 69 7a 65|"; distance:3; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000640; rev:1;)
> 
> # --------------------
> # Title: Win.Ransomware.Robbinhood
> # Reference: Research 
> # Reference: https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/
> # Reference: https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/
> # Tests: pcaps (f2p)
> # Yara: 
> #   - MALWARE_Win_Ransomware_Robbinhood
> # ClamAV: 
> #   - MALWARE_Win.Ransomware.Robbinhood
> # Hashes:
> #   - 21cb84fc7b33e8e31364ff0e58b078db8f47494a239dc3ccbea8017ff60807e3
> #   - 3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b
> #   - 9977ba861016edef0c3fb38517a8a68dbf7d3c17de07266cfa515b750b0d249e
> #   - bfc39ca9a223a731fb6d9ffb29923844904cb842435cde0c640ba79818b5e728
> #   - e128d5aa0b5a9c6851e69cbf9d2c983eefd305a10cba7e0c8240c8e2f79a544f
> # Note:
> #   - Hits on existing Yara/ClamAV signatures:
> #       1. INDICATOR_Binary_References_Many_Builtin_Windows_Commands    > taskkill, tasklist, WMIC
> #       2. INDICATOR_Binary_References_Many_Builtin_Windows_Executables > cmd.exe, bcdedit.exe, wevtutil.exe, vssadmin.exe, WMIC.exe, sc.exe
> #   - Robbinhood ransomware is surprisingly similar to MegaCortex in terms
> #     of the Windows services being targeted.
> 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE golang binary download attempt detect"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Go build ID: "; fast_pattern:only; flowbits:set,file.golang; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000641; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE golang binary download attempt detect"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Go build ID: "; fast_pattern:only; flowbits:set,file.golang; flowbits:noalert; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000642; rev:1;)
> 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Robinhood malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.golang; file_data; content:".taskkilltasklistunknown("; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000643; rev:1;)
> 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Robinhood malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.golang; file_data; content:".sysvssadmin.exewevtutil.exe MB released"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000644; rev:1;)
> 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Robinhood malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.golang; file_data; content:".enc_robbinhood"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000645; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Robinhood malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.golang; file_data; content:".taskkilltasklistunknown("; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000646; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Robinhood malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.golang; file_data; content:".sysvssadmin.exewevtutil.exe MB released"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000647; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Robinhood malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.golang; file_data; content:".enc_robbinhood"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000648; rev:1;)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20190517/74caf2b7/attachment-0001.html>


More information about the Snort-sigs mailing list