Hi,

The rules below attempt to detect exploit documents generated by ThreadKit. While there are rules to detect the exploit attempts, the permissiveness of the RTF syntax may result in false negatives (FN). The sample hashes below were worked with, and pcaps are available for these. As I stumble upon more documents, I will update this thread. I added these under the MALWARE-OTHER category since the rules do not look for the exploits, but for the documents themselves.

Some of the rules can be grouped using PCRE, but I kept them separate. Some of the rules may also seem redundant, but the idea is to capture as many variants as possible.

If this sounds like a bad idea, please let me know so I won't waste cycles on them.

# --------------------
# Date: 2018-05-28
# Title: ThreadKit Documents
# Tests: pcap
# Reference: Research
# Hashes:
#   - bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c
#   - af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5
#   - 8e1c6f44b02e72b1c1c9af0ffdcee0fbe67fb8ee370bc67e4e01ec43f8b92ec9
#   - 53e8890f0d002d9611675419b3d8d0899b599c59f4557e105211d294bf92f023
#   - 2bb9d0d8166a8d330cb3c5be6fb60539fe29e05cc3acb4ac7ec3da233fb013ec

# HTTP ($FILE_DATA_PORTS, i.e. the ftp-data/http/imap/pop3 services listed in the metadata)
# RTF served over $FILE_DATA_PORTS that carries an \objhtml object whose \objdata
# hex stream contains "Package\0" (50 61 63 6B 61 67 65 00) followed within 100
# bytes by a hex-encoded ".txt" (2E 74 78 74). Every content after the first is
# relative (distance:0 / within), so the control words and hex runs must appear
# in this order. nocase is needed because RTF hex digits may be upper- or
# lower-case; the hex runs will not match if the writer breaks them with
# whitespace or line ends (the FN risk noted above). Requires the file.rtf
# flowbit to have been set on this flow by an earlier (file-identify) rule.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding TXT file"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E747874"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000075; rev:1;)

# Same \objhtml / \objdata / "Package\0" structure as sid:8000075, but the
# hex-encoded extension that must follow within 100 bytes is ".sct"
# (2E 73 63 74). Both hex matches are nocase because RTF hex may use either
# case; whitespace inside a hex run defeats the match.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding SCT file"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E736374"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000076; rev:1;)

# Same \objhtml / \objdata / "Package\0" structure as sid:8000075, but the
# hex-encoded extension that must follow within 100 bytes is ".bat"
# (2E 62 61 74). Both hex matches are nocase because RTF hex may use either
# case; whitespace inside a hex run defeats the match.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding BAT file"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E626174"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000077; rev:1;)

# Same \objhtml / \objdata / "Package\0" structure as sid:8000075, but the
# hex-encoded extension that must follow within 100 bytes is ".exe"
# (2E 65 78 65). Both hex matches are nocase because RTF hex may use either
# case; whitespace inside a hex run defeats the match.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding EXE file"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E657865"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000078; rev:1;)

# \objhtml object that also carries \objupdate and is wrapped in \mmath, with
# the \bin control word within 100 bytes of \mmath. Matches after the first are
# relative, so the control words must appear in this order. nocase applies to
# the \bin match only.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - objhtml mmath object obfuscation"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0; content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000079; rev:1;)

# Narrower variant of sid:8000079: \bin must sit within 50 bytes of \mmath and
# the literal "OLE2Link" within 150 bytes of \bin. Here nocase applies to the
# OLE2Link match only, while sid:8000081 places it on \bin instead.
# NOTE(review): confirm which placement is intended; if both should be
# case-insensitive, add nocase to both matches in each rule.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - objhtml mmath object obfuscation OLE2Link"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0; content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:50; content:"OLE2Link"; within:150; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000080; rev:1;)

# Like sid:8000080 but without the \mmath requirement: \objhtml, then
# \objupdate, then \bin within 50 bytes (nocase), then the literal "OLE2Link"
# within 150 bytes of \bin. The OLE2Link match is case-sensitive here, unlike
# sid:8000080 — NOTE(review): confirm this asymmetry is intended.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - objhtml object obfuscation OLE2Link"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0; content:"|5C|bin"; within:50; nocase; content:"OLE2Link"; within:150; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000081; rev:1;)

# \objemb counterpart of sid:8000079: \objemb, then \objupdate, then \mmath,
# with \bin within 100 bytes of \mmath (nocase on \bin only). Kept as a
# separate rule rather than folded into a PCRE so each variant alerts on its
# own sid.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - objemb mmath object obfuscation"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objemb"; content:"|5C|objupdate"; distance:0; content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000082; rev:1;)

# METAFILEPICT followed later by an INCLUDEPICTURE field whose argument starts
# with "http (a picture fetched from a remote URL), with the literal "MZ"
# within 200 bytes of that field. All three matches are case-sensitive.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - picture object remote"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"METAFILEPICT"; content:"INCLUDEPICTURE |22|http"; distance:0; content:"MZ"; within:200; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000083; rev:1;)
# Two non-relative content prefilters (\object\obj and \objupdate) gate the
# pcre, which pins the exact sequence \object\objemb\objupdate\v or
# \object\objhtml\objupdate\v immediately followed by a bare LF (0x0a) and a
# space. NOTE(review): a CRLF-terminated document will not match; the bare LF
# appears to be part of the "distinct" structure the msg refers to, so confirm
# against the samples before relaxing it to \x0d?\x0a.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER ThreadKit document - distinct obj structure"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|object|5C|obj"; content:"|5C|objupdate"; pcre:"/\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv\x0a\x20/"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000084; rev:1;)

# SMTP
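# SMTP twin of sid:8000075: RTF sent to $SMTP_SERVERS carrying an \objhtml
# object whose \objdata hex stream contains "Package\0" (50 61 63 6B 61 67 65 00)
# followed within 100 bytes by a hex-encoded ".txt" (2E 74 78 74). The hex
# matches are nocase because RTF hex may use either case. metadata carries
# service smtp (not the ftp-data/http/imap/pop3 list of the $FILE_DATA_PORTS
# variant) so that service-aware inspection applies this rule to SMTP traffic.
# Assumes a file-identify rule sets file.rtf on the SMTP flow — confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding TXT file"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E747874"; within:100; nocase; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000085; rev:1;)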

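# SMTP twin of sid:8000076: \objhtml / \objdata / "Package\0" followed within
# 100 bytes by a hex-encoded ".sct" (2E 73 63 74), both hex matches nocase.
# metadata is service smtp rather than the ftp-data/http/imap/pop3 list copied
# from the $FILE_DATA_PORTS variant, so service-aware inspection applies the
# rule to SMTP traffic. Assumes file.rtf is set on the SMTP flow — confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding SCT file"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E736374"; within:100; nocase; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000086; rev:1;)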

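# SMTP twin of sid:8000077: \objhtml / \objdata / "Package\0" followed within
# 100 bytes by a hex-encoded ".bat" (2E 62 61 74), both hex matches nocase.
# metadata is service smtp rather than the ftp-data/http/imap/pop3 list copied
# from the $FILE_DATA_PORTS variant, so service-aware inspection applies the
# rule to SMTP traffic. Assumes file.rtf is set on the SMTP flow — confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding BAT file"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E626174"; within:100; nocase; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000087; rev:1;)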

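# SMTP twin of sid:8000078: \objhtml / \objdata / "Package\0" followed within
# 100 bytes by a hex-encoded ".exe" (2E 65 78 65), both hex matches nocase.
# metadata is service smtp rather than the ftp-data/http/imap/pop3 list copied
# from the $FILE_DATA_PORTS variant, so service-aware inspection applies the
# rule to SMTP traffic. Assumes file.rtf is set on the SMTP flow — confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding EXE file"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objdata"; distance:0; content:"5061636B61676500"; distance:0; nocase; content:"2E657865"; within:100; nocase; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000088; rev:1;)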

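# SMTP twin of sid:8000079: \objhtml, then \objupdate, then \mmath, with \bin
# within 100 bytes of \mmath (nocase on \bin only); matches are ordered because
# each is relative. metadata is service smtp rather than the ftp-data/http/
# imap/pop3 list copied from the $FILE_DATA_PORTS variant, so service-aware
# inspection applies the rule to SMTP traffic. Assumes file.rtf is set on the
# SMTP flow — confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - objhtml mmath object obfuscation"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0; content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000089; rev:1;)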

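# SMTP twin of sid:8000080: \bin within 50 bytes of \mmath and the literal
# "OLE2Link" within 150 bytes of \bin; nocase covers OLE2Link only here while
# sid:8000091 places it on \bin — NOTE(review): confirm which is intended.
# metadata is service smtp rather than the ftp-data/http/imap/pop3 list copied
# from the $FILE_DATA_PORTS variant, so service-aware inspection applies the
# rule to SMTP traffic. Assumes file.rtf is set on the SMTP flow — confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - objhtml mmath object obfuscation OLE2Link"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0; content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:50; content:"OLE2Link"; within:150; nocase; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000090; rev:1;)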

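# SMTP twin of sid:8000081: \objhtml, then \objupdate, then \bin within 50
# bytes (nocase), then the case-sensitive literal "OLE2Link" within 150 bytes
# of \bin; no \mmath requirement. metadata is service smtp rather than the
# ftp-data/http/imap/pop3 list copied from the $FILE_DATA_PORTS variant, so
# service-aware inspection applies the rule to SMTP traffic. Assumes file.rtf
# is set on the SMTP flow — confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - objhtml object obfuscation OLE2Link"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0; content:"|5C|bin"; within:50; nocase; content:"OLE2Link"; within:150; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000091; rev:1;)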

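# SMTP twin of sid:8000082: \objemb, then \objupdate, then \mmath, with \bin
# within 100 bytes of \mmath (nocase on \bin only). metadata is service smtp
# rather than the ftp-data/http/imap/pop3 list copied from the
# $FILE_DATA_PORTS variant, so service-aware inspection applies the rule to
# SMTP traffic. Assumes file.rtf is set on the SMTP flow — confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - objemb mmath object obfuscation"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objemb"; content:"|5C|objupdate"; distance:0; content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000092; rev:1;)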

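# SMTP twin of sid:8000083: METAFILEPICT, then an INCLUDEPICTURE field whose
# argument starts with "http, then the literal "MZ" within 200 bytes; all
# matches case-sensitive. metadata is service smtp rather than the
# ftp-data/http/imap/pop3 list copied from the $FILE_DATA_PORTS variant, so
# service-aware inspection applies the rule to SMTP traffic. Assumes file.rtf
# is set on the SMTP flow — confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - picture object remote"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"METAFILEPICT"; content:"INCLUDEPICTURE |22|http"; distance:0; content:"MZ"; within:200; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000093; rev:1;)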

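# SMTP twin of sid:8000084: two content prefilters gate a pcre that pins
# \object\objemb\objupdate\v or \object\objhtml\objupdate\v followed by a bare
# LF (0x0a) and a space; CRLF-terminated files will not match, which looks
# intentional as a structure fingerprint — confirm against the samples.
# metadata is service smtp rather than the ftp-data/http/imap/pop3 list copied
# from the $FILE_DATA_PORTS variant, so service-aware inspection applies the
# rule to SMTP traffic. Assumes file.rtf is set on the SMTP flow — confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER ThreadKit document - distinct obj structure"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|object|5C|obj"; content:"|5C|objupdate"; pcre:"/\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv\x0a\x20/"; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000094; rev:1;)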

Thanks.
YM