Hi Yaser,

Thanks for these submissions. We will review each of them and get back to you when finished. The format used is great, and we were able to easily parse the different submissions. Thanks again.

Sincerely,

John Levy
Cisco Talos

On Wed, Jun 27, 2018 at 9:34 AM, Y M via Snort-sigs <snort-sigs@lists.snort.org> wrote:
Hi,

Below is a set of rules for various detections, aggregated in one email. Oddly, I was not able to acquire any of the binaries/payloads, hence the lack of pcaps. It was just weird. Each set of signatures is separated by "#----". Please let me know if this format is not favorable and I will work something out.

# --------------------
# Date: 2018-06-17
# Title: CVE-2017-8570 RTF and the Sisfader RAT
# Tests: syntax only
# Confidence: low-
# Notes: Rules are based on assumptions of the custom protocol detailed in the reference

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sisfader RAT outbound connection - Register"; flow:to_server,established; content:"|FF DD EE AA|"; depth:4; byte_test:1,=,4,4,relative; content:"|0F 01|"; offset:8; metadata:ruleset community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/; classtype:trojan-activity; sid:8000120; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sisfader RAT outbound connection - Beacon"; flow:to_server,established; content:"|FF DD EE AA|"; depth:4; byte_test:1,=,4,4,relative; content:"|F0 E1|"; offset:8; metadata:ruleset community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/; classtype:trojan-activity; sid:8000121; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sisfader RAT outbound connection - Pong"; flow:to_server,established; content:"|FF DD EE AA|"; depth:4; byte_test:1,=,4,4,relative; content:"|F0 E3|"; offset:8; metadata:ruleset community; reference:url,www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/; classtype:trojan-activity; sid:8000122; rev:1;)

# --------------------
# Date: 2018-06-21
# Title: Kardon Loader Looks for Beta Testers
# Tests: syntax only
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kardon loader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; http_uri; content:"&os="; fast_pattern:only; http_client_body; content:"&pv="; http_client_body; content:"&ip="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/; classtype:trojan-activity; sid:8000123; rev:1;)

# --------------------
# Date: 2018-06-21
# Title: Nigelthorn Malware Abuses Chrome Extensions to Cryptomine and Steal Data
# Tests: syntax only
# Confidence: low-

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Nigelthorn browser plugin social media credentials theft attempt"; flow:to_server,established; content:"GET"; http_method; content:"/php3/"; fast_pattern:only; http_uri; content:".php?"; http_uri; content:"u="; http_uri; content:"&p="; http_uri; metadata:ruleset community, service http; reference:url,blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/; classtype:trojan-activity; sid:8000124; rev:1;)

# --------------------
# Date: 2018-06-21
# Title: Red Alert v2.0: Misadventures in Reversing Android Bot Malware
# Tests: syntax only
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.BankerBot outbound connection"; flow:to_server,established; urilen:5; content:"POST"; http_method; content:"/stbi"; fast_pattern:only; http_uri; content:" Android "; http_header; content:"Content-Type: application/json"; http_header; content:"eyJ"; depth:3; http_client_body; metadata:ruleset community, service http; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Red-Alert-v2-0--Misadventures-in-Reversing-Android-Bot-Malware/; classtype:trojan-activity; sid:8000125; rev:1;)

# --------------------
# Date: 2018-06-22
# Title: RAT Gone Rogue: Meet ARS VBS Loader
# Tests: syntax only
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?os="; http_uri; content:"&user="; http_uri; content:"&av="; http_uri; content:"&fw="; http_uri; content:"&hwid="; http_uri; metadata:ruleset community, service http; reference:url,www.flashpoint-intel.com/blog/meet-ars-vbs-loader/; classtype:trojan-activity; sid:8000126; rev:1;)


# --------------------
# Date: 2018-06-27
# Title: Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation
# Tests: syntax only
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/toolbar/"; fast_pattern:only; http_uri; content:"User-Agent: wget"; http_header; content:"Referer:"; http_header; content:"/toolbar"; within:50; http_header; content:!"Accept-"; http_header; content:!"Content-"; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000127; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/entry/"; http_uri; content:"&mac="; fast_pattern:only; http_uri; content:"User-Agent: wget"; http_header; content:"Referer:"; http_header; content:"/entry/"; within:50; http_header; content:!"Accept-"; http_header; content:!"Content-"; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000128; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/interface/getFile?"; fast_pattern:only; http_uri; content:"User-Agent: wget"; http_header; content:!"Referer:"; http_header; content:"Accept-"; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000129; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"User-Agent: SmartService|0D 0A|"; fast_pattern:only; http_header; content:"/getFile?"; http_uri; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000130; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; urilen:>200; content:"/api/"; fast_pattern:only; http_uri; content:"q="; http_uri; content:!"Referer:"; http_header; pcre:"/\/api\/(cpx|ss|lt)\x3fq\x3d/Ui"; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000131; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"User-Agent: BypassUac|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000132; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/report?s="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64) "; http_header; content:!"Referer:"; http_header; content:"Accept"; http_header; metadata:ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:8000133; rev:1;)

# --------------------
# Date: 2018-06-27
# Title: RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
# Tests: syntax only
# Confidence: low-

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dinwod/NetHelp variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:53.0) Gecko/20100101 Chrome /53.0"; fast_pattern:only; http_header; content:"/index.html"; http_uri; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf; classtype:trojan-activity; sid:8000134; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyGate variant outbound connection"; flow:to_server,established; urilen:<100; content:"/index?"; http_uri; content:"Accept: */*|0D 0A|Accept-Encoding: gzip, deflate|0D 0A|User-Agent: "; http_header; fast_pattern; content:"Connection: Keep-Alive|0D 0A|"; http_header; content:!"Referer"; http_header; content:!"Content-"; http_header; metadata:ruleset community, service http; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf; classtype:trojan-activity; sid:8000135; rev:1;)

# --------------------
# Date: 2018-06-27
# Title: FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users
# Tests: syntax only
# Reference:
# Confidence: low-

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andro.Trojan.FakeSpy variant outbound connection"; flow:to_server,established; content:"/jiagu/"; http_uri; content:"/infos"; fast_pattern:only; http_uri; content:" Android "; http_header; metadata:ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/; classtype:trojan-activity; sid:8000136; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andro.Trojan.FakeSpy variant outbound connection"; flow:to_server,established; content:"/servlet/OnLine"; fast_pattern:only; http_uri; content:" Android "; http_header; metadata:ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/; classtype:trojan-activity; sid:8000137; rev:1;)

# --------------------
# Date: 2018-06-27
# Title: FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users
# Tests: syntax only
# Reference:
# Confidence: low-
# Note: Older references show that this is via HTTPS. Newer references show this via HTTP.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.URLZone dropper variant outbound connection"; flow:to_server,established; content:"?tver="; fast_pattern:only; http_uri; content:"&vcmd="; http_uri; content:"&ipcnf="; http_uri; metadata:ruleset community, service http; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-urlzone-malware-campaigns-targeting-japan.html; reference:url,github.com/arbor/urlzone/blob/master/urlzone.py; classtype:trojan-activity; sid:8000138; rev:1;)


Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
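Submissions like the ones in this thread are marked "Tests: syntax only", and a syntax pass tells you little about the option-level slips that creep into hand-written Snort 2 rules: a misspelled buffer modifier, a hex pipe that is never closed, two HTTP buffers attached to one content, a within/distance on a content that has no earlier match in the same buffer, or a sid reused across rules. The script below is an added example, not code from the snort-sigs post, from Talos or from the Snort project: a small linter that splits a rule into its options (respecting quoted strings and backslash escapes) and reports those slips. The rule list it runs on is constructed and trimmed for the example, and the keyword tables are an assumed subset of the Snort 2 option set, so keywords outside that subset are reported as unknown.

```python
"""Snort 2 rule linter for option-level slips that a syntax-only pass can let through.
Added example, not from the snort-sigs post, Talos or the Snort project; the keyword
tables are an assumed subset of Snort 2's option set."""
import re

HTTP_BUFFERS = {"http_uri", "http_raw_uri", "http_header", "http_raw_header",
                "http_client_body", "http_method", "http_cookie", "http_raw_cookie",
                "http_stat_code", "http_stat_msg"}
CONTENT_MODIFIERS = HTTP_BUFFERS | {"nocase", "offset", "depth", "distance", "within",
                                    "fast_pattern", "rawbytes"}
KNOWN_OPTIONS = CONTENT_MODIFIERS | {"msg", "flow", "flowbits", "content", "pcre",
                                     "byte_test", "byte_jump", "isdataat", "urilen",
                                     "metadata", "reference", "classtype", "sid", "rev"}
HEADER_RE = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def split_options(body):
    """Split the text between '(' and ')' into (keyword, value) pairs.
    A ';' inside double quotes does not end an option; a backslash escapes the next char."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            key, _, val = "".join(cur).strip().partition(":")
            if key:
                opts.append((key.strip(), val.strip()))
            cur = []
            continue
        cur.append(ch)
    if in_quote or "".join(cur).strip():
        raise ValueError("unterminated quote or option missing its ';'")
    return opts


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised rule header")
    return m.group(1), split_options(m.group(8))


def lint_rule(line):
    """Return a list of findings for one rule (empty when it looks clean)."""
    try:
        _, opts = parse_rule(line)
    except ValueError as exc:
        return [f"parse: {exc}"]
    sid = next((v for k, v in opts if k == "sid"), "?")
    findings, contents, cur = [], [], None
    for key, val in opts:
        if key not in KNOWN_OPTIONS:
            findings.append(f"sid {sid}: unknown option '{key}'")
            cur = None                       # e.g. a misspelled http_header
        elif key == "content":
            if val.count("|") % 2:           # every hex run needs an opening and a closing pipe
                findings.append(f"sid {sid}: unbalanced hex pipes in content {val}")
            cur = {"value": val, "buffers": [], "relative": False, "fp_only": False}
            contents.append(cur)
        elif key in CONTENT_MODIFIERS and cur is not None:
            if key in HTTP_BUFFERS:
                cur["buffers"].append(key)
            elif key in ("within", "distance"):
                cur["relative"] = True
            elif key == "fast_pattern" and val == "only":
                cur["fp_only"] = True
        elif key == "pcre":
            cur = None                       # pcre carries its own flags inside the pattern
    prev_buffer = None                       # None = no content seen yet; "raw" = unbuffered
    for c in contents:
        buf = c["buffers"][0] if c["buffers"] else "raw"
        if len(c["buffers"]) > 1:
            findings.append(f"sid {sid}: content {c['value']} has {len(c['buffers'])} buffer modifiers {c['buffers']}")
        if c["relative"] and prev_buffer != buf:
            findings.append(f"sid {sid}: within/distance on content {c['value']} has no preceding match in buffer {buf}")
        if c["relative"] and c["fp_only"]:
            findings.append(f"sid {sid}: fast_pattern:only combined with within/distance on {c['value']}")
        prev_buffer = buf
    return findings


def lint_ruleset(lines):
    """Lint every non-comment line and flag sids that appear more than once."""
    findings, seen = [], {}
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings.extend(lint_rule(line))
        m = re.search(r"\bsid:(\d+);", line)
        if m:
            seen.setdefault(m.group(1), []).append(n)
    for sid, where in seen.items():
        if len(where) > 1:
            findings.append(f"sid {sid}: used on lines {where}")
    return findings


# Constructed sample rules (not from the post): one clean, the rest carrying typical slips.
SAMPLE_RULES = [
    "# constructed test rules",
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST clean"; flow:to_server,established; '
    'content:"POST"; http_method; content:"/gate.php"; fast_pattern:only; http_uri; sid:1000001; rev:1;)',
    # misspelled buffer modifier and http_uri attached twice to one content
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST typo"; flow:to_server,established; '
    'content:"/toolbar/"; http_uri; fast_pattern:only; http_uri; content:!"Accept-"; http_headr; sid:1000002; rev:1;)',
    # hex pipe opened and never closed
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST pipe"; flow:to_server,established; '
    'content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B WOW64) "; http_header; sid:1000003; rev:1;)',
    # within on the first content of a buffer (previous match was in another buffer) plus a reused sid
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST relative"; flow:to_server,established; '
    'content:"Content-Type: application/json"; http_header; content:"eyJ"; within:3; http_client_body; sid:1000003; rev:1;)',
]

if __name__ == "__main__":
    for finding in lint_ruleset(SAMPLE_RULES):
        print(finding)
```

Point it at a real rules file by reading the lines into lint_ruleset; extend KNOWN_OPTIONS with any keyword you use that the subset omits, otherwise it is reported as unknown. The linter is a pre-check for a submission, not a substitute for loading the file with snort -T and running it against a pcap.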