On Tue, Jul 3, 2018 at 9:23 AM, Y M via Snort-sigs <snort-sigs@lists.snort.org> wrote:
Hi,

Happy soon-to-be 4th of July to you all. Pcaps for the first two sets of signatures are available.

# --------------------
# Date: 2018-07-03
# Title: Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems
# Tests: pcap (partial)
# Hashes:
#    - 3227d1e39fc3bc842245ccdb16eeaadad3bcd298e811573b2e68ef2a7077f6f6
#    - 92e0d0346774127024c672cc7239dd269824a79e85b84c532128fd9663a0ce78
#    - 33665d93ab2a0262551c61ec9a3adca2c2b8dfea34e6f3f723274d88890f6ceb
#    - 019874898284935719dc74a6699fb822e20cdb8e3a96a7dc8ec4f625e3f1116e
#    - f817c9826089b49d251b8a09a0e9bf9b4b468c6e2586af60e50afe48602f0bec
# Confidence: low
# Note: The trojanized loader binaries, the standalone binaries, and the C&C domain (plus an additional domain)
#       successfully correlate to the observed HTTP URI and Header.

# Outbound HTTP request whose User-Agent header is the exact MSIE 6.0 / Win32 string followed by ";51;"
# (the header content is the fast-pattern), requesting URI "/index.htm", and carrying no
# Connection, Accept or Referer header. The negated headers are what separate this from a normal browser.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HomamDownloader outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Win32)|3B|51|3B|"; fast_pattern:only; http_header; content:"/index.htm"; http_uri; content:!"Connection: "; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/; classtype:trojan-activity; sid:8000172; rev:1;)

# Same shape as sid:8000172 but for the second observed User-Agent: MSIE 8.0 / Win32 followed by ";61;".
# Fires on URI "/index.htm" with no Connection, Accept or Referer header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HomamDownloader outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)|3B|61|3B|"; fast_pattern:only; http_header; content:"/index.htm"; http_uri; content:!"Connection: "; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/; classtype:trojan-activity; sid:8000173; rev:1;)

# Generalised form of sid:8000172 / sid:8000173: the PCRE accepts any single-digit MSIE major version
# ("\d\.0") and any two-digit value after "Win32);" ("[0-9]{2}"), so it also fires on the traffic the two
# literal rules match. The "within:12" on the second content allows exactly the 3-byte version string
# between "MSIE " and "; Win32);". The same negated Connection/Accept/Referer headers apply.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HomamDownloader outbound connection - PCRE"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE "; http_header; content:"|3B| Win32)|3B|"; within:12; http_header; fast_pattern; content:"/index.htm"; http_uri; content:!"Connection: "; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/User-Agent\x3a\sMozilla\/4\.0\s\x28compatible\x3b\sMSIE\s\d\.0\x3b\sWin32\x29\x3b[0-9]{2}\x3b\w+/H"; metadata:ruleset community, service http; reference:url,researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/; classtype:trojan-activity; sid:8000174; rev:1;)

# --------------------
# Date: 2018-07-03
# Title: PUA FileTour/MediaDrug
# Tests: pcap, live traffic
# Reference: Research
# Confidence: medium+

# Outbound request to a URI containing "/client.config/?" (fast-pattern) together with the
# "app=", "&format=" and "&uid=" query parameters. All matches are in the URI buffer; the parameter
# order is not enforced.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.MediaDrug/FileTour outbound connection"; flow:to_server,established; content:"/client.config/?"; fast_pattern:only; http_uri; content:"app="; http_uri; content:"&format="; http_uri; content:"&uid="; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/c25cb815710871b5e984a0b002f6f57088e43c5e3f19da9e889f4b962cd4da56/detection; classtype:trojan-activity; sid:8000175; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE Win.Adware.MediaDrug/FileTour inbound connection"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type: text/xml"; http_header; file_data; content:"<LogUrl>"; fast_pattern; nocase; content:"<csrtmm>"; nocase; content:"<advertid>"; nocase; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/c25cb815710871b5e984a0b002f6f57088e43c5e3f19da9e889f4b962cd4da56/detection; classtype:trojan-activity; sid:8000176; rev:1;)

# --------------------
# Date: 2018-07-03
# Title: MirageFox: APT15 Resurfaces With New Tools Based On Old Ones
# Tests: syntax only
# Confidence: low-- (use for threat hunting? You assume way too much...)
# Notes: All content matches were extracted from the binaries' strings. Most of the remaining samples,
#        specifically Mirage, share the same URI patterns.

# Outbound request to a URI containing "/image_download.php?" (fast-pattern) with a "uid=" URI
# parameter; note the "part=" match is in the Cookie header (http_cookie), not the URI.
# Header/Title above say these strings come from binary strings, not observed traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.RoyalAPT outbound connection"; flow:to_server,established; content:"/image_download.php?"; fast_pattern:only; http_uri; content:"uid="; http_uri; content:"part="; http_cookie; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/016948ec7743b09e41b6968b42dfade5480774df3baf915e4c8753f5f90d1734/detection; reference:url,www.malwares.com/report/file?hash=016948EC7743B09E41B6968B42DFADE5480774DF3BAF915E4C8753F5F90D1734; classtype:trojan-activity; sid:8000177; rev:1;)

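# Outbound POST to a URI containing "/search?gid=" (fast-pattern) with a generic "Mozilla/4.0"
# User-Agent, "Accept: */*" and no Referer header. Only the Referer absence narrows this beyond
# a common browser profile, so expect a higher false-positive rate than the other rules here.
# Added "metadata:ruleset community, service http;" so this rule is consistent with sid:8000177,
# sid:8000179 and sid:8000180 in the same set (it was the only rule of the set without it).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.MirageFox outbound connection"; flow:to_server,established; content:"/search?gid="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0"; http_header; content:"Accept: */*"; http_header; content:"POST"; http_method; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a/detection; reference:url,www.virustotal.com/#/file/97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5/detection; classtype:trojan-activity; sid:8000178; rev:1;)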

# Outbound request to a URI containing "/net/server.asp?" (fast-pattern) with "cmd=", "&adminid="
# and "&adminkey=" parameters, all matched case-insensitively in the URI buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Mirage variant outbound connection"; flow:to_server,established; content:"/net/server.asp?"; fast_pattern:only; http_uri; nocase; content:"cmd="; http_uri; nocase; content:"&adminid="; http_uri; nocase; content:"&adminkey="; http_uri; nocase; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/1534432fafb21c0479343bc2d9f3991e56c75baa41c54b3470d41055bb578f8f/detection; reference:url,www.malwares.com/report/file?hash=1534432FAFB21C0479343BC2D9F3991E56C75BAA41C54B3470D41055BB578F8F; classtype:trojan-activity; sid:8000179; rev:1;)

# Sibling of sid:8000179 (same samples): URI containing "/users/login.asp?" (fast-pattern) with
# "type=" and "&server_ver=" parameters, matched case-insensitively in the URI buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Mirage variant outbound connection"; flow:to_server,established; content:"/users/login.asp?"; fast_pattern:only; http_uri; nocase; content:"type="; http_uri; nocase; content:"&server_ver="; http_uri; nocase; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/1534432fafb21c0479343bc2d9f3991e56c75baa41c54b3470d41055bb578f8f/detection; reference:url,www.malwares.com/report/file?hash=1534432FAFB21C0479343BC2D9F3991E56C75BAA41C54B3470D41055BB578F8F; classtype:trojan-activity; sid:8000180; rev:1;)


Thanks.
YM

Hi Yaser,

Thanks for these submissions. We will review each of them and get back to you when finished.


--
Marcos Rodriguez
Cisco Talos