On Wed, Sep 12, 2018 at 1:03 PM, Y M via Snort-sigs <snort-sigs@lists.snort.org> wrote:
Hi,

Pcaps and ClamAV/Yara signatures are available for the majority of the cases below.

Thanks.
YM

# --------------------
# Date: 2018-08-29
# Title: A walk through the AcridRain Stealer
# Tests: pcap
# Yara:
#    - MALWARE_Win_Trojan_AcridRain
# ClamAV:
#    - MALWARE_Win.Trojan.AcridRain
# Hashes (triage):
#    - fb9581e5432392c7fac47b5883a381659345c08d3c26764e689f3110d5d6be53
#    - 009d46cbfb0e8796ed754a18020491b1a1e6a3dccbdc2f8843cbace9def60896
#    - 3d28392d2dc1292a95b6d8f394c982844a9da0cdd84101039cf6ca3cf9874c1c
#    - 56c73dbd50d9161476b904f542491b6f27c6a42fccd661a3032ab1e01b0ca8f5
#    - 769df72c4c32e94190403d626bd9e46ce0183d3213ecdf42c2725db9c1ae960b
#    - 7afa4e20058a95dec77629f22195a0d9af796fa2dfadf0ce73786e46654ea8b7
#    - 7b045eec693e5598b0bb83d21931e9259c8e4825c24ac3d052254e4925738b43
#    - 80217425c6fd2f588a42121ff061b085fd26510e9b9b44bfee8a3c693425ed3c
#    - 80c6632fac75e4b5769e11f1ee5603821e73a0bacff8300c7373220f20f3535a
#    - 8fffaaaae976e558ee64f1f7d2e3670c19497c5b78e9a59c3ccc37c9ae177c66
#    - b78c78477cd7f5a0571a5db6fd0062e25f8659a9d7b428b7709d8d587c11b453
#    - db8f74ebd5ddd43f07f580ee72c2e18fb3f9ab7465479b2a81c366df4509375f
#    - fdf613b16fc7025ec8f3a8833064c8feb292a7cc103f7c10f1133c9832f2d3fd

# AcridRain stealer upload: multipart POST to a "/Upload/" path carrying "file" and "id" form parts.
# The two client-body contents have no distance/within, so the parts may appear in any order in the body.
# NOTE(review): "/Upload/" plus generic part names could also describe a benign upload form; validate against the pcap before deployment.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AcridRain outbound connection"; flow:to_server,established; content:"/Upload/"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|file|22|"; http_client_body; content:"form-data|3B| name=|22|id|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000311; rev:1;)


# --------------------
# Date: 2018-09-02
# Title: Win.Trojan.Arkei (a.k.a Win.Trojan.Nocturnal?)
# Reference: Research
# Tests: pcap
# Yara:
#    - MALWARE_Win_Trojan_Nocturnal
# ClamAV:
#    - MALWARE_Win.Trojan.Nocturnal
# Hashes:
#    - 0892104dceefa48f5fac31d030432689ee151ab577f0e1e0f2d6676238a70de9
#    - 5283b968056136a34c2e89c352c02c5b4422a5aa75b261a2f7713f24ad56abc5
#    - bae982b9b1712e05f2fad90e0227bb21341eac9766a395641f07c22c3368debe
# Notes: HTTP POST traffic partially matches SID:8000096 (Win.Trojan.Nocturnal), submitted a while back.

# Arkei/Nocturnal: User-Agent header beginning with "Arkei/" (a version string follows, so the match is deliberately not end-anchored).
# The header match is case-sensitive (no nocase), which is acceptable for a hard-coded client string.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious User-Agent - Win.Trojan.Nocturnal/Arkei"; flow:to_server,established; content:"User-Agent: Arkei/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000322; rev:1;)

# Arkei/Nocturnal: URI-only match on "/server/grubConfig" with no header or body corroboration - a single-indicator rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nocturnal/Arkei outbound connection"; flow:to_server,established; content:"/server/grubConfig"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000323; rev:1;)

# Arkei/Nocturnal check-in: request to "/server/gate" whose multipart body carries "hwid", "os" and "platform" parts.
# The three client-body contents have no distance/within, so part order does not matter.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nocturnal/Arkei outbound connection"; flow:to_server,established; content:"/server/gate"; fast_pattern:only; http_uri; content:"name=|22|hwid|22|"; http_client_body; content:"name=|22|os|22|"; http_client_body; content:"name=|22|platform|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000324; rev:1;)


# --------------------
# Date: 2018-09-02
# Title: PowerPool malware exploits ALPC LPE zero-day vulnerability
# Tests: pcap + sandbox
# Yara:
#    - MALWARE_Win_Trojan_PowerPool_Stage_1
#    - MALWARE_Win_Trojan_PowerPool_Stage_2
# ClamAV:
#    - MALWARE_Win.Trojan.PowerPool_Stage_1
#    - MALWARE_Win.Trojan.PowerPool_Stage_2
# Hashes:
#    1st_stage:
#        - 035f97af0def906fbd8f7f15fb8107a9e852a69160669e7c0781888180cd46d5
#        - 8c2e729bc086921062e214b7e4c9c4ddf324a0fa53b4ed106f1341cfe8274fe4
#        - 8c32d6f2408115476c5552a4e3e86a3cc5e7148cc0111a4b464509461f3c0d20
#        - fb05c7b6087ebaf129036639e3cd9cd199ab450d69c2faac4a51064c1505334d
#    2nd_stage:
#        - 58a50840c04cd15f439f1cc1b684e9f9fa22c0d64f44a391d9e2b1222e5cd6bd
#        - af2abf0748013a7084507f8e96f6e7c21a3f962fbbb148dcbb482a98c06940a1
# Notes:
#    1. Triage on C&C and Yara revealed additional samples.
#    2. Sandbox execution reveals C&C not mentioned in original reference.

# PowerPool stage 1 beacon: URI "/?id=<value>&info=..." where "&info=" must start at least 16 bytes after the end of "/?id="
# (distance:16 with no within, so the id value is 16+ bytes and "&info=" may sit anywhere after that).
# The three negated header contents require that NO "Accept-", "Referer" or "Content" substring appears in the request headers,
# i.e. a minimal header set; a request carrying any of them (including Content-Length/Content-Type) will not alert even if the URI matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool first stage outbound connection attempt"; flow:to_server,established; content:"/?id="; http_uri; content:"&info="; distance:16; fast_pattern; http_uri; content:!"Accept-"; http_header; content:!"Referer"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000329; rev:1;)

# PowerPool stage 2 heartbeat: urilen:6 pins the URI to exactly "/heart"; the User-Agent is "Mozilla/4.0 (compatible; )" with an
# empty compatibility list, and the body carries a quoted "sessionid" key.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool second stage heartbeat outbound connection attempt"; flow:to_server,established; urilen:6; content:"/heart"; http_uri; fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )"; http_header; content:"|22|sessionid|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000330; rev:1;)

# PowerPool stage 2 command execution: urilen:8 pins the URI to exactly "/cmdpool"; same empty-compat User-Agent as the heartbeat,
# and a quoted "dos" key in the body. Differs from the directory-listing rule (same URI) only by the body key.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool second stage execute command outbound connection"; flow:to_server,established; urilen:8; content:"/cmdpool"; http_uri; fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )"; http_header; content:"|22|dos|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000331; rev:1;)

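# PowerPool stage 2 directory listing: urilen:8 pins the URI to exactly "/cmdpool"; same empty-compat User-Agent as the heartbeat,
# and a quoted "folder" key in the body. Differs from the execute-command rule (same URI) only by the body key.
# Fix: msg typo "lsit" -> "list"; the msg is what analysts see and search on in alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerPool second stage list directory outbound connection"; flow:to_server,established; urilen:8; content:"/cmdpool"; http_uri; fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible|3b| )"; http_header; content:"|22|folder|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000332; rev:1;)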


# Public-IP lookup to www.l2.io: urilen:3 pins the URI to exactly "/ip" and the Host header must be the literal "www.l2.io".
# This rule sits in the PowerPool section without its own header; note 2 above mentions sandbox-observed traffic not in the original
# reference, so presumably this is the sample's external-IP check - confirm.
# NOTE(review): a request to "l2.io" without the www label is not covered by the literal Host match.
# NOTE(review): the msg itself calls this an IP check rather than C2; benign tooling can issue the same request, so
# classtype:trojan-activity may overstate the evidence - consider a policy/misc classtype or using it as a flowbit for correlation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE outbound IP address check to l2.io"; flow:to_server,established; urilen:3; content:"/ip"; fast_pattern:only; http_uri; content:"Host: www.l2.io"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000333; rev:1;)

# --------------------
# Date: 2018-09-08
# Title: CVE-2018-5002 Exploit/Infection Chain
# Reference:
# Tests: pcap

# CVE-2018-5002 chain, stage 1: GET "/doc?token=<32 lowercase hex>" (pcre end-anchored) from a Flash client (x-flash-version header)
# with no Referer header. The header-name match is case-sensitive; the rule assumes the lowercase "x-flash-version" form.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; content:"/doc?token="; fast_pattern:only; http_uri; content:"x-flash-version"; http_header; content:!"Referer"; http_header; pcre:"/\/doc\x3ftoken\x3d[a-f0-9]{32}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000334; rev:1;)

# CVE-2018-5002 chain, stage 2: URI under "/stab/" containing ".png?x=" (URI shorter than 70 bytes), with a Referer header present
# and the Flash x-flash-version header. Unlike the "/doc?token=" rule, this one requires a Referer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<70; content:"/stab/"; fast_pattern:only; http_uri; content:".png?x="; http_uri; content:"Referer"; http_header; content:"x-flash-version"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000335; rev:1;)

# CVE-2018-5002 chain, stage 3: form-urlencoded POST to "/download/<32 lowercase hex>/" (pcre end-anchored) from a Flash client with a Referer.
# urilen:<45 bounds the URI: 10 ("/download/") + 32 (hex) + 1 (trailing "/") = 43.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<45; content:"POST"; http_method; content:"/download/"; http_uri; content:"Referer"; http_header; content:"x-flash-version"; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; pcre:"/\/download\/[a-f0-9]{32}\/$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000336; rev:1;)

# CVE-2018-5002 chain, stage 4: text/plain POST to "/log/<32 lowercase hex>" (pcre end-anchored); urilen:<40 bounds 5 + 32 = 37.
# No Flash header is required here, so this stage is presumably sent by the dropped payload rather than the player - confirm against the pcap.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<40; content:"POST"; http_method; content:"/log/"; http_uri; content:"Content-Type: text/plain"; http_header; pcre:"/\/log\/[a-f0-9]{32}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000337; rev:1;)

# CVE-2018-5002 chain, stage 5: text/plain POST to "/home/<32 lowercase hex>" (pcre end-anchored); urilen:<40 bounds 6 + 32 = 38.
# "/home/" is a common path prefix; the exact 32-hex token plus text/plain body is what keeps this specific.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER CVE-2018-5002 infection chain detected"; flow:to_server,established; urilen:<40; content:"POST"; http_method; content:"/home/"; http_uri; content:"Content-Type: text/plain"; http_header; pcre:"/\/home\/[a-f0-9]{32}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000338; rev:1;)

# --------------------
# Date: 2018-09-08
# Title: OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
# Reference:
# Tests: syntax only
# Notes:
#    - Computer name maximum allowed length (CN) = 63 (observed on Win7/Win10)
#    - User name maximum allowed length (UN)     = 20 (observed on Win7/Win10)
#    - Separator (SP, "\")                       = 1
#    => CN + SP + UN = 84, the upper bound used in the pcre quantifiers below

# OilRig OopsIE variant: GET "/khc?" fixed at URI offset 0 (depth:5), followed by 3-84 uppercase hex characters up to end of URI;
# urilen:<90 bounds 5 + 84 = 89. Per the notes above, 84 = computer name (63) + "\" (1) + user name (20).
# NOTE(review): the content "|5C|" (a literal backslash in http_uri) cannot coexist with the pcre, which permits only [A-F0-9]
# between "/khc?" and end-of-URI. If the beacon hex-encodes "CN\UN", the backslash never appears on the wire and the hex run is up to
# 168 characters, not 84; if it is sent in the clear, the pcre class is too narrow. Either way the rule as written cannot fire - tests
# were syntax only, so resolve this against a sample before publishing.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<90; content:"/khc?"; depth:5; http_uri; content:"|5C|"; http_uri; pcre:"/\/khc\?[A-F0-9]{3,84}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000339; rev:1;)

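# OilRig OopsIE variant: GET "/tahw?" fixed at URI offset 0 (depth:6), followed by 3-84 uppercase hex characters up to end of URI;
# urilen:<91 bounds 6 + 84 = 90.
# Fix: the pcre was anchored on "/chk?" while the content/depth pins "/tahw?" at offset 0, so both could never match the same URI;
# the pcre now follows the content. (If "/chk?" was the intended path, change the content, depth and urilen instead.)
# NOTE(review): the literal backslash (|5C|) required in http_uri still contradicts the hex-only pcre class between "/tahw?" and
# end-of-URI: if "CN\UN" is hex-encoded the backslash never appears and the run is up to 168 hex chars; if it is sent in the clear the
# class is too narrow. Resolve against a sample - tests were syntax only.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<91; content:"/tahw?"; depth:6; http_uri; content:"|5C|"; http_uri; pcre:"/\/tahw\?[A-F0-9]{3,84}$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000340; rev:1;)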

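# OilRig OopsIE variant: GET "/pser?" fixed at URI offset 0 (depth:6), then 3-84 uppercase hex, a "BBZ" or "BBY" marker, then up to
# 1000 more hex characters; urilen:<1100 bounds 6 + 84 + 3 + 1000 = 1093.
# Fix: "{,1000}" is not a PCRE quantifier - PCRE treats it as the literal text "{,1000}", so the rule could never fire. "{0,1000}" is the
# intended 0-1000 repetition. Unlike the sibling rules this pcre is not end-anchored, so trailing data after the hex is tolerated.
# NOTE(review): as in the sibling rules, the literal backslash (|5C|) required in http_uri contradicts the hex-only pcre class that must
# run from "/pser?" through the marker; if "CN\UN" is hex-encoded the backslash never appears and the first run is up to 168 hex chars.
# Resolve against a sample - tests were syntax only.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; urilen:<1100; content:"/pser?"; depth:6; http_uri; content:"|5C|"; http_uri; pcre:"/\/pser\?[A-F0-9]{3,84}(BBZ|BBY)[A-F0-9]{0,1000}/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000341; rev:1;)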


# --------------------
# Date: 2018-08-29
# Title: Click me if you can, Office social engineering with embedded objects
# Tests: pcap (file2pcap)
# Yara:
#     - FILE_OFFICE_RTF_Shell_Explorer_Execution
#     - FILE_OFFICE_RTF_Forms_HTML_Execution
# ClamAV:
#     - FILE_OFFICE_OLE_Shell_Explorer_Execution
#     - FILE_OFFICE_ActiveX_Forms_HTML_Execution
# Notes:
#    1. Documents were converted to RTF and they appear to achieve the same behavior when opened with Word.
#    2. First 6 signatures in this set match what is observed in the generated files.
#    3. The remaining signatures target Forms.HTML:* variants that reference HTTP URLs instead of file URLs.
#    4. ClamAV signatures don't care if the files are RTF or other.

# Inbound (HTTP/POP/IMAP download direction) RTF - flowbits file.rtf is set by the file-identification rules - whose hex-encoded
# object data contains all three of the following, in any order (no distance/within):
#   c32ab2ea c130 cf11 a7eb0000c05bae0b : little-endian GUID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}, the Shell.Explorer.1 CLSID named in the msg
#   4c000000 01140200                   : 0x4C header size followed by the start of the ShellLink CLSID, i.e. an embedded .LNK
#   6800740074007000                    : "http" in UTF-16LE, i.e. the LNK points at remote content
# nocase covers RTF writers that emit upper-case hex; the "http" string is all digits so it needs none.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Shell.Explorer.1 CLSID referencing embedded LNK file with remote content"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"c32ab2eac130cf11a7eb0000c05bae0b"; nocase; fast_pattern:only; content:"4c00000001140200"; nocase; content:"6800740074007000"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000312; rev:1;)

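# SMTP counterpart of the Shell.Explorer.1 + embedded LNK + "http" RTF rule: same three hex-encoded contents, matched in any order in
# the file data of inbound mail to $SMTP_SERVERS.
# Fix: the source port was $FILE_DATA_PORTS (server-side HTTP/POP/IMAP ports); an SMTP client's source port is ephemeral, so the rule
# would effectively never match inbound mail. Standard SMTP file rules use "$EXTERNAL_NET any".
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Shell.Explorer.1 CLSID referencing embedded LNK file with remote content"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"c32ab2eac130cf11a7eb0000c05bae0b"; nocase; fast_pattern:only; content:"4c00000001140200"; nocase; content:"6800740074007000"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000313; rev:1;)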

# Inbound RTF whose hex-encoded object data contains, in any order: the Forms.HTML:Image.1 CLSID named in the msg
# (12d11255 c65c cf11 8d6700aa00bdce1d = little-endian {5512D112-5CC6-11CF-8D67-00AA00BDCE1D}), "file:" in UTF-16LE (660069006c0065003a)
# and "exe" in UTF-16LE (6500780065).
# NOTE(review): the "exe" content is 10 hex characters with no positional constraint, so any UTF-16 "exe" substring anywhere in the file
# data satisfies it; the CLSID plus "file:" carry the specificity.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing executable file URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000314; rev:1;)

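# SMTP counterpart of the Forms.HTML:Image.1 + "file:" + "exe" RTF rule: same hex-encoded contents, any order, in inbound mail.
# Fix: the source port was $FILE_DATA_PORTS (server-side HTTP/POP/IMAP ports); an SMTP client's source port is ephemeral, so the rule
# would effectively never match inbound mail. Standard SMTP file rules use "$EXTERNAL_NET any".
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing executable file URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000315; rev:1;)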

# Inbound RTF whose hex-encoded object data contains, in any order: the Forms.HTML:Submission.1 CLSID named in the msg
# (10d11255 c65c cf11 8d6700aa00bdce1d = little-endian {5512D110-5CC6-11CF-8D67-00AA00BDCE1D}), "file:" in UTF-16LE and "exe" in UTF-16LE.
# Same structure as the Image.1 rule; only the CLSID differs. The short unpositioned "exe" content is satisfied by any UTF-16 "exe" substring.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing executable file URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000316; rev:1;)

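# SMTP counterpart of the Forms.HTML:Submission.1 + "file:" + "exe" RTF rule: same hex-encoded contents, any order, in inbound mail.
# Fix: the source port was $FILE_DATA_PORTS (server-side HTTP/POP/IMAP ports); an SMTP client's source port is ephemeral, so the rule
# would effectively never match inbound mail. Standard SMTP file rules use "$EXTERNAL_NET any".
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing executable file URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"660069006c0065003a"; nocase; content:"6500780065"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000317; rev:1;)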

# Inbound RTF whose hex-encoded object data contains the Forms.HTML:Image.1 CLSID and "http" in UTF-16LE (68007400740070), in any order.
# Broader than the "file:"/"exe" variant: any HTTP(S) URL near the control matches, which is what note 3 above intends.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing HTTP URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000318; rev:1;)

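# SMTP counterpart of the Forms.HTML:Image.1 + "http" RTF rule: same hex-encoded contents, any order, in inbound mail.
# Fix: the source port was $FILE_DATA_PORTS (server-side HTTP/POP/IMAP ports); an SMTP client's source port is ephemeral, so the rule
# would effectively never match inbound mail. Standard SMTP file rules use "$EXTERNAL_NET any".
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Image.1 CLSID referencing HTTP URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"12d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000319; rev:1;)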

# Inbound RTF whose hex-encoded object data contains the Forms.HTML:Submission.1 CLSID and "http" in UTF-16LE (68007400740070), in any order.
# Same structure as the Image.1 HTTP-URL rule; only the CLSID differs.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing HTTP URL"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service http; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000320; rev:1;)

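# SMTP counterpart of the Forms.HTML:Submission.1 + "http" RTF rule: same hex-encoded contents, any order, in inbound mail.
# Fix: the source port was $FILE_DATA_PORTS (server-side HTTP/POP/IMAP ports); an SMTP client's source port is ephemeral, so the rule
# would effectively never match inbound mail. Standard SMTP file rules use "$EXTERNAL_NET any".
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Forms.HTML:Submission.1 CLSID referencing HTTP URL"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"10d11255c65ccf118d6700aa00bdce1d"; nocase; content:"68007400740070"; metadata:ruleset community, service smtp; reference:url,securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html; classtype:attempted-user; sid:8000321; rev:1;)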

# --------------------
# Date: 2018-09-03
# Title: Ruler is a tool for interacting with Exchange servers remotely, with the aim of
#        abusing client-side Outlook features to gain a shell remotely.
# Reference: Research
# Tests: syntax only

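# Ruler client talking to Autodiscover: exact User-Agent "ruler" (pinned by the trailing CRLF) plus the Autodiscover XML path in the URI.
# Fixes:
#   - destination port 80 -> $HTTP_PORTS, consistent with "service http" and with the http_header/http_uri buffers, which are only
#     populated on ports the HTTP inspector is configured for.
#   - nocase on the path: IIS paths are case-insensitive and the same endpoint is reached as "/Autodiscover/Autodiscover.xml".
# NOTE(review): Autodiscover is normally served over TLS; without decryption in front of the sensor this rule only sees plaintext
# (or downgraded) traffic. The exact-UA match is also trivially evaded by an operator who changes the client's User-Agent.
# NOTE(review): reference T1027 (Obfuscated Files and Information) does not describe what Ruler does; Office Application Startup
# (T1137 - Outlook rules/forms/home page) looks like the closer mapping - confirm before publishing.
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Ruler interaction attempt"; flow:to_server,established; content:"User-Agent: ruler|0D 0A|"; fast_pattern:only; http_header; content:"/autodiscover/autodiscover.xml"; nocase; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/wiki/Technique/T1027; classtype:web-application-activity; sid:8000327; rev:1;)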


Hi Yaser,

Thanks for these submissions, we'll get these into our testing process and get back to you as soon as possible.  We'd appreciate any pcaps you'd be willing to share.  Thanks again!

--
Marcos Rodriguez
Cisco Talos