
List:       snort-sigs
Subject:    Re: [Snort-sigs] Multiple signatures 016
From:       Marcos Rodriguez <mrodriguez () sourcefire ! com>
Date:       2018-10-25 17:43:18
Message-ID: CAN1T9eqrwa_bkPzbQ1Ym+KZds1vi6_S9qcjjodkiX5KoU3u4Lg () mail ! gmail ! com

On Thu, Oct 25, 2018 at 11:32 AM Y M via Snort-sigs
<snort-sigs@lists.snort.org> wrote:
> 
> Hi,
> 
> Hope all sig makers are doing great today. Pcaps and Yara/ClamAV signatures are available for all of the cases below.
> Thank you.
> 
> # --------------------
> # Date: 2018-10-06
> # Title: ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545)
> # Reference: Triage from: https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/
> # Tests: pcap
> # Yara:
> #    - TOOL_PWS_LaZagne
> # ClamAV:
> #    - TOOL.PWS.LaZagne
> # Hashes:
> # Notes:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader / ZeroEvil variant outbound connection"; flow:to_server,established; content:"/logs_gate.php?plugin="; fast_pattern:only; http_uri; content:"|3B| name=|22|file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000373; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant outbound connection"; flow:to_server,established; content:"/plugin_gate.php?plugin="; fast_pattern:only; http_uri; content:"|3B| name=|22|file|22|"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000374; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant / ZeroEvil outbound connection"; flow:to_server,established; content:"/gate.php"; http_uri; content:"version="; http_client_body; fast_pattern; content:!"Referer"; http_header; pcre:"/version\x3d([0-9]{3}\x255F)+/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000375; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader variant outbound connection"; flow:to_server,established; content:"/screenshot_gate.php?hwid="; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000376; rev:1;)
> # --------------------
> # Date: 2018-10-10
> # Title: MuddyWater
> # Reference: Triage from:
> #    - https://s.tencent.com/research/report/509.html
> #    - https://securelist.com/muddywater/88059/
> # Tests: pcap
> # Yara:
> #    - FILE_OFFICE_OLE_Dropper_Doc
> #    - TOOL_CNC_Shootback
> #    - TOOL_PWS_Credstealer
> # ClamAV:
> #    - FILE_OFFICE.OLE.Dropper.Doc
> #    - TOOL_PWS.Credstealer
> #    - TOOL_CNC.Shootback
> #    - Doc.Dropper.Agent-HSB1
> #    - Doc.Dropper.Agent-HSB2
> #    - Doc.Dropper.Agent-HSB3
> #    - Doc.Dropper.Agent-HSB4
> # Hashes:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Dropper.Agent outbound connection"; flow:to_server,established; content:"/main.php?t="; http_uri; content:"&type=info"; http_uri; fast_pattern:only; content:"&f=s"; http_uri; content:"&id="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000378; rev:1;)
> # --------------------
> # Date: 2018-10-23
> # Title: Win.Trojan.Micropsia
> # Reference: Research
> # Tests: pcap + sandbox
> # Yara:
> #    - MALWARE_Win_Trojan_Micropsia
> # ClamAV:
> #    - MALWARE_Win.Trojan.Micropsia-1
> #    - MALWARE_Win.Trojan.Micropsia-2
> # Hashes:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant infection report outbound connection"; flow:to_server,established; content:"/api/"; http_uri; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; content:"-Embt-Boundary-"; fast_pattern; http_client_body; content:"::Windows"; within:1000; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000379; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant screenshot exfiltration outbound connection"; flow:to_server,established; content:"/api/"; http_uri; content:"-Embt-Boundary-"; http_header; fast_pattern:only; content:"Accept: image/"; http_header; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000380; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia variant heartbeat outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/api/"; http_uri; content:"Googlebot"; http_header; fast_pattern:only; content:"-Embt-Boundary-"; http_header; content:"Accept-Encoding: UTF8|0D 0A|"; http_header; content:"-Embt-Boundary-"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000381; rev:1;)
> # --------------------
> # Date: 2018-07-25, Updated: 2018-10-23
> # Title: AgentTesla SMTP Exfil.
> # Reference: Research
> # Test: pcap + sandbox
> # Yara:
> #   - MALWARE_Win_Keylogger_AgentTesla
> # ClamAV:
> #   - MALWARE_Win.Keylogger.AgentTesla-1
> #   - MALWARE_Win.Keylogger.AgentTesla-2
> #   - MALWARE_Win.Keylogger.AgentTesla-3
> # Hashes:
> # Notes:
> #   - CVE-2017-11882 > opendir(s) > dropped binary.
> #   - opendir(s) files dumped (see screenshots).
> #   - the "test.doc" is also a CVE-2017-11882.
> #   - operated by "operations[at]tms-tamkers[.]com"
> #   - sid 8000207 was utterly wrong, fixed in rev:2.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: "; content:"Passwords Recovered From: "; within:150; fast_pattern; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000207; rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Keylogger.AgentTesla outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: "; content:"Screen Capture From: "; within:150; fast_pattern; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000382; rev:1;)

Hi Yaser,

Thanks for these submissions, we'll get these into our testing process
and get back to you as soon as possible.  We'd appreciate any pcaps
you'd be willing to share.  Thanks again!

-- 
Marcos Rodriguez
Cisco Talos
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
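To make the buffer-scoped options of sid:8000375 in the submission above concrete (uri content, fast_pattern body content, negated header content, body pcre), here is an added Python emulation of that rule's matching logic run over constructed HTTP requests. It is not part of the thread and not Snort's engine: it ignores the flow, port and $HOME_NET/$EXTERNAL_NET constraints, and the hostnames and field values in the samples are made up.

```python
import re
from typing import Tuple

# Rule options of sid:8000375 transcribed from the post; the emulation below is an
# added illustration, not Snort's matching engine, and skips flow/port constraints.
URI_CONTENT = "/gate.php"          # content:"/gate.php"; http_uri;
BODY_CONTENT = "version="          # content:"version="; http_client_body; fast_pattern;
NEGATED_HEADER = "Referer"         # content:!"Referer"; http_header;
# pcre:"/version\x3d([0-9]{3}\x255F)+/P" -> "version=" followed by one or more "DDD%5F"
BODY_PCRE = re.compile(r"version\x3d([0-9]{3}\x255F)+")


def parse_http_request(raw: bytes) -> Tuple[str, str, str, str]:
    """Split a raw HTTP/1.1 request into (method, uri, header block, body).

    Like Snort's http_header buffer, the header block excludes the request line.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.decode("latin-1").split(" ")
    method = parts[0] if parts else ""
    uri = parts[1] if len(parts) > 1 else ""
    return method, uri, header_block.decode("latin-1"), body.decode("latin-1")


def matches_sid_8000375(raw: bytes) -> bool:
    """Return True only when every option of the rule would match this request."""
    _method, uri, headers, body = parse_http_request(raw)
    if URI_CONTENT not in uri:
        return False
    if BODY_CONTENT not in body:          # the fast_pattern content gates the rest
        return False
    if NEGATED_HEADER in headers:         # negated content: any Referer header exits
        return False
    return BODY_PCRE.search(body) is not None


# Constructed sample requests (not captured traffic) exercising each condition.
BEACON = (b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 36\r\n\r\n"
          b"hwid=0011&version=001%5F002%5F&os=10")
BROWSER_FORM = (b"POST /gate.php HTTP/1.1\r\nHost: shop.example.invalid\r\n"
                b"Referer: http://shop.example.invalid/form\r\n\r\nversion=001%5F002%5F")
WRONG_FORMAT = b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\nversion=1.2.3"

if __name__ == "__main__":
    for name, sample in [("BEACON", BEACON), ("BROWSER_FORM", BROWSER_FORM),
                         ("WRONG_FORMAT", WRONG_FORMAT)]:
        print(f"{name}: {'ALERT' if matches_sid_8000375(sample) else 'no match'}")
```

Only BEACON alerts: BROWSER_FORM carries a Referer header, which the negated content rejects, and WRONG_FORMAT has a version value that fails the pcre even though the fast_pattern content "version=" is present.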


