
List:       snort-sigs
Subject:    Re: [Snort-sigs] Multiple signatures 017
From:       Marcos Rodriguez <mrodriguez () sourcefire ! com>
Date:       2018-11-05 21:00:24
Message-ID: CAN1T9epuORnmxPZYW=GZ35KbhheH53+arJ1-BYc=zuE4B7BRtQ () mail ! gmail ! com

On Mon, Nov 5, 2018 at 12:28 PM Y M via Snort-sigs
<snort-sigs@lists.snort.org> wrote:
> 
> Hi,
> 
> You folks beat me to the octopus sigs! Pcaps and Yara/ClamAV signatures for the majority of the cases below are available.
> Have a good week!
> YM
> 
> # --------------------
> # Date: 2018-10-27
> # Title: New TeleBots backdoor: First evidence linking Industroyer to NotPetya
> # Reference: Triage from: https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/
> # Tests: syntax only
> # Yara:
> #   - MALWARE_Linux_Backdoor_Exaramel
> #   - MALWARE_Win_Backdoor_Exaramel
> # ClamAV:
> #   - MALWARE_Linux.Backdoor.Exaramel
> #   - MALWARE_Win.Backdoor.Exaramel
> # Hashes:
> #   - Linux: c39b4105e1b9da1a9cccb1dace730b1c146496c591ce0927fb035d48e9cb5c0f
> #   - Windows: 2f12fd3fb35f8690eea80dd48de98660c55df7f5c26b49d0cc82aaf3635b0c7a
> # Notes:
> #   - C&C is over TOR/HTTPS, and domains are unique so we tag on DNS.
> 
> alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC DNS request to known malicious \
> domain - Backdoor.Exaramel"; flow:to_server; byte_test:1,!&,0xF8,2; \
> content:"|08|um10eset|03|net"; fast_pattern:only; metadata:ruleset community, \
> service dns; classtype:trojan-activity; sid:8000386; rev:1;) 
> alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC DNS request to known malicious \
> domain - Backdoor.Exaramel"; flow:to_server; byte_test:1,!&,0xF8,2; \
> content:"|09|esetsmart|03|org"; fast_pattern:only; metadata:ruleset community, \
> service dns; classtype:trojan-activity; sid:8000387; rev:1;) 
> # --------------------
> # Date: 2018-10-27
> # Title: The wolf in sheep's clothing - undressed
> # Reference: Triage from:
> #   - https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf
> #   - https://pastebin.com/nwyggzcG
> # Tests: syntax only
> # Yara:
> #   - MALWARE_Win_Trojan_W1
> #   - MALWARE_Andr_Trojan_SpyCall
> # ClamAV:
> #   - MALWARE_Win.Trojan.W1
> #   - MALWARE_Andr.Trojan.SpyCall
> # Hashes:
> #   - Windows:
> #   - Android:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC \
> Andr.Trojan.SpyCall outbound connection"; flow:to_server,established; \
> content:"/mobileIpInfo"; fast_pattern:only; http_uri; content:"device_id="; \
> http_client_body; content:"&upload_datatime="; http_client_body; \
> content:!"User-Agent"; http_header; metadata:ruleset community, service http; \
> classtype:trojan-activity; sid:8000388; rev:1;) 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC \
> Andr.Trojan.SpyCall outbound connection"; flow:to_server,established; \
> content:"/deviceStatus?"; fast_pattern:only; http_uri; content:"total_space="; \
> http_uri; content:"&battery_status="; http_uri; content:"&uuid="; http_uri; \
> content:"&space_available="; http_uri; content:!"User-Agent"; http_header; \
> metadata:ruleset community, service http; classtype:trojan-activity; sid:8000389; \
> rev:1;) 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC \
> Andr.Trojan.SpyCall outbound connection"; flow:to_server,established; \
> content:"/deviceInfo"; fast_pattern:only; http_uri; content:"uuid="; \
> http_client_body; content:"&data="; http_client_body; content:!"User-Agent"; \
> http_header; metadata:ruleset community, service http; classtype:trojan-activity; \
> sid:8000390; rev:1;) 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC \
> Andr.Trojan.SpyCall outbound connection"; flow:to_server,established; \
> content:"/wifiInfo"; fast_pattern:only; http_uri; content:"data="; \
> http_client_body; content:"&device_id="; http_client_body; \
> content:"&upload_datatime="; http_client_body; content:!"User-Agent"; http_header; \
> metadata:ruleset community, service http; classtype:trojan-activity; sid:8000391; \
> rev:1;) 
> # --------------------
> # Date: 2018-10-30
> # Title: VestaCP compromised in a new supply-chain attack
> # Reference: Triage from: https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/
> # Tests: syntax only
> # Yara:
> #   - MALWARE_Linux_Trojan_ChaChaDDoS
> # ClamAV:
> #   - MALWARE_Linux.Trojan.ChaChaDDoS
> # Hashes:
> #   - fba737436bdbf1461b3092b79fea0770302aeaed79389eb60b5c45c3bfc9f693
> #   - 90c7789444442b1d660c85bf6aedeb78d5a8448cb15f9c8b1e946e24a7a2ced1
> #   - 5486da1345850f9074802c1f68833bfa63835aadd7fe649f8f424e359846438f
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC \
> Linux.Trojan.ChaChaDDoS outbound connection"; flow:to_server,established; \
> content:"TE: trailers"; fast_pattern:only; http_header; content:"Connection: close, \
> TE|0D 0A|"; http_header; content:"macaddresss="; http_client_body; \
> content:"&device="; http_client_body; content:"&type="; http_client_body; \
> metadata:ruleset community, service http; classtype:trojan-activity; sid:8000393; \
> rev:1;) 
> # --------------------
> # Date: 2018-11-01
> # Title: Paleontology: The Unknown Origins of Lazarus Malware
> # Reference: Triage from: https://www.intezer.com/paleontology-the-unknown-origins-of-lazarus-malware/
> # Tests: pcaps
> # Yara:
> #   - MALWARE_Win_Trojan_CasperTroy
> # ClamAV:
> #   - MALWARE_Win.Trojan.CasperTroy
> # Hashes:
> #   - 458ffcc41959599f8dab1fd4366c9a50efefa376e42971c4a436aa7fd697a396
> #   - d1cf03fbcb6471d44b914c2720821582fb3dd81cb543f325b2780a5e95046395
> #   - 926a2e8c2baa90d504d48c0d50ca73e0f400d565ee6e07ad6dafdd0d7b948b0e
> #   - c62ec66e45098d2c41bfd7a674a5f76248cf4954225c2d3a2cfcd023daa93522
> #   - ec73fe2ecc2e0425e4aeb1f01581b50c5b1f8e85475c20ea409de798e6469608
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC \
> Win.Trojan.CasperTroy outbound connection"; flow:to_server,established; \
> content:"/write_ok.php"; fast_pattern:only; content:"|3B| name=|22|image|22|"; \
> http_client_body; content:"|3B| name=|22|PHP_SESS_ID|22|"; http_client_body; \
> content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset \
> community, service http; classtype:trojan-activity; sid:8000394; rev:1;) 
> # --------------------
> # Date: 2018-10-30
> # Title: Obfuscated CVE-2017-11882 RTFs
> # Reference: Research
> # Tests: pcap (f2p)
> # Yara:
> #   - FILE_OFFICE_RTF_CVE_2017_11882_Obf1
> # ClamAV:
> #   - FILE_OFFICE.RTF.CVE_2017_11882-Obf1
> # Hashes:
> #   - 435c008f237fc813012fde304f6ebfae1bff52983a8f9883725be4a7859b7604
> #   - 6a0c1e962f7776b33cf7ea434b3291a72a7656b7d8fa52f1aa919c2877c476b0
> #   - 75f74810d00e2e483f55097d8ea85a5b6c8120653b208627f42e623e67bab7a2
> #   - adb6c1460b90340a3939f78ddc1f9dd2c3d53c45025b9dbe6d553cda2a11bcca
> # Notes:
> #   - Drops stuff from Bit.ly:
> #     - hxxp://bit[.]ly/2MCgjQ3
> #     - hxxp://bit[.]ly/2xwfwdO
> #     - hxxp://bit[.]ly/2MDaLVp
> #     - hxxp://bit[.]ly/2MCTonI
> 
> alert tcp  $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office \
> Equation Editor RTF remote shell download/execution attempt"; \
> flow:to_server,established; flowbits:isset,file.rtf; file_data; \
> content:"|5C|objdata"; content:"6551754174496F4E2E33"; nocase; fast_pattern:only; \
> content:"4C6F61644C696272617279"; nocase; \
> content:"55524C446F776E6C6F6164546F46696C65"; nocase; distance:0; \
> content:"5368656C6C45786563757465"; nocase; distance:0; metadata:ruleset community, \
> service smtp; reference:cve,2017-11882; classtype:attempted-user; sid:8000392; \
> rev:1;) 
> # --------------------
> # Date: 2018-11-01
> # Title: opendir with different malware families
> # Reference: Research
> # Tests: pcaps
> # Yara:
> #   - MALWARE_Win_Keylogger_AutoIt_Dropper_PAK
> #   - MALWARE_Win_Keylogger_AutoIt_Dropper_UNPAK
> #   - MALWARE_Win_Keylogger_AgentTesla_Raw
> #   - MALWARE_Win_Trojan_FormBook_VAR
> # ClamAV:
> #   - MALWARE_Win_Keylogger_AutoIt_Dropper
> #   - MALWARE_Win_Keylogger_AgentTesla_Raw
> #   - MALWARE_Win_Trojan_FormBook_VAR
> # Hashes:
> #   - AutoIt (Unpacked):
> #   - AgentTesla:
> #     - 692f007b9d03f7edc4c966180ce8bdfadc907660748c9b2f41c2050cf98117b2
> #     - 7053ab67fe41285a3d14939fc48951667e22fa8f5889d479145cd2e34c52a5a1
> #   - FormBook:
> #     - 5fd356d494c6d628e67932a02b981c73c9d2835a95d35a7c7b9b9669ad8525c8
> #     - dc752377ff7837cb30c747da01a60622aa5147cb87c91a63053c721864e109d9
> #     - eb74f48ad128d469e9865cefeec2abb0c150d77bee7c0b30fb0e188f878dea97
> # Notes:
> #   - Previous SIDs 8000207 and 8000382 trigger on AgentTesla traffic.
> #   - Previous SID 8000225 triggers on FormBook traffic.
> #   - Keylogger AutoIt drops PWS LaZagne, Yara TOOL_PWS_LaZagne is still valid,
> #     C&C over smtps.
> #   - opendir and sample keylogs screenshot attached.
> #   - opendir still alive and changing binaries.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE \
> suspicious AutoIt outbound connection attempt"; flow:to_server,established; \
> urilen:<20; content:"User-Agent: AutoIt|0D 0A|"; fast_pattern:only; http_header; \
> content:!"Connection"; http_header; content:!"Accept"; http_header; \
> content:!"Content"; http_header; content:!"Referer"; http_header; metadata:ruleset \
> community, service http; classtype:trojan-activity; sid:8000395; rev:1;) 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PWS \
> LaZagne tool download attempt"; flow:to_client,established; \
> flowbits:isset,file.exe; file_data; content:"LaZagne"; fast_pattern:only; \
> metadata:ruleset community, service http; classtype:trojan-activity; sid:8000396; \
> rev:1;) 
> # --------------------
> # Date: 2018-11-02
> # Title: Win.Trojan.Backnet
> # Reference: Triage from: https://twitter.com/thor_scanner/status/1058345481401708545
> # Tests: pcap
> # Yara:
> #   - MALWARE_Win_Trojan_Backnet
> #   - FILE_OFFICE_PUB_MSIEXEC_Remote
> # ClamAV:
> #   - MALWARE_Win.Trojan.Backnet
> #   - FILE_OFFICE.PUB.MSIEXEC_Remote
> # Hashes:
> #   - Pub docs:
> #     - 07668be9095b8818c8a59b4c7dc201b21c985ab831c2a1f784c0b236657e8fda
> #     - 09225b1adb8e07f293d97f7015cc95322043d4cc2e1cc9b1a4d5418afe319d72
> #     - 0eb1d233dd748cdbc5ee0a16812bf754de23347ea92340174ce0a06247feafa2
> #     - 13c7e4150d97b4b6b23fc7875cae60ead3a06ce95750421622c6b821f5bcde7a
> #   - Backnet:
> #     - 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc
> # Notes:
> #   - Both SIDs are for the same detection but one does not rely on uri.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC \
> Win.Trojan.Backnet variant outbound connection"; flow:to_server,established; \
> content:"/backnet/"; nocase; fast_pattern:only; http_uri; content:"data="; \
> http_client_body; content:"host_key"; distance:0; http_client_body; \
> content:!"User-Agent"; http_header; metadata:ruleset community, service http; \
> classtype:trojan-activity; sid:8000397; rev:1;) 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC \
> Win.Trojan.Backnet variant outbound connection"; flow:to_server,established; \
> content:"data="; http_client_body; content:"host_key"; distance:0; \
> http_client_body; content:"name"; distance:0; http_client_body; fast_pattern; \
> content:"Expect:"; http_header; content:!"User-Agent"; http_header; \
> content:!"Connection"; http_header; metadata:ruleset community, service http; \
> classtype:trojan-activity; sid:8000398; rev:1;) 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE MSI \
> outbound connection to short URL"; flow:to_server,established; \
> flowbits:isset,file.pub|file.doc; urilen:<10; content:"User-Agent: Windows \
> Installer|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, \
> service http; classtype:trojan-activity; sid:8000399; rev:1;) 
> alert tcp any any -> any 25 (msg:"FILE-OFFICE Microsoft Office Publisher file with \
> msiexec and wscript execution"; flow:to_server,established; \
> flowbits:isset,file.pub; file_data; content:"msiexec.exe"; nocase; \
> fast_pattern:only; content:"WScript.Shell"; nocase; distance:0; metadata:ruleset \
> community, service smtp; classtype:attempted-user; sid:8000400; rev:1;)

Hi Yaser,

Thanks so much for the latest batch of goodness.  We'd appreciate any
pcaps, etc you'd be willing to share!  Thanks again!

-- 
Marcos Rodriguez
Cisco Talos
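Added example, not part of the original thread or the submitted rules: a small Python model of the two match conditions in the quoted Backdoor.Exaramel DNS rules (byte_test:1,!&,0xF8,2 and the length-prefixed content:"|08|um10eset|03|net"), run over constructed DNS queries to show what the signature does and does not fire on. The query builder and the test names other than the two domains from the rules are constructed for illustration.

```python
import struct

def encode_qname(hostname: str) -> bytes:
    """DNS wire form of a name: each label prefixed by its length byte, then a 0x00 root label."""
    labels = hostname.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def build_query(hostname: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Constructed sample DNS message: 12-byte header plus one A/IN question.
    flags=0x0100 is a standard recursive query; 0x8180 is a typical response."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(hostname) + struct.pack("!HH", 1, 1)

def content_pattern(hostname: str) -> bytes:
    """The bytes behind content:"|08|um10eset|03|net": the encoded name without
    its 0x00 terminator, so queries for subdomains still contain the pattern."""
    return encode_qname(hostname)[:-1]

def byte_test_not_and(payload: bytes, size: int, mask: int, offset: int) -> bool:
    """Model of Snort byte_test:<size>,!&,<mask>,<offset>: true when (value & mask) == 0."""
    value = int.from_bytes(payload[offset:offset + size], "big")
    return (value & mask) == 0

def exaramel_dns_rule_matches(payload: bytes, hostname: str) -> bool:
    """Both detection options of the quoted rule, ANDed as Snort evaluates them.
    Offset 2 is the high byte of the DNS flags (QR, Opcode, AA, TC, RD); mask 0xF8
    covers QR and the four Opcode bits, so only standard queries, not responses,
    can satisfy the rule."""
    return (byte_test_not_and(payload, 1, 0xF8, 2)
            and content_pattern(hostname) in payload)

if __name__ == "__main__":
    # Constructed cases: the C2 domain, a subdomain, a look-alike TLD, and a response.
    for name, flags in [("um10eset.net", 0x0100), ("www.um10eset.net", 0x0100),
                        ("um10eset.network", 0x0100), ("um10eset.net", 0x8180)]:
        hit = exaramel_dns_rule_matches(build_query(name, flags=flags), "um10eset.net")
        print(f"{name:20s} flags=0x{flags:04x} -> {'ALERT' if hit else 'no match'}")
```

The length prefixes are what keep the pattern from firing on a name such as um10eset.network that merely contains the string "um10eset.net", and the byte_test keeps the rule quiet on the resolver's responses.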
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs
