Snort mailing list archives

Re: ThreadKit Documents


From: John Levy <johlevy () sourcefire com>
Date: Wed, 30 May 2018 09:23:28 -0400

Hi Yaser,

Thank you for your submissions. We will review the rules for ThreadKit and
for the following: CVE-2017-8570, Win.Trojan.Dropper, Nemucod, RoyalCli,
Ammyy, Valyria, Orcus, the Muhstik botnet, the Office user-agent, the Redis
worm, and lastly BITSAdmin. We will get back to you when finished. Lastly,
do you mind sending over the relevant pcaps you have for these submissions?
Thanks again!

Sincerely,

John Levy
Cisco Talos

On Tue, May 29, 2018 at 1:37 PM, O C via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

The below rules attempt to detect exploit documents generated by
ThreadKit. While there are rules to detect the exploit attempts, the
permissiveness of the RTF syntax may result in FN. The below sample hashes
were worked with and pcaps are available for these. As I stumble upon
more documents, I will update this thread. I added these under the
MALWARE-OTHER category since the rules do not look for the exploits, but
the documents themselves.

Some of the rules can be grouped using PCRE, but I kept them separate.
Some of the rules may also seem redundant, but the idea is to capture as
many variants as possible.

If this sounds like a bad idea, please let me know so I won't waste cycles
on them.

# --------------------
# Date: 2018-05-28
# Title: ThreadKit Documents
# Tests: pcap
# Reference: Research
# Hashes:
#   - bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c
#   - af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5
#   - 8e1c6f44b02e72b1c1c9af0ffdcee0fbe67fb8ee370bc67e4e01ec43f8b92ec9
#   - 53e8890f0d002d9611675419b3d8d0899b599c59f4557e105211d294bf92f023
#   - 2bb9d0d8166a8d330cb3c5be6fb60539fe29e05cc3acb4ac7ec3da233fb013ec

# HTTP
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding TXT
file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E747874";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000075;
rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding SCT
file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E736374";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000076;
rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding BAT
file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E626174";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000077;
rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - ActiveX Package embedding EXE
file"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E657865";
within:100; nocase; metadata:ruleset community, service ftp-data, service
http, service imap, service pop3; classtype:attempted-user; sid:8000078;
rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - objhtml mmath object obfuscation";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase;
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:attempted-user; sid:8000079; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - objhtml mmath object obfuscation
OLE2Link"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:50;
content:"OLE2Link"; within:150; nocase; metadata:ruleset community, service
ftp-data, service http, service imap, service pop3;
classtype:attempted-user; sid:8000080; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - objhtml object obfuscation
OLE2Link"; flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
content:"|5C|bin"; within:50; nocase; content:"OLE2Link"; within:150;
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:attempted-user; sid:8000081; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - objemb mmath object obfuscation";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objemb"; content:"|5C|objupdate"; distance:0;
content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase;
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:attempted-user; sid:8000082; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - picture object remote";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"METAFILEPICT"; content:"INCLUDEPICTURE |22|http"; distance:0;
content:"MZ"; within:200; metadata:ruleset community, service ftp-data,
service http, service imap, service pop3; classtype:attempted-user;
sid:8000083; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER ThreadKit document - distinct obj structure";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"|5C|object|5C|obj"; content:"|5C|objupdate";
pcre:"/\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv\x0a\x20/";
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:attempted-user; sid:8000084; rev:1;)

# SMTP
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - ActiveX Package embedding TXT file";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E747874";
within:100; nocase; metadata:ruleset community, service smtp;
classtype:attempted-user; sid:8000085; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - ActiveX Package embedding SCT file";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E736374";
within:100; nocase; metadata:ruleset community, service smtp;
classtype:attempted-user; sid:8000086; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - ActiveX Package embedding BAT file";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E626174";
within:100; nocase; metadata:ruleset community, service smtp;
classtype:attempted-user; sid:8000087; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - ActiveX Package embedding EXE file";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objdata"; distance:0;
content:"5061636B61676500"; distance:0; nocase; content:"2E657865";
within:100; nocase; metadata:ruleset community, service smtp;
classtype:attempted-user; sid:8000088; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - objhtml mmath object obfuscation";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase;
metadata:ruleset community, service smtp; classtype:attempted-user;
sid:8000089; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - objhtml mmath object obfuscation OLE2Link";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:50;
content:"OLE2Link"; within:150; nocase; metadata:ruleset community, service smtp;
classtype:attempted-user; sid:8000090; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - objhtml object obfuscation OLE2Link";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objhtml"; content:"|5C|objupdate"; distance:0;
content:"|5C|bin"; within:50; nocase; content:"OLE2Link"; within:150;
metadata:ruleset community, service smtp; classtype:attempted-user;
sid:8000091; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - objemb mmath object obfuscation";
flow:to_server,established; flowbits:isset,file.rtf; file_data;
content:"|5C|objemb"; content:"|5C|objupdate"; distance:0;
content:"|5C|mmath"; distance:0; content:"|5C|bin"; within:100; nocase;
metadata:ruleset community, service smtp; classtype:attempted-user;
sid:8000092; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - picture object remote"; flow:to_server,established;
flowbits:isset,file.rtf; file_data; content:"METAFILEPICT";
content:"INCLUDEPICTURE |22|http"; distance:0; content:"MZ"; within:200;
metadata:ruleset community, service smtp; classtype:attempted-user;
sid:8000093; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
ThreadKit document - distinct obj structure"; flow:to_server,established;
flowbits:isset,file.rtf; file_data; content:"|5C|object|5C|obj";
content:"|5C|objupdate";
pcre:"/\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv\x0a\x20/";
metadata:ruleset community, service smtp; classtype:attempted-user;
sid:8000094; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay
up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads


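An added example, not part of either message in this thread: a small Python triage script that applies the same ordered-content logic as the rules above (the ActiveX Package extension chain of sids 8000075-78, the objupdate/mmath/bin obfuscation chain of 8000079/80, and the 8000084 PCRE) to an RTF file offline, so a rule's byte patterns and windows can be checked against a sample before a pcap is cut. The `_chain` helper, the function names and the byte-string fixtures are my own constructions; the hex strings, the windows and the regex are taken from the rules.

```python
import re

# Byte strings taken from the rules: hex-encoded "Package\0" (the OLE Package
# class name) and the hex-encoded file extensions looked for after it.
PACKAGE_HEX = b"5061636B61676500"
EXT_HEX = {"txt": b"2E747874", "sct": b"2E736374", "bat": b"2E626174", "exe": b"2E657865"}

def _chain(data, start, steps):
    """Walk ordered content matches the way Snort's distance:0 / within:N do.
    steps are (needle, within_or_None, nocase); returns the end offset of the
    last match, or -1 as soon as a needle is missing from its allowed window."""
    pos = start
    for needle, within, nocase in steps:
        endpos = len(data) if within is None else pos + within  # within:N => must end by pos+N
        m = re.compile(re.escape(needle), re.IGNORECASE if nocase else 0).search(data, pos, endpos)
        if m is None:
            return -1
        pos = m.end()
    return pos

def activex_package_exts(rtf):
    """Rules 8000075-78: \\objhtml, \\objdata, hex "Package\\0", then a hex extension
    within 100 bytes. Returns the list of extensions found."""
    end = _chain(rtf, 0, [(b"\\objhtml", None, False), (b"\\objdata", None, False),
                          (PACKAGE_HEX, None, True)])
    if end < 0:
        return []
    return [ext for ext, hx in EXT_HEX.items() if _chain(rtf, end, [(hx, 100, True)]) >= 0]

def mmath_obfuscation(rtf, ole2link=False):
    """Rule 8000079 (ole2link=False) / 8000080 (ole2link=True): \\objhtml, \\objupdate,
    \\mmath, then \\bin within 100 bytes (50 when OLE2Link must also follow within 150)."""
    steps = [(b"\\objhtml", None, False), (b"\\objupdate", None, False), (b"\\mmath", None, False),
             (b"\\bin", 50 if ole2link else 100, not ole2link)]
    if ole2link:
        steps.append((b"OLE2Link", 150, True))
    return _chain(rtf, 0, steps) >= 0

# Rule 8000084's PCRE, unchanged: \object\obj(emb|html)\objupdate\v followed by LF and a space.
DISTINCT_OBJ = re.compile(rb"\x5cobject\x5cobj(emb|html)\x5cobjupdate\x5cv\x0a\x20")

def distinct_obj_structure(rtf):
    return DISTINCT_OBJ.search(rtf) is not None

# Constructed fixtures (not real samples): just enough bytes to exercise each chain.
SAMPLE_PACKAGE = (b"{\\rtf1{\\object\\objhtml\\objupdate\\v\n {\\*\\objdata "
                  b"5061636b6167650000001a00776f726b2e73637400}}}")
SAMPLE_MMATH = b"{\\rtf1{\\object\\objhtml\\objupdate\\mmath\\bin00000000 OLE2Link}}"
BENIGN = b"{\\rtf1 plain text {\\*\\objdata 5061636B61676500}}"
```

Feed a real sample with `open(path, "rb").read()` in place of the fixtures; a document that the Snort rule catches but this script misses (or the reverse) points at a window or nocase mismatch worth re-checking in the rule.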
