Re: Multiple signatures 004

[Marcos Rodriguez <mrodriguez () sourcefire com>]

On Thu, Jul 19, 2018 at 2:22 PM, Y M via Snort-sigs <
snort-sigs () lists snort org> wrote:

> Hi,
>
> Pcaps for some the signatures below are available.
>
> # --------------------
> # Date: 2018-07-08
> # Title: Osx.Trojan.Agent (Win.Trojan.Agent-6593123-0)
> # Tests: syntax only
> # Reference:
> #    - https://www.virustotal.com/#/file/86a588672837afdc1900ad9e78c7d0
> ae7a842bdd972dbdc5bdff2574a37f5acc/detection
> #    - https://www.malwares.com/report/file?hash=
> 86A588672837AFDC1900AD9E78C7D0AE7A842BDD972DBDC5BDFF2574A37F5ACC
> # Confidence: low
> # Notes: Domains are extracted from strings.
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS
> request for known malware domain apple-iclods.org - Osx.Trojan.Agent";
> flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|apple-iclods|03|org|00|";
> fast_pattern:only; metadata:ruleset community, service dns; reference:url,
> www.virustotal.com/#/file/86a588672837afdc1900ad9e78c7d0
> ae7a842bdd972dbdc5bdff2574a37f5acc/detection; reference:url,www.malwares.
> com/report/file?hash=86A588672837AFDC1900AD9E78C7D0
> AE7A842BDD972DBDC5BDFF2574A37F5ACC; classtype:trojan-activity;
> sid:8000181; rev:1;)
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS
> request for known malware domain apple-checker.org - Osx.Trojan.Agent";
> flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|apple-checker|03|org|00|";
> fast_pattern:only; metadata:ruleset community, service dns; reference:url,
> www.virustotal.com/#/file/86a588672837afdc1900ad9e78c7d0
> ae7a842bdd972dbdc5bdff2574a37f5acc/detection; reference:url,www.malwares.
> com/report/file?hash=86A588672837AFDC1900AD9E78C7D0
> AE7A842BDD972DBDC5BDFF2574A37F5ACC; classtype:trojan-activity;
> sid:8000182; rev:1;)
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS
> request for known malware domain apple-uptoday.org - Osx.Trojan.Agent";
> flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|apple-uptoday|03|org|00|";
> fast_pattern:only; metadata:ruleset community, service dns; reference:url,
> www.virustotal.com/#/file/86a588672837afdc1900ad9e78c7d0
> ae7a842bdd972dbdc5bdff2574a37f5acc/detection; reference:url,www.malwares.
> com/report/file?hash=86A588672837AFDC1900AD9E78C7D0
> AE7A842BDD972DBDC5BDFF2574A37F5ACC; classtype:trojan-activity;
> sid:8000183; rev:1;)
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS
> request for known malware domain apple-search.info - Osx.Trojan.Agent";
> flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|apple-search|04|info|00|";
> fast_pattern:only; metadata:ruleset community, service dns; reference:url,
> www.virustotal.com/#/file/86a588672837afdc1900ad9e78c7d0
> ae7a842bdd972dbdc5bdff2574a37f5acc/detection; reference:url,www.malwares.
> com/report/file?hash=86A588672837AFDC1900AD9E78C7D0
> AE7A842BDD972DBDC5BDFF2574A37F5ACC; classtype:trojan-activity;
> sid:8000184; rev:1;)
>
> # --------------------
> # Date: 2018-07-08
> # Title: Worm.Win32.VBNA, Trojan:Win32/Fuery, WebMonitor RAT
> # Tests: syntax only
> # Reference:
> #    - APR. Report: https://researchcenter.paloaltonetworks.com/2018/04/
> unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/
> #    - JUN. Report: https://twitter.com/sysopfb/status/1014176408996741120
> # Confidence: low
> # Notes: The signature was created back on April, but was held due to lack
> of information.
> #        Samples from April and June appear to have the same C&C patterns.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Worm.VBNA variant outbound connection"; flow:to_server,established;
> urilen:10; content:"/recv3.php"; fast_pattern:only; http_uri;
> content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B|
> WinHttp.WinHttpRequest.5)"; http_header; content:"POST"; http_method;
> metadata:ruleset community, service http; reference:url,www.virustotal.
> com/#/file/26c2ffd2de0636707a26f6e99318cdfbbe26d558cd82a1e2e2812f43fff5
> 3da3/behavior; classtype:trojan-activity; sid:8000185; rev:2;)
>
> # --------------------
> # Date: 2018-07-18
> # Title: Win.Trojan.Presenoker
> # Tests: pcap (partial)
> # Reference:
> #    - https://twitter.com/CDA/status/1014144988454772736
> #    - https://www.virustotal.com/#/file/845a0e5720a6288794a6452adb8d3e
> 7c22f5e6e6b9d4f7481fbd30e3efba4f28/detection
> #    - https://otx.alienvault.com/pulse/5b3e11189a311930b6ad4928
> # Confidence: low
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Presenoker outbound connection"; flow:to_server,established;
> content:"/?computer-name="; fast_pattern:only; http_uri;
> content:"&username="; http_uri; metadata:ruleset community, service http;
> reference:url,www.virustotal.com/#/file/845a0e5720a6288794a6452adb8d3e
> 7c22f5e6e6b9d4f7481fbd30e3efba4f28/detection; classtype:trojan-activity;
> sid:8000186; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Presenoker outbound connection"; flow:to_server,established;
> content:"/index.php?username="; http_uri; content:"&OSname=";
> fast_pattern:only; http_uri; metadata:ruleset community, service http;
> reference:url,www.virustotal.com/#/file/845a0e5720a6288794a6452adb8d3e
> 7c22f5e6e6b9d4f7481fbd30e3efba4f28/detection; classtype:trojan-activity;
> sid:8000187; rev:1;)
>
> # --------------------
> # Date: 2018-07-18
> # Title: Win.Trojan.FalChil
> # Tests: pcap
> # Reference:
> #    - https://twitter.com/darienhuss/status/1014937916815048704
> #    - https://www.virustotal.com/#/file/d060123c21869b765b22b712a8ca47
> 266a33464095411e2b7bdf7e327d23ed07/detection
> # Confidence: low
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.FalChil outbound connection"; flow:to_server,established;
> content:"/board.asp"; fast_pattern:only; http_uri; content:"msgid=";
> http_client_body; content:"&id="; http_client_body; metadata:ruleset
> community, service http; reference:url,www.virustotal.com/#/file/
> d060123c21869b765b22b712a8ca47266a33464095411e2b7bdf7e327d23ed07/detection;
> classtype:trojan-activity; sid:8000188; rev:1;)
>
> # --------------------
> # Date: 2018-07-19
> # Title: JS.Agent.Dropper
> # Tests: pcap
> # Reference:
> #    - https://www.fireeye.com/blog/threat-research/2018/07/
> chinese-espionage-group-targets-cambodia-ahead-of-elections.html
> #    - https://www.virustotal.com/#/file/075e66b5c3c5c2ce6f9d3aea86a72f
> ed09f0eb91c03ec7dbbdb17d9d851807c8/detection
> #    - https://www.virustotal.com/#/file/c5985720c542567b906b2329036d87
> 2d0d4ab380d1ea19a38c5ec6551be380ff/detection
> # Confidence: low
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> JS.Agent.Dropper - AirBreak Downloader outbound connection";
> flow:to_server,established; urilen:10; content:"/?news"; fast_pattern:only;
> http_uri; content:"MSIE 9.0|3B| Windows NT 6.1|3B|"; http_header;
> content:!"Referer"; http_header; pcre:"/\/[a-z]{3}\/\x3fnews$/Ui";
> metadata:ruleset community, service http; reference:url,www.virustotal.
> com/#/file/075e66b5c3c5c2ce6f9d3aea86a72fed09f0eb91c03ec7dbbdb17d9d8518
> 07c8/detection; reference:url,www.virustotal.com/#/file/
> c5985720c542567b906b2329036d872d0d4ab380d1ea19a38c5ec6551be380ff/detection;
> classtype:trojan-activity; sid:8000189; rev:1;)
>
> Thanks.
> YM

Hi Yaser,

Thanks for these submissions. We will review each of them and get back to
you when finished.  We'd appreciate any pcaps you could send. Have a great
day!


-- 
Marcos Rodriguez
Cisco Talos

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!