
Multiple signature 021


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 15 Jan 2019 17:41:15 +0000

Hi,

Here is a batch of signatures; PCAPs and Yara/ClamAV signatures are available alongside them. Also attaching two 
screenshots for Ditniu/Siggen2/Zenpak to go along with the notes section.

Thank you.
YM

# --------------------
# Date: 2019-01-05
# Title: Tools Trade
# Reference: Research
#   - hxxps://github[.]com/DarthTon/Blackbone
#   - hxxps://github[.]com/djhohnstein/SharpWeb
#   - hxxps://github[.]com/ptoomey3/Keychain-Dumper
#   - www[.]rootkiter[.]com/earthworm
# Tests: pcaps (f2p)
# Yara:
#   - TOOL_PWS_SharpWeb
#   - TOOL_CNC_Earthworm
#   - TOOL_PWS_KeychainDumper
#   - TOOL_PWS_Blackbone
# ClamAV:
#   - TOOL.PWS.SharpWeb
#   - TOOL.CNC.Earthworm
#   - TOOL.PWS.KeychainDumper
#   - TOOL.PWS.Blackbone
# Hashes: NA
# Notes:
#   - Maybe add SMB rules for host-to-host transfers
#     during lateral movement?

# Review notes (rules are line-wrapped by the list archive; each is one line in
# the rules file). All five rules below match strings embedded in the tool
# binaries while they are being downloaded (file_data, to_client), so they fire
# on the transfer, not on execution. The header lists no hashes (Hashes: NA),
# so these strings are the only indicator. file_data is filled by the protocol
# inspectors and the metadata only declares service http; the SMB host-to-host
# transfers raised in the Notes are not covered by these rules.

# sid:8000444 - UTF-16LE "\BlackBone" (|5C 00| is the backslash), presumably a
# path or module-name fragment inside the binary - confirm against the pcap.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Blackbone password memory dumper download 
attempt"; flow:to_client,established; file_data; content:"|5C 00|B|00|l|00|a|00|c|00|k|00|B|00|o|00|n|00|e|00|"; 
fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000444; rev:1;)

# sid:8000445 - plain ASCII name "BBHideVAD" as the sole match and fast pattern.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Blackbone password memory dumper download 
attempt"; flow:to_client,established; file_data; content:"BBHideVAD"; fast_pattern:only; metadata:ruleset community, 
service http; classtype:trojan-activity; sid:8000445; rev:1;)

# sid:8000446 - both strings must be present; "Make_Net_CMD" is the fast
# pattern, "understand_and_do_it" is a second, unanchored check.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Earthworm CnC tool download attempt"; 
flow:to_client,established; file_data; content:"Make_Net_CMD"; fast_pattern:only; content:"understand_and_do_it"; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000446; rev:1;)

# sid:8000447 - "dumpKeychainEntitlements" is the fast pattern; the second
# content "Password" is generic on its own and only narrows the first match.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE KeychainDumper Keychain dumper tool download 
attempt"; flow:to_client,established; file_data; content:"dumpKeychainEntitlements"; fast_pattern:only; 
content:"Password"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000447; rev:1;)

# sid:8000448 - "<encryptedPassword>k__BackingField" is the compiler-generated
# name of a C# auto-property backing field, so this keys on the .NET metadata
# of the SharpWeb assembly; |00| is the NUL separating the two field names.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE SharpWeb browser password dumper tool download 
attempt"; flow:to_client,established; file_data; content:">k__BackingField|00|<encryptedPassword>k__BackingField"; 
fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000448; rev:1;)

# --------------------
# Date: 2019-01-08
# Title: Osx.Trojan.LamePyre
# Reference:
#   - https://blog.malwarebytes.com/detections/osx-lamepyre/
#   - https://objective-see.com/blog/blog_0x3C.html
# Tests: pcaps
# Yara:
#   - MALWARE_Osx_Trojan_LamePyre
# ClamAV:
#   - MALWARE_Osx.Trojan.LamePyre
# Hashes:
#   - a899a7d33d9ba80b6f9500585fa108178753894dfd249c2ba64c9d6a601c516b > .app
#   - 3952499a96ee1ce49b0b4a2eabaa9ea819012cf146cc95d5a0c876938bdfb65c > Application Stub
#   - 88d5e1cfdc6bf3824cb5227827ba2f790eaaad512693de6b72d29fdb1db46081 > helper
#   - 31935f731329487c87b96653f6c3936cca6cbed64f800ad24047e3bfa1434969 > systemkeep

# sid:8000449 - no explicit fast_pattern, so Snort chooses one itself (by
# default the longest content); mark "/index.asp" if the pcaps show it is
# distinctive enough. The header profile (Connection: close, Accept-Encoding:
# identity, no Accept, no Referer) looks like the default header set of
# Python's urllib - confirm - in which case any urllib client fetching a
# 10-byte "/index.asp" URI also matches; if the sample sends a fixed
# User-Agent, adding it would tighten this.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.LamePyre initial outbound 
connection"; flow:to_server,established; urilen:10; content:"/index.asp"; http_uri; content:"Connection: close|0D 0A|"; 
http_header; content:"Accept-Encoding: identity|0D 0A|"; http_header; content:!"Accept:"; http_header; 
content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000449; 
rev:1;)

# sid:8000450 - multipart upload to /handler.php?uid=...; the "Expect:" header
# and the absence of Connection/Referer headers are what separate it from
# ordinary form posts to a similarly named handler.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.LamePyre screenshot exfiltration 
outbound connection"; flow:to_server,established; content:"/handler.php?uid="; fast_pattern:only; http_uri; 
content:"Expect:"; http_header; content:"Content-Type: multipart/form-data"; http_header; content:!"Connection"; 
http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; 
sid:8000450; rev:1;)

# sid:8000451 - keys on the upload filename "alloy.png" in the client body;
# this only holds while the filename stays hard-coded in the sample.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.LamePyre screenshot exfiltration 
outbound connection"; flow:to_server,established; content:"|3B| filename=|22|alloy.png|22|"; fast_pattern:only; 
http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000451; rev:1;)

# --------------------
# Date: 2019-01-08
# Title: Osx.Trojan.FairyTail
# Reference:
#   - https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/
#   - https://objective-see.com/blog/blog_0x3C.html
# Tests: pcaps
# Yara:
#   - MALWARE_Osx_Trojan_Genieo
#   - MALWARE_Osx_Trojan_MacSearch
# ClamAV:
#   - MALWARE_Osx.Trojan.Genieo
#   - MALWARE_Osx.Trojan.MacSearch
# Hashes:
#   - 4eaa4caea4ac543516ffc9954a901e8b8e8c623fcce48304ea74d7a74218683b > .app
#   - 850b4f620e874ed6117c7e1d15dd1c502d7e38cd4dd872753d502f39e3a5c8d8 > LinqurySearch
#   - f54bb130f750f77546aebf690ba4b89f0ddb3c27a5e297383d0a30bcaa5f9cb4 > macsearch
#   - a9a7a1c48cd1232249336749f4252c845ce68fd9e7da85b6da6ccbcdc21bcf66 > SpellingChecker

# Naming: sid:8000452 says "FairyTail" in its msg while sid:8000453-8000455 and
# the reference URL say "FairyTale"; settle on one spelling before submission.

# sid:8000452 - "SpellingChecker/" is matched anywhere in the request headers
# (no "User-Agent: " prefix), so it also fires if the string shows up in some
# other header; presumably it is the User-Agent - confirm in the pcap.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.FairyTail initial outbound connection 
request"; flow:to_server,established; urilen:10; content:"/hello.txt"; fast_pattern:only; http_uri; 
content:"SpellingChecker/"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; 
sid:8000452; rev:1;)

# sid:8000453 - fast_pattern:only applies to the User-Agent content preceding
# it; "/download/" is a second, unanchored URI substring check.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.FairyTale outbound connection 
attempt"; flow:to_server,established; content:"/download/"; http_uri; content:"User-Agent: LinqurySearch"; http_header; 
fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000453; rev:1;)

# sid:8000454 / sid:8000455 - same fast pattern ("User-Agent: macsearch/") with
# different unanchored URI fragments; the User-Agent alone is shared by the
# two rules, so the URI check is what keeps them distinct.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.FairyTale outbound connection 
attempt"; flow:to_server,established; content:"User-Agent: macsearch/"; fast_pattern:only; http_header; 
content:"/MaxMind.asmx/"; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000454; 
rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.FairyTale outbound connection 
attempt"; flow:to_server,established; content:"User-Agent: macsearch/"; fast_pattern:only; http_header; 
content:"StatisticsService.svc/"; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; 
sid:8000455; rev:1;)

# --------------------
# Date: 2019-01-09
# Title: Win.Trojan.Agent
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_Agent
# ClamAV:
#   - MALWARE_Win.Trojan.Agent
# Hashes:
#   - 4fd37dc5eaa90a02a53b2c2df42c21e6017a925b65cedf62c69aa757be49e144

# sid:8000458 - the first content ("/get.php HTTP/1.0") is a raw-payload match
# flagged fast_pattern:only, so it is used only by the fast-pattern matcher and
# not evaluated as a rule option; the next content uses within:20, which is
# relative to the previous match, but lives in a different buffer
# (http_client_body). The header says this was tested against pcaps, so confirm
# Snort evaluates that combination as intended; otherwise anchor the body string
# with depth/offset rather than a relative modifier. The negated User-Agent and
# Connection headers make the absence of those headers part of the signature.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent outbound connection attempt"; 
flow:to_server,established; content:"/get.php HTTP/1.0"; fast_pattern:only; content:"=JWExJTNkaSUxOH"; within:20; 
http_client_body; content:!"User-Agent"; http_header; content:!"Connection"; http_header; metadata:ruleset community, 
service http; classtype:trojan-activity; sid:8000458; rev:1;)

# --------------------
# Date: 2019-01-10
# Title: Win.Trojan.Ditniu/Siggen2/Zenpak
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_Ditniu
# ClamAV:
#   - MALWARE_Win.Trojan.Ditniu-VAR1
#   - MALWARE_Win.Trojan.Ditniu-VAR2
#   - MALWARE_Win.Trojan.Ditniu-VAR3
#   - MALWARE_Win.Trojan.Ditniu-Signed-Revoked
#   - MALWARE_Win.Trojan.Ditniu-Signed1
#   - MALWARE_Win.Trojan.Ditniu-Signed2
#   - MALWARE_Win.Trojan.Ditniu-Signed3
# Hashes:
#   - 3a835af7d9da2a2f033ca685bac69a9c853b218f553eec742ca1e2c474f5ce78 > NSIS Archive, sample not acquired
#   - 3969347db2908336311c9b13d3ece00fd8e28c181a5eac556036bc3d48e56dac
#   - 3d3fc2e343a08ecd24b5b4d0a040e956f276c292786eddc46d9725d7043e669e
#   - 4aea200d1080627722df30737dac955dc987f0ffc67cd7861a6440e94dd164e7 > Password-protected NSIS, Password: 
X9e5UD6AN1vQCK08DM4O
#   - 5a58e561d49ba36292bf603cf516a1cef686e17285d466e5c1979d266227f0e6
#   - 7a6477c2e7e38becf1861fe5253641dcd789b5c523b9d788114befa21b748780
#   - 7ceca4f5ca3ef254f7d6e2c0a217966a2d948b613b0ae476d34b0ece9704da4c > Extracted from 4aea200d10
#   - 7cefbff477eeb8f410a5857babf933d14494df4cb74cec5482dbf8199e64a5bf
#   - 922dd1efeb601b375bf638d1cdbb6cbd1e74d1a0aa48daf73bd59c13eacd4f45 > Extracted from b689104dfc
#   - 94e6ba63cf9d38339146b1425ff08588359056d327e94c4f26963d705d78325c
#   - 96f70e5272ab59e0d28007a6f730fbf8ccf186b6357cc945a7a45d60bfb18f9d
#   - 9c2a5540b68eebe84c446a05763869ac6ba59b76151bf697639f45c7422a8ad7
#   - 9f13dc99e0faf99e0a66e1c5cb2cc5ed950224d96f5c9c2a2cfd343d9de2ddd3 > NSIS Archive, sample not acquired
#   - b37e7c2dc32f010682ef024f9b99e962347ad3f3be2c6f1a00a08cb7a929a3fb
#   - b689104dfcb1974ab48556505fb9dc6e1a356c21fda59d5d954f85b16b19a1bc > Password-protected NSIS, Password: 
X9e5UD6AN1vQCK08DM4O
#   - c053dc67c13eddce93ae2d17d8fb1958a0ed71657e93ed540e6c0d1ea92b6129 > Extracted from efcee275d2
#   - d60e7f5f03ffcd04c3f69add8b63763294bc59d14572fd1a3bf767accd9ff1f6
#   - dfff04d811715510176326a190d576d66cec3a92d01829f5bbcc291182682e55
#   - efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74 > Password-protected NSIS, Password: 
X9e5UD6AN1vQCK08DM4O
#   - f52c4b49bba43c68c0a5436e8c6c2c45c7b4de19729fcedf4343b430fff31bac
#   - f612e561ebca13ee093402526468b8638d1591fadbdfd31ec3fbc1c73b89d41c > NSIS Archive, sample not acquired
#   - f875662a13179e215f8f92cb174d7a3988cde71495ae2c7a412c442c676f2889
# Notes:
#   - Variants connect to a specific set of IPs with the same packet structure.
#   - All password-protected NSIS archives use the same password > X9e5UD6AN1vQCK08DM4O (screenshot attached).
#   - Binaries extracted from the NSIS archives have a .cab extension.
#   - Persisted binaries have similar naming conventions.
#   - Anti-debug (screenshot attached):
#     boxservice.exe, vboxtray.exe, vmusrvc.exe, vmsrvc.exe,
#     qemu-ga.exe, xenservice.exe, python.exe, ProcessHacker.exe,
#     tcpview.exe, autorunsc.exe, autorunsc.exe, idaq.exe, idaq64.exe,
#     HookExplorer.exe, ImportREC.exe, PETools.exe, LordPE.exe, SysInspector.exe

# sid:8000459 - a 14-byte binary exchange on tcp/443, not HTTP, yet the metadata
# declares service http. Under a host-attribute-table (target-based) config
# that key binds the rule to flows identified as HTTP, which would keep it off
# this traffic; consider dropping the service key or naming the service that
# is actually seen.
# Payload layout: dsize:14; "GCRG" at bytes 4-7 (offset:4, depth:4);
# distance:1 skips byte 8; |00 00 02 00| at bytes 9-12; isdataat:!1,relative
# is meant to assert that nothing follows. Bytes 0-3 and 8 are unchecked
# (variable fields, presumably) and byte 13 is not accounted for by the explicit
# matches - confirm the trailing-byte accounting against the test pcap.
# The Notes say variants talk to a fixed set of IPs; an address-based rule
# would complement this payload match but is not part of this batch.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Ditniu outbound connection attempt"; 
flow:to_server,established; dsize:14; content:"GCRG"; offset:4; depth:4; fast_pattern; content:"|00 00 02 00|"; 
distance:1; isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000459; 
rev:1;)

# --------------------
# Date: 2019-01-15
# Title: A Zebrocy Go Downloader
# Reference: https://securelist.com/a-zebrocy-go-downloader/89419/
# Tests: NA
# Yara: NA
# ClamAV: NA

# sid:8000460 - written from the reference only (Tests: NA, Yara: NA, ClamAV:
# NA), so it has no pcap behind it yet. The URI path is presumably copied
# verbatim from the report, "apptication" spelling included; keep it as-is
# rather than "correcting" it, and add a validation pcap before submission.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection 
attempt"; flow:to_server,established; content:"/software-apptication/help-support-apl/getidpolapl.php"; 
fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000460; rev:1;)

