[Emerging-Sigs] SIGS: Multiple APT.Backdoor Sigs (APT12 Fireeye/Arbor)

Kevin Ross kevross33 at googlemail.com
Thu Sep 4 04:18:15 EDT 2014


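# W32/Hightide (APT12) HTTP beacon. Matches a GET whose URI begins with "/?"
# (depth:2), a spoofed "Referer: http://www.google.com/" header, a fixed
# MSIE 8.0 / Trident/5.0 User-Agent, and a Host header that is a bare
# dotted-quad IPv4 address (no domain name).
# Content matches are case-sensitive: the lowercase "windows NT" in the
# User-Agent differs from the stock MSIE string and is presumably copied
# verbatim from the sample, so it is a strong fingerprint - verify against
# a capture before changing its case.
# The rule as posted was wrapped across several lines by the mailing-list
# archive; it is rejoined onto one line here so it loads from a rules file.
# NOTE(review): the Host pcre is evaluated against the raw payload with /sm
# rather than the normalized header buffer (H modifier) - confirm intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Hightide.APT Backdoor CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/?"; http_uri; depth:2; content:"Referer|3A| http|3A|//www.google.com/|0D 0A|"; http_header; fast_pattern:13,18; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 8.0|3B| windows NT 5.1|3B| Trident/5.0)"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/sm"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; sid:198381; rev:1;)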

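# W32/Riptide (APT12) HTTP beacon. Same header fingerprint as the Hightide
# rule (spoofed google.com Referer, MSIE 8.0 / Trident/5.0 User-Agent with
# lowercase "windows NT", bare IPv4 Host), but the URI must be exactly
# "/image/<name>.jpg" with no further path component (pcre anchored with ^
# and $ on the normalized URI buffer, U flag).
# fast_pattern:13,18 selects the "://www.google.com/" portion of the Referer
# content for the fast matcher.
# The rule as posted was wrapped across several lines by the mailing-list
# archive; it is rejoined onto one line here so it loads from a rules file
# ("http|3A|//" and "www.google.com/" were split mid-token and are joined
# without a space, matching the unwrapped Referer content in sid 198381).
# NOTE(review): the Host pcre is evaluated against the raw payload with /sm
# rather than the normalized header buffer (H modifier) - confirm intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Riptide.APT Backdoor CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/image/"; http_uri; depth:7; pcre:"/^\x2Fimage\x2F[^\x2F]*\x2Ejpg$/U"; content:"Referer|3A| http|3A|//www.google.com/|0D 0A|"; http_header; fast_pattern:13,18; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 8.0|3B| windows NT 5.1|3B| Trident/5.0)"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/sm"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; reference:url,www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf; sid:198382; rev:1;)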

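# W32/Threebyte (APT12) HTTP beacon. Matches a GET with NO Referer header
# (negated http_header content), a URI starting with "/UID" (depth:4) and
# containing ".jsp?", followed by two raw-payload contents: the request-line
# tail plus User-Agent and the start of the Host header, then the
# "Connection: Keep-Alive" header and end-of-headers CRLFCRLF.
# Fix: the second raw content was missing its opening quote
# (content:|0D 0A|Connection...), which is a parse error; it is now quoted.
# The rule as posted was also wrapped across several lines by the
# mailing-list archive; it is rejoined onto one line here.
# NOTE(review): "HTTP/1.1 User-Agent|3A|" has a space between the request
# line and the User-Agent header; in a well-formed request they are
# separated by CRLF, so confirm this is what the sample actually sends.
# NOTE(review): the two raw contents are not relative to each other (no
# distance/within) and are not bound to an HTTP buffer, so the Connection
# content may match anywhere in the payload - confirm intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Threebyte.APT Backdoor CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:!"Referer|3A|"; http_header; content:"/UID"; fast_pattern; http_uri; depth:4; content:".jsp?"; http_uri; content:"HTTP/1.1 User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 8.0|3B| windows NT 5.1|3B| Trident/5.0)|0D 0A|Host|3A| "; content:"|0D 0A|Connection|3A| Keep-Alive|0D 0A 0D 0A|"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; sid:198383; rev:1;)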

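# W32/Waterspout (APT12) HTTP beacon. No method constraint; the URI must
# contain ".php?" followed three bytes later by "_id=" (distance:3;within:4),
# and the anchored URI pcre pins the full shape
# "/<dir>/<5 digits>/<4 letters>.php?<3 letters>_id=<1 letter>=". A raw
# content then requires the request line to end right after that "=" and
# to be followed by a fixed Accept header and an MSIE 8.0 / Windows NT 6.1
# User-Agent up to the start of the Host header.
# The User-Agent here looks like a common stock MSIE 8.0 string, so the URI
# pcre carries most of the specificity; keep it if the rule is tuned.
# The rule as posted was wrapped across several lines by the mailing-list
# archive (breaks inside the Accept and User-Agent strings fell on spaces);
# it is rejoined onto one line here so it loads from a rules file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Waterspout.APT Backdoor CnC Beacon"; flow:established,to_server; content:".php?"; http_uri; content:"_id="; fast_pattern; http_uri; distance:3; within:4; content:"= HTTP/1.1|0D 0A|Accept|3A| image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*|0D 0A|User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| .NET4.0C|3B| .NET4.0E)|0D 0A|Host|3A 20|"; pcre:"/^\x2F[^\x2F]*\x2F\d{5}\x2F[a-z]{4}\x2Ephp\x3F[a-z]{3}\x5Fid\x3D[a-z]\x3D$/Ui"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; sid:198384; rev:1;)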

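# W32/Etumbot (APT12) HTTP beacon. Same header fingerprint as sids 198381
# and 198382 (spoofed google.com Referer, MSIE 8.0 / Trident/5.0 User-Agent
# with lowercase "windows NT", bare IPv4 Host); the URI must be exactly
# "/history/<name>.asp" (anchored pcre on the normalized URI buffer).
# Fixes relative to the posted rule:
#  - the header was missing the direction operator ("$HOME_NET any
#    $EXTERNAL_NET $HTTP_PORTS"), which does not parse; "->" is restored,
#    matching the other four rules.
#  - "GET" was bound to http_uri; the method lives in the method buffer, so
#    that content could never match. It is now http_method, consistent with
#    sids 198381-198383.
# The rule as posted was also wrapped across several lines by the
# mailing-list archive; it is rejoined onto one line here.
# NOTE(review): the Host pcre is evaluated against the raw payload with /sm
# rather than the normalized header buffer (H modifier) - confirm intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Etumbot.APT Backdoor CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/history/"; http_uri; depth:9; fast_pattern; content:".asp"; http_uri; pcre:"/^\x2Fhistory\x2F[^\x2F]*\x2Easp$/U"; content:"Referer|3A| http|3A|//www.google.com/|0D 0A|"; http_header; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 8.0|3B| windows NT 5.1|3B| Trident/5.0)"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/sm"; classtype:trojan-activity; reference:url,www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf; sid:198385; rev:1;)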

Kind Regards,
Kevin Ross

