[Emerging-Sigs] Clipper/Stealer

Attack Detection attackdetectionteam at gmail.com
Sun Aug 4 11:44:49 HDT 2019


Hey. There is a proposal to turn off signatures with these numbers and
instead add fairly relevant ones using the same magic in detection.

sid:2024772 Malicious SSL connection (Upatre Downloader CnC)
sid:2024773
sid:2024774
sid:2024775
sid:2024776
sid:2024777
sid:2024778

#################### MASAD Clipper/Stealer

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "ET TROJAN [PTsecurity] Telegram SSL certificate"; flow:established,from_server; content: "|550403|"; depth: 3000; content: "|10|api.telegram.org0"; distance: 1; within: 18; flowbits: noalert; flowbits: set, FB936485_; metadata: id_936485,; metadata: created_at 2019_04_28, updated_at 2019_07_25; classtype: trojan-activity; sid: 11004664; rev: 1;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "ET TROJAN [PTsecurity] MASAD/QULAB Clipper/Stealer pkt checker #0"; flow: established, to_server; content: "|1703|"; depth:2; content: "|00F0|"; distance:1; within:2; fast_pattern; dsize: 245; stream_size: server, >,5568; stream_size: server, <,6798; stream_size: client, >,399; stream_size: client, <,18691; flowbits: noalert; flowbits: isset, FB936485_; flowbits: unset, FB936485_; flowbits: set, FB936485_0; metadata: autosign, id_936485,; metadata: created_at 2019_04_28, updated_at 2019_07_25; classtype: trojan-activity; sid: 11004665; rev: 1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "ET TROJAN [PTsecurity] MASAD/QULAB Clipper/Stealer pkt checker #1"; flow: established, to_client; content: "|1703|"; depth:2; byte_test: 2, >=,512, 1, relative; byte_test: 2, <=,528, 1, relative; stream_size: server, >,6085; stream_size: server, <,6798; stream_size: client, >,399; stream_size: client, <,18691; flowbits: noalert; flowbits: isset, FB936485_0; flowbits: unset, FB936485_0; flowbits: set, FB936485_1; metadata: autosign, id_936485,; metadata: created_at 2019_04_28, updated_at 2019_07_25; classtype: trojan-activity; sid: 11004666; rev: 1;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "ET TROJAN [PTsecurity] MASAD/QULAB Clipper/Stealer pkt checker #2"; flow: established, to_server; content: "|1703|"; depth:2; content: "|01D0|"; distance:1; within:2; fast_pattern; dsize: 469; stream_size: server, >,6085; stream_size: server, <,6798; stream_size: client, >,868; stream_size: client, <,18691; flowbits: noalert; flowbits: isset, FB936485_1; flowbits: unset, FB936485_1; flowbits: set, FB936485_2; metadata: autosign, id_936485,; metadata: created_at 2019_04_28, updated_at 2019_07_25; classtype: trojan-activity; sid: 11004667; rev: 1;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "ET TROJAN [PTsecurity] MASAD/QULAB Clipper/Stealer Exfiltration by Telegram"; flow: established, to_server; content: "|1703|"; depth:2; content: "|4020|"; distance:1; within:2; fast_pattern; stream_size: server, >,6085; stream_size: server, <,23214; stream_size: client, >,2074; stream_size: client, <,35107; flowbits: isset, FB936485_2; flowbits: unset, FB936485_2; metadata: autosign, id_936485,; metadata: created_at 2019_04_28, updated_at 2019_07_25; classtype: trojan-activity; sid: 11004668; rev: 1;)


https://content.any.run/tasks/140bb7b3-3b50-4d62-8eb4-2159bc9387c8/download/pcap
https://content.any.run/tasks/be048e4f-829c-435c-ad70-3a4ad7a50843/download/pcap
https://content.any.run/tasks/164150a6-a5c8-4161-8bc0-0f52fddb6c9b/download/pcap
https://content.any.run/tasks/50eb049e-d719-43c5-8d64-c0b364fd36b0/download/pcap
https://content.any.run/tasks/d9528eb5-b858-4a39-a747-c3a5b5d7d556/download/pcap
https://content.any.run/tasks/1f8d3b8e-9289-475e-9713-0b2b26110541/download/pcap
https://content.any.run/tasks/ce914869-37d3-468c-ba9f-a79d0cf80c65/download/pcap
https://content.any.run/tasks/21797a2a-dbdb-460a-bbd9-ac48dd796584/download/pcap
https://content.any.run/tasks/2eb7f565-9f41-46cf-a15b-f9e0ae12a03f/download/pcap

Best regards,
John.
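The five rules above only work as a chain: each "pkt checker" requires the flowbit left by the previous rule, checks one TLS record header plus the bytes each side has sent so far, and hands a new flowbit to the next rule, so only the last rule ever alerts. As an added example, not part of the post or of the PTsecurity rule set, the following Python re-implements that chain as a per-flow state machine and drives it over a constructed TLS exchange, so the record-length and stream_size conditions can be checked outside Suricata. It assumes (neither is stated in the post) that stream_size counts the bytes each side has sent including the packet being inspected, and that the packet direction is known; the sample packets are constructed filler, not captured traffic.

```python
# Added example: emulation of the MASAD/QULAB flowbit chain (sids 11004664-11004668).
# Not from the original post. Assumptions: stream_size includes the current packet's
# bytes, direction is known per packet, and all sample packets below are constructed.
import struct
from dataclasses import dataclass, field

SERVER, CLIENT = "server", "client"
TELEGRAM_CN = b"\x10api.telegram.org0"   # len(16) + name + 0x30 tag of the next SEQUENCE
EXFIL_MSG = "ET TROJAN [PTsecurity] MASAD/QULAB Clipper/Stealer Exfiltration by Telegram"


@dataclass
class Flow:
    """The per-flow state the rules depend on: flowbits and bytes sent per side."""
    flowbits: set = field(default_factory=set)
    sent: dict = field(default_factory=lambda: {SERVER: 0, CLIENT: 0})


def is_app_data(payload: bytes) -> bool:
    # content:"|1703|"; depth:2  -> TLS application-data record, major version 3
    return payload[:2] == b"\x17\x03"


def record_len(payload: bytes) -> int:
    # bytes 3..4 of the record header, big-endian (byte_test: 2, ..., 1, relative)
    return struct.unpack(">H", payload[3:5])[0]


def in_range(n: int, lo: int, hi: int) -> bool:
    # stream_size: side, >,lo; stream_size: side, <,hi  -> both bounds are strict
    return lo < n < hi


def telegram_cert(payload: bytes) -> bool:
    """sid 11004664: commonName OID 55 04 03 ending within the first 3000 bytes,
    one skipped byte (the UTF8String tag 0x0c), then the 18-byte Telegram name.
    distance:1 plus within:18 for an 18-byte pattern pins it right after the tag."""
    idx = payload.find(b"\x55\x04\x03", 0, 3000)
    while idx != -1:
        if payload[idx + 4: idx + 22] == TELEGRAM_CN:
            return True
        idx = payload.find(b"\x55\x04\x03", idx + 1, 3000)
    return False


def step(flow: Flow, direction: str, payload: bytes):
    """Apply the chain to one packet; return the msg of the rule that alerts, if any."""
    flow.sent[direction] += len(payload)
    srv, cli = flow.sent[SERVER], flow.sent[CLIENT]
    fb = flow.flowbits

    if direction == SERVER and telegram_cert(payload):
        fb.add("FB936485_")                     # sid 11004664, flowbits: noalert
        return None
    if not is_app_data(payload):
        return None
    rlen = record_len(payload)

    # sid 11004665: 240-byte client record in a 245-byte packet (dsize: 245)
    if (direction == CLIENT and len(payload) == 245 and rlen == 0x00F0
            and in_range(srv, 5568, 6798) and in_range(cli, 399, 18691)
            and "FB936485_" in fb):
        fb.discard("FB936485_"); fb.add("FB936485_0")
        return None
    # sid 11004666: server record between 512 and 528 bytes (byte_test pair)
    if (direction == SERVER and 512 <= rlen <= 528
            and in_range(srv, 6085, 6798) and in_range(cli, 399, 18691)
            and "FB936485_0" in fb):
        fb.discard("FB936485_0"); fb.add("FB936485_1")
        return None
    # sid 11004667: 464-byte client record in a 469-byte packet (dsize: 469)
    if (direction == CLIENT and len(payload) == 469 and rlen == 0x01D0
            and in_range(srv, 6085, 6798) and in_range(cli, 868, 18691)
            and "FB936485_1" in fb):
        fb.discard("FB936485_1"); fb.add("FB936485_2")
        return None
    # sid 11004668: 16416-byte client record; the only rule without noalert
    if (direction == CLIENT and rlen == 0x4020
            and in_range(srv, 6085, 23214) and in_range(cli, 2074, 35107)
            and "FB936485_2" in fb):
        fb.discard("FB936485_2")
        return EXFIL_MSG
    return None


def run(packets):
    """Feed (direction, payload) pairs through one flow; return the alerts raised."""
    flow, alerts = Flow(), []
    for direction, payload in packets:
        msg = step(flow, direction, payload)
        if msg:
            alerts.append(msg)
    return alerts


def tls_record(length: int) -> bytes:
    """Constructed application-data record: header plus `length` bytes of filler."""
    return b"\x17\x03\x03" + struct.pack(">H", length) + b"\x00" * length


# Constructed server Certificate packet (5900 bytes) carrying CN=api.telegram.org.
CERT_PACKET = (b"\x16\x03\x03\x17\x07" + b"\x30" * 200
               + b"\x55\x04\x03\x0c\x10api.telegram.org\x30").ljust(5900, b"\x00")

# Constructed exchange that satisfies every stage: sizes chosen to fit the windows.
SAMPLE_EXCHANGE = [
    (CLIENT, b"\x16\x03\x01" + b"\x00" * 514),            # ClientHello, 517 bytes
    (SERVER, CERT_PACKET),                                # server total 5900
    (CLIENT, tls_record(0x00F0)),                         # 245 bytes, client total 762
    (SERVER, tls_record(520)),                            # 525 bytes, server total 6425
    (CLIENT, tls_record(0x01D0)),                         # 469 bytes, client total 1231
    (CLIENT, b"\x17\x03\x03\x40\x20" + b"\x00" * 1455),   # first segment of a 16416-byte record
]

if __name__ == "__main__":
    print(run(SAMPLE_EXCHANGE))                           # one alert, sid 11004668
    print(run(SAMPLE_EXCHANGE[:4] + SAMPLE_EXCHANGE[5:])) # chain broken: no alert
```

Dropping any one stage (the second `run` call omits the 469-byte packet) leaves the last rule without its flowbit and nothing fires, which is the point of the chain: the same three-stage size fingerprint on a benign Telegram session would also have to pass the stream_size windows in order. Keep in mind that real stream_size values are derived from TCP sequence numbers and are off by the SYN's one byte relative to this byte count.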