[Emerging-Sigs] Fwd: Dreambot C2 SSL Sigs

Travis Green travis.green at protectwise.com
Thu Dec 12 08:21:02 HST 2019


Hey all, in the process of investigating Dreambot infections, I found some
undetected SSL certs:

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=solomontoosas.xyz"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:1003934; rev:1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=colordrawyx.xyz"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:1003935; rev:1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=colordrawyx.xyz"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:1003936; rev:1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=potronisl.xyz"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:1003937; rev:1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=pontromosals.xyz"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:1003938; rev:1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=pontrolimon.xyz"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:1003939; rev:1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=motylino.xyz"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:1003940; rev:1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=motorlafd.xyz"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:1003941; rev:1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=mantoropols.xyz"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:1003942; rev:1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=janfioooslls.xyz"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:1003943; rev:1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=golitrops.xyz"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:1003944; rev:1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=giltipolsfols.xyz"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:1003945; rev:1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=finogorosod.xyz"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:trojan-activity; sid:1003946; rev:1;)

Ran them for a couple of days with no FP.
-T
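The rules above all use the same shape: a sticky `tls_cert_subject` buffer with a `nocase` CN match pinned to the end of the subject by `isdataat:!1,relative`, then a plain `tls_cert_issuer` substring match on the Let's Encrypt X3 issuer (the `|27|` is Suricata's hex escape for the apostrophe). A reviewer of a batch like this also wants to know whether any sids collide or whether two sids match the same certificate, as sid:1003935 and sid:1003936 both do for CN=colordrawyx.xyz. The script below is an added example, not part of the post or of Emerging Threats tooling: it parses single-line rules of this shape, expands hex escapes, emulates the subject/issuer match semantics, and lints a batch for duplicate sids and duplicate subject matches. The sample rules and certificate names (`*.example.invalid`, sids 9000001 onward) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample rules in the same shape as the posted ones; the second and
# third deliberately share a subject CN under two different sids, mirroring the
# sid:1003935 / sid:1003936 pair in the post.
SAMPLE_RULES = r'''
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Malicious SSL Cert (alpha)"; flow:from_server,established; tls_cert_subject; content:"CN=alpha.example.invalid"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; classtype:trojan-activity; sid:9000001; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Malicious SSL Cert (beta)"; flow:from_server,established; tls_cert_subject; content:"CN=beta.example.invalid"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; classtype:trojan-activity; sid:9000002; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Malicious SSL Cert (beta)"; flow:from_server,established; tls_cert_subject; content:"CN=beta.example.invalid"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; classtype:trojan-activity; sid:9000003; rev:1;)
'''

# One rule option: name, optional ":value" (quoted or bare), terminated by ';'.
OPTION_RE = re.compile(r'\s*([\w.]+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')
# Suricata hex escape inside a content string, e.g. |27| for an apostrophe.
HEX_RE = re.compile(r'\|([0-9a-fA-F ]+)\|')


def decode_content(value):
    """Strip the quotes from a content value and expand |xx xx| hex runs."""
    value = value.strip('"')
    return HEX_RE.sub(lambda m: bytes.fromhex(m.group(1)).decode('latin-1'), value)


def parse_rule(line):
    """Parse one single-line rule into the fields the linter and matcher need.

    Only the subject/issuer sticky buffers are tracked; every other option
    (flow, references, classtype, ...) is skipped.
    """
    start, end = line.index('('), line.rindex(')')
    rule = {'sid': None, 'subject': None, 'issuer': None,
            'subject_nocase': False, 'subject_anchored': False}
    buffer = None   # sticky buffer that the next content: applies to
    last = None     # buffer the most recent content: went into (for modifiers)
    for name, value in OPTION_RE.findall(line[start + 1:end]):
        if name in ('tls_cert_subject', 'tls_cert_issuer'):
            buffer = name.split('_')[-1]          # 'subject' or 'issuer'
        elif name == 'content' and buffer:
            rule[buffer] = decode_content(value)
            last = buffer
        elif name == 'nocase' and last:
            rule[last + '_nocase'] = True
        elif name == 'isdataat' and value.strip() == '!1,relative' and last:
            rule[last + '_anchored'] = True       # no byte may follow the match
        elif name == 'sid':
            rule['sid'] = int(value)
    return rule


def matches(rule, subject, issuer):
    """Emulate the rule's match logic on a decoded certificate subject and issuer.

    content + nocase + isdataat:!1,relative on the subject means the CN string
    occurs case-insensitively with nothing after it, i.e. the subject ends with
    it, so "CN=x.example.invalid" does not fire on "CN=x.example.invalid.other".
    The issuer content carries neither modifier, so it is a plain case-sensitive
    substring match.
    """
    needle, hay = rule['subject'], subject
    if rule['subject_nocase']:
        needle, hay = needle.lower(), hay.lower()
    subject_ok = hay.endswith(needle) if rule['subject_anchored'] else needle in hay
    return subject_ok and rule['issuer'] in issuer


def lint(rule_text):
    """Parse a batch of rules; return (rules, findings) where findings lists
    duplicate sids and distinct sids that match the same subject."""
    rules = [parse_rule(l) for l in rule_text.splitlines() if l.startswith('alert ')]
    by_sid, by_subject = defaultdict(list), defaultdict(list)
    for r in rules:
        by_sid[r['sid']].append(r)
        by_subject[(r['subject'] or '').lower()].append(r['sid'])
    findings = []
    for sid, rs in by_sid.items():
        if len(rs) > 1:
            findings.append(f'duplicate sid {sid} used {len(rs)} times')
    for subj, sids in by_subject.items():
        if len(sids) > 1:
            findings.append(f'{subj!r} matched by more than one sid: {sorted(sids)}')
    return rules, findings


if __name__ == '__main__':
    parsed, problems = lint(SAMPLE_RULES)
    for p in problems:
        print('finding:', p)
    issuer = "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
    print(matches(parsed[0], 'CN=ALPHA.example.invalid', issuer))        # True
    print(matches(parsed[0], 'CN=alpha.example.invalid.other', issuer))  # False
```

Run against the rules in the post (after joining each onto one line) the same linter reports the colordrawyx.xyz pair; the matcher is useful for sanity-checking a new rule's CN against real subject strings from your own TLS logs before deploying it.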