[Emerging-Sigs] Fwd: Dreambot C2 SSL Sigs

Jack Mott jmott at emergingthreats.net
Thu Dec 12 11:01:33 HST 2019


Hi Travis,

Thanks for passing these our way! We will get these in for today's release.

Best,

Jack

On Thu, Dec 12, 2019 at 11:25 AM Travis Green via Emerging-sigs <
emerging-sigs at lists.emergingthreats.net> wrote:

> Hey all, in the process of investigating Dreambot infections, I found some
> undetected SSL certs:
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE
> Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established;
> tls_cert_subject; content:"CN=solomontoosas.xyz"; nocase; fast_pattern;
> isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt,
> CN=Let|27|s Encrypt Authority X3";
> reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,
> twitter.com/w3ndige/status/1199375393297448961;
> classtype:trojan-activity; sid:1003934; rev:1;)
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE
> Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established;
> tls_cert_subject; content:"CN=colordrawyx.xyz"; nocase; fast_pattern;
> isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt,
> CN=Let|27|s Encrypt Authority X3";
> reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,
> twitter.com/w3ndige/status/1199375393297448961;
> classtype:trojan-activity; sid:1003935; rev:1;)
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE
> Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established;
> tls_cert_subject; content:"CN=colordrawyx.xyz"; nocase; fast_pattern;
> isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt,
> CN=Let|27|s Encrypt Authority X3";
> reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,
> twitter.com/w3ndige/status/1199375393297448961;
> classtype:trojan-activity; sid:1003936; rev:1;)
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE
> Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established;
> tls_cert_subject; content:"CN=potronisl.xyz"; nocase; fast_pattern;
> isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt,
> CN=Let|27|s Encrypt Authority X3";
> reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,
> twitter.com/w3ndige/status/1199375393297448961;
> classtype:trojan-activity; sid:1003937; rev:1;)
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE
> Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established;
> tls_cert_subject; content:"CN=pontromosals.xyz"; nocase; fast_pattern;
> isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt,
> CN=Let|27|s Encrypt Authority X3";
> reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,
> twitter.com/w3ndige/status/1199375393297448961;
> classtype:trojan-activity; sid:1003938; rev:1;)
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE
> Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established;
> tls_cert_subject; content:"CN=pontrolimon.xyz"; nocase; fast_pattern;
> isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt,
> CN=Let|27|s Encrypt Authority X3";
> reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,
> twitter.com/w3ndige/status/1199375393297448961;
> classtype:trojan-activity; sid:1003939; rev:1;)
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE
> Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established;
> tls_cert_subject; content:"CN=motylino.xyz"; nocase; fast_pattern;
> isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt,
> CN=Let|27|s Encrypt Authority X3";
> reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,
> twitter.com/w3ndige/status/1199375393297448961;
> classtype:trojan-activity; sid:1003940; rev:1;)
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE
> Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established;
> tls_cert_subject; content:"CN=motorlafd.xyz"; nocase; fast_pattern;
> isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt,
> CN=Let|27|s Encrypt Authority X3";
> reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,
> twitter.com/w3ndige/status/1199375393297448961;
> classtype:trojan-activity; sid:1003941; rev:1;)
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE
> Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established;
> tls_cert_subject; content:"CN=mantoropols.xyz"; nocase; fast_pattern;
> isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt,
> CN=Let|27|s Encrypt Authority X3";
> reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,
> twitter.com/w3ndige/status/1199375393297448961;
> classtype:trojan-activity; sid:1003942; rev:1;)
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE
> Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established;
> tls_cert_subject; content:"CN=janfioooslls.xyz"; nocase; fast_pattern;
> isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt,
> CN=Let|27|s Encrypt Authority X3";
> reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,
> twitter.com/w3ndige/status/1199375393297448961;
> classtype:trojan-activity; sid:1003943; rev:1;)
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE
> Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established;
> tls_cert_subject; content:"CN=golitrops.xyz"; nocase; fast_pattern;
> isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt,
> CN=Let|27|s Encrypt Authority X3";
> reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,
> twitter.com/w3ndige/status/1199375393297448961;
> classtype:trojan-activity; sid:1003944; rev:1;)
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE
> Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established;
> tls_cert_subject; content:"CN=giltipolsfols.xyz"; nocase; fast_pattern;
> isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt,
> CN=Let|27|s Encrypt Authority X3";
> reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,
> twitter.com/w3ndige/status/1199375393297448961;
> classtype:trojan-activity; sid:1003945; rev:1;)
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE
> Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established;
> tls_cert_subject; content:"CN=finogorosod.xyz"; nocase; fast_pattern;
> isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt,
> CN=Let|27|s Encrypt Authority X3";
> reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,
> twitter.com/w3ndige/status/1199375393297448961;
> classtype:trojan-activity; sid:1003946; rev:1;)
>
> Ran them for a couple of days with no FP.
> -T
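The rules in the quoted post all match on two sticky buffers: the certificate subject (a `content` with `nocase`, `fast_pattern` and `isdataat:!1,relative`, which pins the CN to the very end of the subject string) and the certificate issuer (an exact `content` with the `|27|` hex escape standing in for the apostrophe in "Let's Encrypt"). As an added example, not code from the original post or from Emerging Threats, the Python below parses exactly those option keywords out of the first rule (sid:1003934, joined onto one line) and applies them to constructed subject/issuer pairs, so you can see which certificates the rule would and would not fire on. The option splitter, the buffer names as dictionary keys and the sample certificates are assumptions of the example; it ignores every other rule keyword.

```python
"""Minimal evaluator for the tls_cert_subject / tls_cert_issuer options used by the
Dreambot certificate rules in this thread.  Added example, not code from the original
post or from Emerging Threats; it handles only content, nocase, fast_pattern and
isdataat:!1,relative and ignores the remaining rule keywords."""
import re

# First rule from the thread (sid:1003934), joined onto a single line.
RULE = (
    'alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG MALWARE '
    'Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; '
    'tls_cert_subject; content:"CN=solomontoosas.xyz"; nocase; fast_pattern; '
    'isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let|27|s Encrypt, '
    'CN=Let|27|s Encrypt Authority X3"; '
    'reference:md5,74487b631e5688ad6affdd23340563bd; '
    'reference:url,twitter.com/w3ndige/status/1199375393297448961; '
    'classtype:trojan-activity; sid:1003934; rev:1;)'
)

STICKY_BUFFERS = {"tls_cert_subject", "tls_cert_issuer"}


def decode_content(raw):
    """Turn a rule content string into bytes, expanding |hex| escapes
    (|27| is the apostrophe in "Let's Encrypt")."""
    out = bytearray()
    for i, piece in enumerate(raw.split("|")):
        if i % 2 == 0:
            out += piece.encode()          # literal text
        else:
            out += bytes.fromhex(piece.replace(" ", ""))  # hex bytes
    return bytes(out)


def parse_rule(rule):
    """Return (sid, checks); each check is one content bound to a sticky buffer."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    # Split on ';' only when an even number of quotes follows (i.e. outside a string).
    opts = [o.strip() for o in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body) if o.strip()]
    checks, buf, sid = [], None, None
    for opt in opts:
        key, _, val = opt.partition(":")
        if key in STICKY_BUFFERS:
            buf = key                      # following contents apply to this buffer
        elif key == "content" and buf:
            checks.append({"buffer": buf, "pattern": decode_content(val.strip('"')),
                           "nocase": False, "at_end": False})
        elif key == "nocase" and checks:
            checks[-1]["nocase"] = True
        elif key == "isdataat" and val.replace(" ", "") == "!1,relative" and checks:
            # "no byte after the previous match": the content must end the buffer
            checks[-1]["at_end"] = True
        elif key == "sid":
            sid = int(val)
    return sid, checks


def check_matches(check, data):
    pat = check["pattern"]
    if check["nocase"]:
        pat, data = pat.lower(), data.lower()
    return data.endswith(pat) if check["at_end"] else pat in data


def rule_matches(rule, subject, issuer):
    """True when every buffer check passes for the given certificate strings."""
    _, checks = parse_rule(rule)
    buffers = {"tls_cert_subject": subject.encode(), "tls_cert_issuer": issuer.encode()}
    return all(check_matches(c, buffers[c["buffer"]]) for c in checks)


# Constructed sample certificates (not real observations).
LE_ISSUER = "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
SAMPLES = [
    ("CN=solomontoosas.xyz", LE_ISSUER),                              # the C2 cert
    ("CN=SOLOMONTOOSAS.XYZ", LE_ISSUER),                              # nocase still fires
    ("CN=solomontoosas.xyz.example.org", LE_ISSUER),                  # isdataat:!1 rejects
    ("CN=solomontoosas.xyz", "C=US, O=Example CA, CN=Example Root"),  # issuer mismatch
]


def evaluate_samples(rule=RULE, samples=SAMPLES):
    """Evaluate the rule against each sample; returns a list of booleans."""
    return [rule_matches(rule, s, i) for s, i in samples]


if __name__ == "__main__":
    for (subject, issuer), hit in zip(SAMPLES, evaluate_samples()):
        print(f"{'ALERT' if hit else 'pass '}  subject={subject!r}")
```

Running it prints `ALERT` for the first two samples and `pass` for the other two: the `isdataat:!1,relative` negation is what keeps a longer CN that merely starts with the malicious name from matching, and the issuer content means a certificate for the same CN from a different CA is not flagged. When loading the quoted rules into a sensor, note that sid:1003935 and sid:1003936 carry the same `CN=colordrawyx.xyz`, so one of the two is a duplicate as posted.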