Snort Signatures for LuckyCat APT Campaign

The Trend Micro blog published a paper titled Luckycat Redux, which looked into the activities of the Luckycat APT campaign. As per the report, the LuckyCat campaign targeted a diverse set of industries, including aerospace, shipping, energy, military, engineering and Tibetan activists, using a variety of malware. Trend was able to trace the sources of the attack back to China.

Below are their key findings:

  • Targeted emails that are contextually relevant (i.e., emails containing a decoy document of radiation dose measurement results sent some time after the Great East Japan Earthquake)
  • Exploited CVE-2010-3333 (aka Rich Text Format [RTF] Stack Buffer Overflow Vulnerability) in several instances, although Adobe Reader and Flash Player vulnerabilities were also exploited
  • Used TROJ_WIMMIE or VBS_WIMMIE, malware that takes advantage of the Windows Management Instrumentation (WMI), making the backdoor component undetectable through file scanning
  • The WIMMIE malware, once inside the network, connects to a command-and-control (C&C) server via HTTP over port 80
  • Attackers heavily used free web-hosting services to host their C&C servers under a diverse set of domain names but also used virtual private servers (VPSs) for more stable operations.

Based on their detection logic, I have developed three simple Snort signatures to detect the C&C server check-in attempt (a POST to count.php with an m=c, m=w or m=d parameter).

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Potential LuckyCat Checkin to C&C server."; flow:established,to_server; content:"POST"; nocase; http_method; content:"count.php?m=c&n="; http_uri; nocase; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; classtype:misc-activity; sid:1000032; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Potential LuckyCat Checkin to C&C server."; flow:established,to_server; content:"POST"; nocase; http_method; content:"count.php?m=w&n="; http_uri; nocase; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; classtype:misc-activity; sid:1000033; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Potential LuckyCat Checkin to C&C server."; flow:established,to_server; content:"POST"; nocase; http_method; content:"count.php?m=d&n="; http_uri; nocase; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; classtype:misc-activity; sid:1000034; rev:1;)
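To show what the three signatures actually decide on, here is an added example (my own code, not from the original post or from Trend Micro) that replays the http_method and http_uri conditions of the rules above in Python over a handful of constructed request lines, and also checks the same lines against one consolidated regex (`count\.php\?m=[cwd]&n=`, an assumed form of the PCRE the rules could be merged into). The sample request lines, hostnames and sids-to-content mapping are taken from or made up around the rules on this page; the flow, port and fast_pattern conditions are not modelled.

```python
import re

# Constructed sample HTTP request lines for exercising the detection logic.
# These are not captured traffic; hostnames and parameter values are made up.
SAMPLE_REQUESTS = [
    "POST /count.php?m=c&n=WORKSTATION-01 HTTP/1.1",   # check-in, m=c
    "POST /stats/count.php?m=w&n=abc123 HTTP/1.1",     # check-in, m=w, deeper path
    "post /Count.PHP?m=d&n=xyz HTTP/1.1",              # mixed case, m=d
    "GET /count.php?m=c&n=WORKSTATION-01 HTTP/1.1",    # GET: the rules require POST
    "POST /count.php?m=x&n=foo HTTP/1.1",              # unknown m value: no rule
    "POST /index.php?page=1 HTTP/1.1",                 # benign request
]

# The http_uri content string of each of the three signatures, keyed by sid.
RULE_CONTENTS = {
    1000032: "count.php?m=c&n=",
    1000033: "count.php?m=w&n=",
    1000034: "count.php?m=d&n=",
}

# Hypothetical consolidated pattern covering all three m values; this is the
# assumed shape of a single pcre:"/count\.php\?m=[cwd]&n=/Ui" rule option.
COMBINED_PATTERN = re.compile(r"count\.php\?m=[cwd]&n=", re.IGNORECASE)


def parse_request_line(line):
    """Split an HTTP request line into (method, uri); the version is ignored."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % line)
    return parts[0], parts[1]


def match_rules(line):
    """Return the sids whose http_method/http_uri conditions the line satisfies.

    Mirrors the rules: the method must be POST (nocase) and the URI must
    contain the rule's content string (nocase).
    """
    method, uri = parse_request_line(line)
    if method.upper() != "POST":
        return []
    return sorted(sid for sid, needle in RULE_CONTENTS.items()
                  if needle.lower() in uri.lower())


def match_combined(line):
    """Same decision, taken with the single consolidated regex instead."""
    method, uri = parse_request_line(line)
    return method.upper() == "POST" and COMBINED_PATTERN.search(uri) is not None


def scan(lines):
    """Map each request line to the list of sids it would trigger."""
    return {line: match_rules(line) for line in lines}


if __name__ == "__main__":
    for line, sids in scan(SAMPLE_REQUESTS).items():
        print("%-48s -> %s (combined: %s)"
              % (line, sids or "no alert", match_combined(line)))
```

Two things worth noticing when running it: a GET to the same path and an unknown m value both fall through, which is exactly the behaviour of the three content matches, and the case-insensitive comparison stands in for nocase only; Snort additionally runs its own URI normalisation (the U modifier in the assumed pcre) before http_uri matching, which this script does not reproduce.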


Please note that these signatures can be improved using PCRE, and I will update them as soon as I have them optimized. Till then..


Stay Safe!!


Reference:


This entry was posted on Friday, March 30th, 2012 at 5:37 am and is filed under Information Security, Snort Signature.