topic Re: Moriagent malware in General Topics

Moriagent malware

Jafar_Hussain — Wed, 08 Jul 2020 17:53:50 GMT

Dear Team,

I don't have much idea about Moriagent malware, i got an instruction i need to create a rule or block this malware

How to stop MortiAgent Malware using snort rule?

I want to stop the MoriAgent malware by applying /using snort rule.

How to configure this in Palo alto ?

Below are snort rule.

1. The below SNORT rule can be used to detect the MoriAgent Beacon.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:" MoriAgent Beacon
HTTP Request"; content:"/Index.php?i="; depth:200; content:"&t="; within:64;
content:"HTTP/1.1"; within:64; content:"Content-Type: application/json"; within:32;
content:"Content-Length: 0"; within:90; threshold:type limit,track by_src,count
1,seconds 120; sid:1000001; rev:001;)

Can anyone help me to understand what I need to do, I searched about this but didn't get much information.

Re: Moriagent malware

BPry — Wed, 08 Jul 2020 19:42:01 GMT

@Jafar_Hussain,

Check the Threat Vault at the link below for Morti and there's already two antivirus signatures for MortiAgent and a WildFire signature. If you don't find that suitable defense you'll need to look into creating your own custom threat signature.

Custom Threat Signature

Threat Vault

Re: Moriagent malware

Jafar_Hussain — Wed, 08 Jul 2020 20:40:52 GMT

@BPry

Thanks for the information.

I was unable to find MortiAgent in the PAN threat vault

It is mandatory to create a custom signature for Mortiagent malware.

I have gone through the documents which you provided. if i will create a customer signature what is the threat id we need to use.

Re: Moriagent malware

BPry — Thu, 09 Jul 2020 04:19:59 GMT

@Jafar_Hussain,

The threat ID you select doesn't matter, as long as it's within the available range. Some people make enough to actually create a format for numbering their custom IDs, others don't follow one and simply increment with each entry.

Re: Moriagent malware

Jafar_Hussain — Thu, 09 Jul 2020 05:12:50 GMT

@BPry

Thank you for the information, i will check this.

Re: Moriagent malware

OtakarKlier — Thu, 09 Jul 2020 19:46:46 GMT

Hello,

Make sure your PAN objects are setup for AntiVirus, AntiSpyware, URL Filtering, WildFire, and DNS Sink hole. Then make sure they are applied to all inbound/outbound policies so the traffic is inspected. Also make sure your PAN has the latest Dynamic signatures.

Having the PAN setup for this is a great way to dynamically block malicious traffic. Along with your other products, i.e. desktop antivirus, etc.

Regards,

Re: Moriagent malware

Jafar_Hussain — Fri, 10 Jul 2020 06:58:38 GMT

@OtakarKlier

Thank you for your reply. i have found two signature of mortiagent malware below is the snap:-

Apart from this. it is a mandatory to create a custom signature?

Re: Moriagent malware

OtakarKlier — Fri, 10 Jul 2020 15:22:15 GMT

Hello,

If you have all the other security features turned on and dynamic updates working and up to date. I would say you are good, however check the endpoint AV and make sure its working and maybe even run a full scan.

Regards,

Re: Moriagent malware

Jafar_Hussain — Fri, 10 Jul 2020 17:29:43 GMT

@OtakarKlier

Thank you for the valuable information.

Re: Moriagent malware

Jafar_Hussain — Tue, 14 Jul 2020 10:59:32 GMT

@OtakarKlier @BPry

I got the instruction from the gov. i need to create a custom signature for Mortiagent. They have sent some files.

In the files, there is some IOC's:-

1 - Host base indicator( Which is mentioned some MD5 and SHA values)

2 - Network base indicator( Which is mentioned in some IP address list).

To create a custom signature which pattern and references i need to choose ? below is the snort rule:-

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:" MoriAgent Beacon HTTP Request"; content:"/Index.php?i="; depth:200; content:"&t="; within:64; content:"HTTP/1.1"; within:64; content:"Content-Type: application/json"; within:32; content:"Content-Length: 0"; within:90; threshold:type limit,track by_src,count

1,seconds 120; sid:1000001; rev:001;)

- For the IP address, i need to create an EDL to block all the IP's?

Thank you in advance.

Re: Moriagent malware

OtakarKlier — Wed, 15 Jul 2020 15:14:50 GMT

Hello,

If its a 'White' IOC notice, I wouldnt worry about it but I guess a EDL or a special policy with a block for those IP's would do.

Regards,

Re: Moriagent malware

Jafar_Hussain — Wed, 15 Jul 2020 17:31:40 GMT

@OtakarKlier

Thanks. i have found the pattern of the signature.

(/Index.php?i= and &t and HTTP/1.1 and Content-Type: application/json)

In the custom signature which condition i need to follow "And" condition "OR" condition. and for the qualifier which information i need to add.