Weekly Detection Rule (YARA and Snort) Information – Week 3, July 2024
The following is the information on YARA and Snort rules (week 3, July 2024) collected and shared by the AhnLab TIP service.
- 14 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| PK_Coinbase_haxornomercy | Phishing Kit impersonating Coinbase | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Netflix_access | Phishing Kit impersonating Netflix | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_RedstoneFCU_forge | Phishing Kit impersonating Redstone Federal Credit Union | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_TelekomDE_result | Phishing Kit impersonating Telekom Deutschland GmbH/T-Online | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_TexomaCU_prohqcker | Phishing Kit impersonating Texoma Community Credit Union | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Interac_bore3da | Phishing Kit impersonating Interac, several payment systems | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Ionos_02d0 | Phishing Kit impersonating Ionos webmail | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_LibertyFreightDelivery_express | Phishing Kit impersonating Liberty Freight Delivery company | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_PNC_lom | Phishing Kit impersonating PNC online bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_VystarCU_mrweebee | Phishing Kit impersonating VYSTAR CU | https://github.com/t4d/PhishingKit-Yara-Rules |
| APT_MAL_APT27_Rshell_Jul24 | YARA rule to detect RSHELL of APT27 | https://github.com/Neo23x0/signature-base |
| SUSP_BAT_OBFUSC_Jul24_1 | Detects indicators of obfuscation in Windows Batch files | https://github.com/Neo23x0/signature-base |
| SUSP_BAT_OBFUSC_Jul24_2 | Detects indicators of obfuscation in Windows Batch files | https://github.com/Neo23x0/signature-base |
| SUSP_BAT_OBFUSC_Jul24_3 | Detects indicators of obfuscation in Windows Batch files | https://github.com/Neo23x0/signature-base |
- 8 Snort Rules
| Detection name | Source |
|---|---|
| ET INFO Server Responded with Vulnerable OpenSSH Version (CVE-2024-6409) | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Splunk Unauthenticated Path Traversal Attempt Inbound (CVE-2024-36991) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN ZharkBot User-Agent Observed | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN ZharkBot CnC Exfil in HTTP URI | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN [ANY.RUN] MetaStealer v.5 (MC-NMF TLS Server Certificate) | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Rejetto HTTP File Server Unauthenticated RCE Attempt (CVE-2024-23692) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Imposter Interpol Stealer CnC Checkin | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN IP Scanner Tool Update Request (GET) | https://rules.emergingthreatspro.com/open/ |
Detailed rule files are attached.