Weekly Detection Rule (YARA and Snort) Information – Week 1, July 2024
The following is the information on Yara and Snort rules (week 1, July 2024) collected and shared by the AhnLab TIP service.
- 10 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| PK_BRI_sadapan | Detects a phishing kit impersonating Bank Rakyat Indonesia (bank) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_GlobalSources_sogo | Detects a phishing kit impersonating GlobalSources (B2B media company) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_NBTbank_packaging | Detects a phishing kit impersonating NBTbank (US financial institution) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_SocieteGenerale_prestoworld | Detects a phishing kit impersonating Societe Generale (French financial group) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_TruityCU_prohqcker | Detects a phishing kit impersonating TruityCU (financial service) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Ameli_querty | Detects a phishing kit impersonating Ameli.fr (health insurance) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_BROU_syn4pse | Detects a phishing kit impersonating BROU (financial service) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_BSI_saldo | Detects a phishing kit impersonating Bank Syariah Indonesia (bank) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_DLExpressGlobal_tracker | Detects a phishing kit impersonating DL Express (logistics company) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Evri_sigmadevs | Detects a phishing kit impersonating Evri (logistics company) | https://github.com/t4d/PhishingKit-Yara-Rules |
- 29 Snort Rules
| Detection name | Description | Source |
|---|---|---|
| ET TROJAN Mint Stealer CnC Checkin | Detects Mint Stealer C2 check-in packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Mint Stealer CnC Server Response | Detects Mint Stealer C2 server response packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Mint Stealer Data Exfiltration Attempt | Detects Mint Stealer data exfiltration attempt packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Mint Stealer Data Exfiltration Server Response | Detects Mint Stealer data exfiltration server response packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Mint Stealer Injection Request | Detects Mint Stealer injection request packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Mint Stealer Injection Server Response | Detects Mint Stealer injection server response packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Generic DDoS Kit Checkin (POST) M1 | Detects DDoS kit check-in packet | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS MyGovAU Credential Phish Landing Page 2024-06-24 | Detects MyGovAU phishing landing page packet | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Successful Generic Credential Phishing 2024-06-24 | Detects credential phishing packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN WordPress Social Warfare Plugin Attempted Admin User Creation | Detects packet attempting WordPress Social Warfare plug-in admin account creation | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN WordPress Social Warfare Plugin Exploit C2 Connect Request (POST) | Detects exploit packet attempting WordPress Social Warfare plug-in C2 connection | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN WordPress Social Warfare Plugin Exploit Payload URI in GET Request | Detects WordPress Social Warfare plug-in exploit packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS ShowDoc File Upload Vulnerability | Detects ShowDoc file upload vulnerability packet | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Fanwei eMobile File Upload Vulnerability | Detects Fanwei eMobile file upload vulnerability packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN WordPress Social Warfare Plugin Exploit Payload Impression Request | Detects WordPress Social Warfare plug-in exploit packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN WordPress Social Warfare Plugin Exploit CMS Users Exfil M1 | Detects WordPress Social Warfare plug-in exploit packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN WordPress Social Warfare Plugin Exploit CMS Users Exfil M2 | Detects WordPress Social Warfare plug-in exploit packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN WordPress Social Warfare Plugin Exploit CMS Users Exfil M3 | Detects WordPress Social Warfare plug-in exploit packet | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT MoveIT Transfer SFTP Authentication Bypass Attempt Inbound M0 (CVE-2024-5806) | Detects packet attempting MoveIT Transfer SFTP authentication bypass | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT MoveIT Transfer SFTP Authentication Bypass Attempt Inbound M1 (CVE-2024-5806) | Detects packet attempting MoveIT Transfer SFTP authentication bypass | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Polyfill Malicious Redirect Attempt M1 | Detects packet attempting Polyfill malicious redirection | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Polyfill Malicious Redirect Attempt M2 | Detects packet attempting Polyfill malicious redirection | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Polyfill Malicious Redirect Attempt M3 | Detects packet attempting Polyfill malicious redirection | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M1 | Detects packet carrying the Sniffthem/Tnaket User-Agent | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M2 | Detects packet carrying the Sniffthem/Tnaket User-Agent | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Possible Sniffthem/Tnaket User-Agent Observed M3 | Detects packet carrying the Sniffthem/Tnaket User-Agent | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Kingdee Cloud Star Deserialization Vulnerability | Detects Kingdee Cloud Star deserialization vulnerability exploit packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Koadic RC4 Encrypted Payload Inbound M1 | Detects inbound Koadic RC4-encrypted payload packet | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Koadic RC4 Encrypted Payload Inbound M2 | Detects inbound Koadic RC4-encrypted payload packet | https://rules.emergingthreatspro.com/open/ |
Detailed rule files are attached.