Weekly Detection Rule (YARA and Snort) Information – Week 1, August 2024
The following is the information on the YARA and Snort rules (week 1, August 2024) collected and shared by the AhnLab TIP service.
- 26 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| PK_A1_webmail | Phishing Kit impersonating A1.net webmail | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_CitiBank_imgamerzchoices | Phishing Kit impersonating Citi Bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_ING_alexronyy | Phishing Kit impersonating ING bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_NAB_otp | Phishing Kit impersonating National Australia Bank (NAB) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_TaiwanPost_alfabrabus | Phishing Kit impersonating Taiwan POST | https://github.com/t4d/PhishingKit-Yara-Rules |
| MAL_Go_Modbus_Jul24_1 | Detects characteristics reported by Dragos for FrostyGoop ICS malware | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_ScheduledTask_Loader | Detects a scheduled task loader used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_KaosRAT_Yamabot | Detects the KaosRAT variant | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_TriFaux_EasyRAT_JUPITER | Detects a variant of the EasyRAT malware family | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_CutieDrop_MagicRAT | Detects the MagicRAT variant used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_HHSD_FileTransferTool | Detects a variant of the HHSD File Transfer Tool | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_Atharvan_3RAT | Detects a variant of the Atharvan 3RAT malware family | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_LilithRAT_Variant | Detects a variant of the Lilith RAT malware family | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_SocksTroy_Strings_OpCodes | Detects a variant of the SocksTroy malware family | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_Agni | Detects samples of the Agni malware family | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_GoLang_Validalpha_Handshake | Detects a variant of the GoLang Validalpha malware | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_GoLang_Validalpha_Tasks | Detects a variant of the GoLang Validalpha malware | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_GoLang_Validalpha_BlackString | Detects a variant of the GoLang Validalpha malware based on a file path found in the samples | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_ELF_Backdoor_Fipps | Detects a Linux backdoor named Fipps used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_BindShell | Detects a BindShell used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_Grease2 | Detects the Grease2 malware family used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_NoPineapple_Dtrack_Unpacked | Detects the Dtrack variant used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_DTrack_Unpacked | Detects the DTrack variant used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_TigerRAT_Crowdsourced_Rule | Detects the Tiger RAT variant used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_WIN_Tiger_RAT_Auto | Detects the Tiger RAT variant used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_WIN_DTrack_Auto | Detects the DTrack variant used by Andariel | https://github.com/Neo23x0/signature-base |
- 13 Snort Rules
| Detection name | Source |
|---|---|
| ET TROJAN UNK_HamsaHatef Related URI | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Daolpu Stealer Data Exfiltration Attempt | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Lumma Stealer CnC Host Checkin | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN APT Related URI in HTTP Request | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Openmediavault Crontab Manipulation Remote Code Execution/Privilege Escalation (CVE-2013-3652) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN ASYNC RAT Payload Inbound | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Observed Malicious SSL Cert (Pantegana Botnet RAT) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Win32/Rhadamanthys CnC Activity (GET) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN JaskaGO Infrastructure Observed Inbound | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN JaskaGO CnC Activity (GET) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN JaskaGO CnC Server Response | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN PrivateLoader CnC Activity (GET) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN PrivateLoader CnC Activity (POST) | https://rules.emergingthreatspro.com/open/ |
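A practical follow-up to both tables above is to confirm that the listed rules are actually present in the rule sets you deploy. The script below is an added example, not code from AhnLab, signature-base, the PhishingKit-Yara-Rules repository or Emerging Threats: it extracts rule identifiers from YARA source (honouring `private`/`global` modifiers and ignoring names that only appear in comments) and `msg` strings from enabled Snort/Suricata rules (disabled `#` lines are skipped), then reports which of the week's names are present or missing. The YARA and Snort samples embedded in it are constructed stand-ins so the check runs offline; to use it for real, read the checked-out `.yar` and `.rules` files into `check_week()` instead.

```python
import re

# Added example: checks which of the week's listed rule names appear in a local
# rule set. The samples below are CONSTRUCTED to exercise the parser offline;
# they are not the real signature-base, PhishingKit-Yara-Rules or ET files.
SAMPLE_YARA = r'''
/* header comment with a decoy on its own line:
rule Not_A_Rule { condition: true }
*/
import "pe"

rule PK_A1_webmail : phishing {
    meta:
        description = "Phishing Kit impersonating A1.net webmail"
    strings:
        $s = "a1.net"
    condition:
        $s
}

private rule MAL_Go_Modbus_Jul24_1
{
    strings: $a = "modbus"
    condition: $a
}

// rule MAL_APT_NK_Andariel_Grease2 only appears in a line comment
global rule MAL_APT_NK_WIN_DTrack_Auto { condition: true }
'''

# Constructed ET-style Snort rules; sids and content are invented placeholders.
SAMPLE_SNORT = r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Lumma Stealer CnC Host Checkin"; flow:established,to_server; content:"POST"; sid:9000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PrivateLoader CnC Activity (GET)"; sid:9000002; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Pantegana Botnet RAT)"; sid:9000003; rev:1;)
'''

# Names taken from this week's tables (a subset keeps the example short).
WEEK_YARA_RULES = [
    "PK_A1_webmail", "PK_CitiBank_imgamerzchoices", "MAL_Go_Modbus_Jul24_1",
    "MAL_APT_NK_Andariel_Grease2", "MAL_APT_NK_WIN_DTrack_Auto",
]
WEEK_SNORT_RULES = [
    "ET TROJAN Lumma Stealer CnC Host Checkin",
    "ET TROJAN PrivateLoader CnC Activity (GET)",
    "ET TROJAN Observed Malicious SSL Cert (Pantegana Botnet RAT)",
    "ET TROJAN JaskaGO CnC Server Response",
]

# A rule header is `rule NAME`, optionally preceded by `private`/`global`
# modifiers; anchoring at line start keeps `// rule X` comments from matching.
YARA_RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)', re.M)
# An enabled Snort/Suricata rule starts with an action keyword; disabled rules
# start with `#` and therefore never match. msg may contain escaped quotes.
SNORT_MSG_RE = re.compile(r'^\s*(?:alert|drop|reject|pass|log)\b[^\n]*?\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"', re.M)


def yara_rule_names(source):
    """Return the set of rule identifiers defined in a YARA source text."""
    # Block comments can span lines and hide a `rule X` at line start, so drop them first.
    without_block_comments = re.sub(r'/\*.*?\*/', '', source, flags=re.S)
    return set(YARA_RULE_RE.findall(without_block_comments))


def snort_rule_msgs(source):
    """Return the set of msg strings of enabled rules in a Snort/Suricata rules file."""
    return set(SNORT_MSG_RE.findall(source))


def coverage(expected, found):
    """Split the expected rule names into those present in `found` and those missing."""
    expected = set(expected)
    return {"present": sorted(expected & found), "missing": sorted(expected - found)}


def check_week(yara_source=SAMPLE_YARA, snort_source=SAMPLE_SNORT):
    """Coverage report for the week's YARA names and Snort msg strings."""
    return {
        "yara": coverage(WEEK_YARA_RULES, yara_rule_names(yara_source)),
        "snort": coverage(WEEK_SNORT_RULES, snort_rule_msgs(snort_source)),
    }


if __name__ == "__main__":
    for kind, result in check_week().items():
        print(f"{kind}: present={result['present']} missing={result['missing']}")
```

Matching Snort rules by `msg` rather than `sid` is deliberate: the page lists rule names only, and ET sids are not reproduced here. Note that the regex approach only finds rule headers; it does not compile the rules, so a rule that is present but fails to compile (for example because of a missing module import) still needs a real `yara` or `suricata -T` run before deployment.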