Weekly Detection Rule (YARA and Snort) Information – Week 4, September 2024
The following is the information on the YARA and Snort rules (week 4, September 2024) collected and shared by the AhnLab TIP service.
- 5 YARA Rules

| Detection name | Description | Source |
|---|---|---|
| PK_Bit_dnjwan | Phishing Kit impersonating bitpay.co.il | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_GovCA_krepto | Phishing Kit impersonating Canadian Government (CRA) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Square_RD971_2 | Phishing Kit impersonating Square | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_SwissPass_zoro | Phishing Kit impersonating SwissPass.ch | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_USPS_vensuxv | Phishing Kit impersonating USPS | https://github.com/t4d/PhishingKit-Yara-Rules |
- 24 Snort Rules

| Detection name | Source |
|---|---|
| ET TROJAN PS1/ExfiltracaoBot CnC Checkin | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN PS1/ExfiltracaoBot CnC Command Inbound (ZIP_FILE) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN PS1/ExfiltracaoBot CnC Response (INFO_RECEIVED) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Win32/Mesquito Loader Related Activity (GET) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Zyxel NAS CGI Command Injection (CVE-2024-29972) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Zyxel NAS Unauthorized Command Injection in setCookie Parameter (CVE-2024-29973) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Zyxel NAS CGI Remote Code Execution via Configuration Upload (CVE-2024-29974) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Zyxel NAS Privilege Escalation and Information Disclosure (CVE-2024-29976) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution Attempt M1 – Payload Delivery (CVE-2024-4885) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Progress WhatsUp Gold SetAdminPassword Privilege Escalation (CVE-2024-5009) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution Attempt M2 – Outbound Admin Session Attempt (CVE-2024-4885) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth WriteDataFile Directory Traversal RCE (CVE-2024-4883) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN PeakLight/Emmenhtal Loader Payload Request | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution Attempt M3 – Payload Retrieval Attempt (CVE-2024-4885) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Hoverfly Arbitrary File Read via Traversal Attempt Inbound (CVE-2024-45388) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth Password Encrypt Primitive (CVE-2024-6670) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Progress WhatsUp Gold HasErrors SQL Injection Authentication Bypass (CVE-2024-6670) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-8190) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS WebIQ 2.15.9 Directory Traversal Attempt (CVE-2024-8752) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Zabbix Server Blind SQL Injection via clientip Parameter (CVE-2024-22120) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Unknown Info Stealer URI Structure | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS WordPress LiteSpeed Cache Plugin debug.log Access Attempt (CVE-2024-44000) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Cisco Smart Licensing Utility customer-cslu-lib-log.log Access Attempt (CVE-2024-20440) | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Suspected Generic Credential Phish Landing Page (2024-09-20) | https://rules.emergingthreatspro.com/open/ |