Weekly Detection Rule (YARA and Snort) Information – Week 2, November 2024

The following is the information on YARA and Snort rules (week 2, November 2024) collected and shared by the AhnLab TIP service.

  • 3 YARA Rules

| Detection name | Description | Source |
| --- | --- | --- |
| MAL_Sophos_XG_Pygmy_Goat_AES_Key | Detects Pygmy Goat, a native x86-32 ELF shared object that was discovered on Sophos XG firewall devices, providing backdoor access to the device. This detection rule is based on the Pygmy Goat AES key built on the stack or in data. | https://github.com/Neo23x0/signature-base |
| MAL_Sophos_XG_Pygmy_Goat_Magic_Strings | Detects Pygmy Goat, a native x86-32 ELF shared object that was discovered on Sophos XG firewall devices, providing backdoor access to the device. This detection rule is based on the magic byte sequences used in C2 communications. | https://github.com/Neo23x0/signature-base |
| MAL_EarthWorm_Socks_Proxy_ID_Generation | Detects EarthWorm, a reverse SOCKS proxy used by the threat group that deployed the Pygmy Goat malware on Sophos XG firewall devices. The detection is based on the pool num generation x86 assembly. | https://github.com/Neo23x0/signature-base |
  • 22 Snort Rules

| Detection name | Source |
| --- | --- |
| ET EXPLOIT PTZOptics PT30X Authentication Bypass Attempt Inbound (CVE-2024-8956) | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT PTZOptics PT30X Successful Authentication Bypass (CVE-2024-8956) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN [NCSC] Pygmy Goat SSH Banner | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN [NCSC] Pygmy Goat SSH ed25519 Key | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS D-Link DIR820 ping.ccp Command Injection Attempt (CVE-2023-25280) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Tenda AX3 Command Injection Attempt (CVE-2023-27240) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS APsystems ECU-R Command Inject Attempt (CVE-2022-45699) | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Google Redirect to Generic Credential Phish Landing Page 2024-11-05 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Microsoft Sharepoint BDCM File Creation (CVE-2023-24955) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Microsoft Sharepoint BDCM Execution (CVE-2023-24955) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Microsoft Sharepoint BDCM File Creation (CVE-2024-38094) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Microsoft Sharepoint BDCM Execution (CVE-2024-38094) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN HTTP Request to Remcos Payload M2 | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS DadSec Credential Phish Landing Page 2024-11-07 | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Generic Credential Phish Landing Page with Explicit Cloudflare Turnstile Rendering 2024-11-07 | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Generic Credential Phish Landing Page with Implicit Cloudflare Turnstile Rendering 2024-11-07 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS D-Link DWL-2600AP Command Injection Attempt (CVE-2019-20499, CVE-2019-20500, CVE-2019-20501) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Tenda HG9 Router Command Injection Attempt (CVE-2022-30023) | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS DadSec Credential Phish Landing Page 2024-11-06 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS D-Link NAS OS Command Injection in cgi_user_add Function (CVE-2024-10914) | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS MAMBA Credential Phish Landing Page 2024-11-08 | https://rules.emergingthreatspro.com/open/ |

2024-11_ASEC_Notes_2.yar

2024-11_ASEC_Notes_2_snort.rules