Weekly Detection Rule (YARA and Snort) Information – Week 4, January 2025


The following is the information on the YARA and Snort rules (week 4, January 2025) collected and shared by the AhnLab TIP service.

  • 7 YARA Rules

| Detection name | Description | Source |
|---|---|---|
| PK_SumUp_pseller | Phishing Kit impersonating SumUp | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_SwissPass_z3ci_2 | Phishing Kit impersonating SwissPass.ch | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_PayPal_0x | Phishing Kit impersonating PayPal | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_IndonesiaBaikId_malay | Phishing Kit impersonating Indonesia Baik id | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_ATandT_yb | Phishing Kit impersonating ATandT | https://github.com/t4d/PhishingKit-Yara-Rules |
| APT_IN_TA397_wmRAT | Tracks wmRAT based on socket usage, odd error handling, and reused strings | https://github.com/Neo23x0/signature-base |
| SUSP_RAR_NTFS_ADS | Detects RAR archive with NTFS alternate data stream | https://github.com/Neo23x0/signature-base |
  • 14 Snort Rules

| Detection name | Source |
|---|---|
| ET WEB_SPECIFIC_APPS Aviatrix Controller Unauthenticated OS Command Injection (CVE-2024-50603) M1 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Aviatrix Controller Unauthenticated OS Command Injection (CVE-2024-50603) M2 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Obfuscated Clickfix Javascript Payload Inbound | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Squid Proxy user_name and auth Reflected Cross-Site Scripting (CVE-2019-13345) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS phpGACL acl_admin action Parameter Reflected Cross-Site Scripting (CVE-2020-13562) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Fortinet Authentication Bypass via Node.js Websocket (CVE-2024-55591) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS phpGACL assign_group group_id Parameter Reflected Cross-Site Scripting (CVE-2020-13563) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS phpGACL acl_admin acl_id Parameter Reflected Cross-Site Scripting (CVE-2020-13564) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS WordPress Limit Login Attempts Plugin Stored Cross Site Scripting (CVE-2023-1861) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Apache ActiveMQ Web Console message jsp Cross-Site Scripting (CVE-2020-13947) M1 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Apache ActiveMQ Web Console message jsp Cross-Site Scripting (CVE-2020-13947) M2 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Apache Superset Markdown Component Stored Cross-Site Scripting (CVE-2021-27907) M1 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Apache Superset Markdown Component Stored Cross-Site Scripting (CVE-2021-27907) M2 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 | https://rules.emergingthreatspro.com/open/ |

2025-01_ASEC_Notes_4.yar

2025-01_ASEC_Notes_4_snort.rules