Weekly Detection Rule (YARA and Snort) Information – Week 5, January 2025
The following is the information on Yara and Snort rules (week 5, January 2025) collected and shared by the AhnLab TIP service.
- 8 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| PK_DHL_Tracking | Phishing Kit impersonating DHL | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_ESL_sigmadev | Phishing Kit impersonating ESL Federal Credit Union | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Nexi_mobile | Phishing Kit impersonating Nexi (Nexi Pay) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_PeapackBank_gate | Phishing Kit impersonating Peapack-Gladstone bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_WellsFargo_RD265 | Phishing Kit impersonating Wells Fargo | https://github.com/t4d/PhishingKit-Yara-Rules |
| SUSP_LNX_ByteEncoder_Jan25 | Detects Linux binaries that encode bytes by splitting them into upper and lower nibbles and mapping them to custom lookup tables, seen being used by SEASPY and Bluez backdoors | https://github.com/Neo23x0/signature-base |
| SUSP_LNX_StackString_Technique_Jan25 | Detects suspicious Linux binaries using stack-based string manipulation techniques, which are often used to generate PTY (pseudo-terminal) device names for stealth or persistence, seen being used by SEASPY and Bluez backdoors | https://github.com/Neo23x0/signature-base |
| SUSP_LNK_Suspicious_Folders_Jan25 | Detects link files (.LNK) with suspicious folders mentioned in the target path | https://github.com/Neo23x0/signature-base |
- 11 Snort Rules
| Detection name | Source |
|---|---|
| ET USER_AGENTS FastHTTP User-Agent Observed Outbound (fasthttp) | https://rules.emergingthreatspro.com/open/ |
| ET DOS Possible Brute Force Attack Using FastHTTP | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Progress WhatsUp Gold SnmpExtendedActiveMonitor Path Traversal Vulnerability (CVE-2024-12105) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Nuuo NVRmini/NVRsolo handle_import_user.php Unauthenticated Remote Code Execution Attempt (CVE-2022-23227) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Axis Communications Security Camera Command Injection Attempt (CVE-2018-10660) M1 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Axis Communications Security Camera Command Injection Attempt (CVE-2018-10660, CVE-2018-10661, CVE-2018-10662) M2 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Fake Microsoft Teams CnC Payload Request (GET) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Fake Microsoft Teams VBS Payload Inbound | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Lazarus APT Electron CnC Activity (GET) M1 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Lazarus APT Electron CnC Activity (GET) M2 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Lazarus APT Electron CnC Activity (GET) M3 | https://rules.emergingthreatspro.com/open/ |