Weekly Detection Rule (YARA and Snort) Information – Week 2, February 2025
The following is the YARA and Snort rule information (week 2, February 2025) collected and shared by the AhnLab TIP service.
- 2 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| PK_Binance_nuxt | Phishing Kit impersonating Binance | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_MondialRelay_traffyque | Phishing Kit impersonating Mondial Relay | https://github.com/t4d/PhishingKit-Yara-Rules |
- 20 Snort Rules
| Detection name | Source |
|---|---|
| ET POLICY Contec Health CMS8000 Patient Monitor Insecure Default HL7 Protocol Server IP (CVE-2025-0626) | https://rules.emergingthreatspro.com/open/ |
| ET POLICY Contec Health CMS8000 Patient Monitor Insecure Default CMS Protocol Server IP (CVE-2025-0626) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS YETI Platform Server-Side Template Injection (CVE-2024-45607) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS SimpleHelp Support Server Unauthenticated Path Traversal (serverconfig.xml) (CVE-2024-57727) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Ivanti Endpoint Manager Unauthorized XML External Entity (CVE-2024-37397) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS QNAP Viostor server.cgi SPECIFIC_SERVER Parameter Command Injection Attempt (CVE-2023-47565) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS HPE Insights Remote Support XML External Entity Injection (CVE-2024-53675) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Ivanti Avalanche SmartDeviceServer XML External Entity Injection (CVE-2024-38653) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS FXC AE1021 Series Router ntp.general.hostname Authenticated Command Injection Attempt (CVE-2023-49897) | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS Tycoon2FA Phishing Kit Style Evasion | https://rules.emergingthreatspro.com/open/ |
| ET POLICY Plaintext SSH Private Key Outbound over HTTP | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS DrayTek Gateway Web Management Interface OS Command Injection (CVE-2024-12987) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Ivanti EPM Cloud Services Appliance Backdoor Access Attempt (CVE-2021-44529) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Ivanti EPM Cloud Services Appliance Backdoor Response (CVE-2021-44529) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS D-Link DIR-605 getcfg.php Authentication Bypass Attempt (CVE-2021-40655) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Possible Roundcube XSS via Malicious XML Attachment (CVE-2020-13965) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Onestart AI Host Profile Checkin (POST) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Onestart AI Program Version Checkin (POST) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Winos4.0 Framework CnC Checkin (x32.) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Winos4.0 Framework CnC Login Message CnC Server Response | https://rules.emergingthreatspro.com/open/ |