Weekly Detection Rule (YARA and Snort) Information – Week 3, February 2025

The following is the information on YARA and Snort rules (week 3, February 2025) collected and shared by the AhnLab TIP service.

  • 5 YARA Rules

| Detection name | Description | Source |
|---|---|---|
| MAL_BACKORDER_LOADER_WIN_Go_Jan23 | Detects the BACKORDER loader, compiled in Go, which downloads and executes a second-stage payload from a remote server. | https://github.com/Neo23x0/signature-base |
| MAL_PHISH_ShellCode_Enc_Payload_Feb25 | Detects the encrypted shellcode payload stage of phishing-delivered malware. | https://github.com/Neo23x0/signature-base |
| MAL_PHISH_Final_Payload_Feb25 | Detects the possible final payload of phishing-delivered malware, where embedded shellcode decrypts and executes the payload after the user supplies a password. | https://github.com/Neo23x0/signature-base |
| SUSP_Sysinternals_Desktops_Anomaly_Feb25 | Detects anomalies in Sysinternals Desktops binaries. | https://github.com/Neo23x0/signature-base |
| SUSP_PE_Compromised_Certificate_Feb25 | Detects suspicious PE files signed with a certificate used in a widespread phishing attack in February 2025. | https://github.com/Neo23x0/signature-base |
  • 13 Snort Rules

| Detection name | Source |
|---|---|
| ET WEB_SPECIFIC_APPS Microsoft Purview Authorized Server-Side Request Forgery (CVE-2025-21385) | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Microsoft Windows Themes Spoofing (CVE-2024-38030) | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Microsoft Windows Themes Spoofing (CVE-2024-21320) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN ReverseLoader Style Payload Request (GET) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Snake Keylogger Exfil via SMTP (VIP Recovery) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass HTTP Cookie (swap) (CVE-2024-53704) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Build Your Own Botnet CnC Exfil (POST) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Management Web Interface Authentication Bypass (CVE-2025-0108) | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Zyxel DSL CPE Management Interface Default Credentials (supervisor) (CVE-2025-0890) | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Zyxel DSL CPE Management Interface Default Credentials (admin) (CVE-2025-0890) | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Zyxel DSL CPE Management Interface Default Credentials (zyuser) (CVE-2025-0890) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN TA582 CnC Checkin | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Zyxel DSL CPE Authenticated HTTP Command Injection (CVE-2024-40890) | https://rules.emergingthreatspro.com/open/ |
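A practical use of a weekly listing like this is to confirm that the rules it names are actually present, and enabled, in the copy of the feeds deployed locally. The script below is an added example written for this page; it is not ASEC's, signature-base's or Emerging Threats' code. It parses rule names out of a YARA file and `msg`/`sid` fields out of a Snort rule file, then reports which of this week's names are missing or commented out. The expected names are taken from the listing above; the YARA and Snort file contents embedded in the script are constructed placeholders (local-range sids, dummy conditions), not the real rule bodies.

```python
"""Cross-check this week's listed rule names against local rule files.

Added example for the weekly listing; not ASEC's or the feed maintainers' code.
The sample file contents below are constructed placeholders, not real rules.
"""
import re

# Rule names as printed in this week's listing.
EXPECTED_YARA = {
    "MAL_BACKORDER_LOADER_WIN_Go_Jan23",
    "MAL_PHISH_ShellCode_Enc_Payload_Feb25",
    "MAL_PHISH_Final_Payload_Feb25",
    "SUSP_Sysinternals_Desktops_Anomaly_Feb25",
    "SUSP_PE_Compromised_Certificate_Feb25",
}
EXPECTED_SNORT = {
    "ET WEB_SPECIFIC_APPS Microsoft Purview Authorized Server-Side Request Forgery (CVE-2025-21385)",
    "ET EXPLOIT Microsoft Windows Themes Spoofing (CVE-2024-38030)",
    "ET EXPLOIT Microsoft Windows Themes Spoofing (CVE-2024-21320)",
    "ET TROJAN ReverseLoader Style Payload Request (GET)",
    "ET TROJAN Snake Keylogger Exfil via SMTP (VIP Recovery)",
    "ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass HTTP Cookie (swap) (CVE-2024-53704)",
    "ET TROJAN Build Your Own Botnet CnC Exfil (POST)",
    "ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Management Web Interface Authentication Bypass (CVE-2025-0108)",
    "ET EXPLOIT Zyxel DSL CPE Management Interface Default Credentials (supervisor) (CVE-2025-0890)",
    "ET EXPLOIT Zyxel DSL CPE Management Interface Default Credentials (admin) (CVE-2025-0890)",
    "ET EXPLOIT Zyxel DSL CPE Management Interface Default Credentials (zyuser) (CVE-2025-0890)",
    "ET TROJAN TA582 CnC Checkin",
    "ET WEB_SPECIFIC_APPS Zyxel DSL CPE Authenticated HTTP Command Injection (CVE-2024-40890)",
}

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"//[^\n]*")  # note: also strips '//' inside string literals (e.g. URLs); acceptable for name extraction
_YARA_RULE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)
# A leading '#' means the rule ships disabled; group 1 captures it.
_SNORT_RULE = re.compile(r'^\s*(#\s*)?(?:alert|drop|reject|pass|log)\s[^\n]*?msg:\s*"([^"]*)"[^\n]*', re.M)
_SID = re.compile(r"\bsid:\s*(\d+)")


def yara_rule_names(text: str) -> set:
    """Return the names of all rules (public and private) defined in a YARA file."""
    text = _LINE_COMMENT.sub("", _BLOCK_COMMENT.sub("", text))
    return set(_YARA_RULE.findall(text))


def snort_rules(text: str) -> dict:
    """Map each rule's msg to {'sid': int|None, 'enabled': bool}."""
    out = {}
    for m in _SNORT_RULE.finditer(text):
        disabled, msg = m.group(1), m.group(2)
        sid = _SID.search(m.group(0))
        out[msg] = {"sid": int(sid.group(1)) if sid else None, "enabled": disabled is None}
    return out


def coverage_report(yara_text: str, snort_text: str) -> dict:
    """Which expected rules are absent, and which Snort rules are present but commented out."""
    found_yara = yara_rule_names(yara_text)
    found_snort = snort_rules(snort_text)
    return {
        "yara_missing": sorted(EXPECTED_YARA - found_yara),
        "snort_missing": sorted(m for m in EXPECTED_SNORT if m not in found_snort),
        "snort_disabled": sorted(m for m in EXPECTED_SNORT
                                 if m in found_snort and not found_snort[m]["enabled"]),
    }


# Constructed sample files: placeholder bodies, not the real signature-base / ET Open content.
SAMPLE_YARA = r'''
import "pe"

/* commented-out block must be ignored
rule NOT_A_RULE { condition: false }
*/
private rule helper_is_pe { condition: uint16(0) == 0x5A4D }

rule MAL_BACKORDER_LOADER_WIN_Go_Jan23 {
    meta:
        description = "placeholder" // body is constructed
    strings:
        $s1 = "rule text inside a string must not count"
    condition:
        helper_is_pe and $s1
}

rule SUSP_PE_Compromised_Certificate_Feb25 { condition: helper_is_pe }
'''

SAMPLE_SNORT = '''
# constructed placeholder rules; sids 1000001+ are local-use values, not ET sids
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Management Web Interface Authentication Bypass (CVE-2025-0108)"; flow:established,to_server; sid:1000001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN TA582 CnC Checkin"; flow:established,to_server; sid:1000002; rev:1;)
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Snake Keylogger Exfil via SMTP (VIP Recovery)"; flow:established,to_server; sid:1000003; rev:1;)
'''

if __name__ == "__main__":
    for key, names in coverage_report(SAMPLE_YARA, SAMPLE_SNORT).items():
        print(f"{key}: {len(names)}")
        for name in names:
            print("   ", name)
```

On a real deployment, replace the two sample strings with the contents of the local `signature-base` YARA files and the ET Open `.rules` file; a rule reported as disabled is the common case with ET Open, which ships many signatures commented out until the operator enables them.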

2025-02_ASEC_Notes_3.yar

2025-02_ASEC_Notes_3_snort.rules