Weekly Detection Rule (YARA and Snort) Information – Week 2, March 2025
The following is the information on YARA and Snort rules (week 2, March 2025) collected and shared by the AhnLab TIP service.
- 5 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| PK_Generic_RD127 | Phishing Kit – RD127 – Generic email credentials stealer | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_LIDL_ninja | Phishing Kit impersonating LIDL | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_MTBank_yochi2 | Phishing Kit impersonating M&T Bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_SpareBank_perso | Phishing Kit impersonating SpareBank1 | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_TrustWallet_next | Phishing Kit impersonating Trust Wallet | https://github.com/t4d/PhishingKit-Yara-Rules |
- 23 Snort Rules
| Detection name | Source |
|---|---|
| ET WEB_SPECIFIC_APPS Naviko Unauthenticated Arbitrary File Read (CVE-2024-48248) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M3 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Screenshot Exfiltration via Discord Webhook (POST) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN BeaverTail CnC Activity (POST) M1 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN BeaverTail CnC Activity (POST) M2 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN InvisibleFerret CnC Activity (GET) M4 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Win32/SocGholish GhostWeaver Backdoor Activity (PowerShell BOINC Download Request) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN InvisibleFerret CnC Activity (GET) M5 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN InvisibleFerret CnC Activity (GET) M6 | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Hitachi Vantara Pentaho Business Analytics Server Authorization Bypass and Remote Code Execution Attempt (CVE-2022-43769, 2022-43939) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN InvisibleFerret CnC Activity (POST) M1 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN OtterCookie Host Profile Exfil | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN OtterCookie CnC Command Inbound (whour) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN OtterCookie File Exfiltration | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN OtterCookie Victim Command Execution Confirmation To CnC Server | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN OtterCookie Payload Request | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN AsyncRAT Installer Payload Request | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN AsyncRAT Victim Checkin | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Cisco ASA/FTD Memory Leak Attempt (CVE-2020-3259) | https://rules.emergingthreatspro.com/open/ |
| ET ATTACK_RESPONSE ClickFix MSHTA Command Inbound | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Observed POST to ClickFix Style URI M1 | https://rules.emergingthreatspro.com/open/ |
| ET ATTACK_RESPONSE ClickFix CnC Response (Click Logged Successfully) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Observed GET to ClickFix Style URI M1 | https://rules.emergingthreatspro.com/open/ |