Weekly Detection Rule (YARA and Snort) Information – Week 4, March 2025
The following is the information on YARA and Snort rules (week 4, March 2025) collected and shared by the AhnLab TIP service.
- 10 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| PK_Alibaba_whizkossy | Phishing Kit impersonating Alibaba | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Caixa_db | Phishing Kit impersonating Caixa Bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_MBHBank_takare | Phishing Kit impersonating MBH Bank from Hungary | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Telstra_mengunjungi2 | Phishing Kit impersonating Telstra | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Visa_mygift | Phishing Kit impersonating Visa | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Kraken_pacman | Phishing Kit impersonating Kraken | https://github.com/t4d/PhishingKit-Yara-Rules |
| Octowave_Loader_Supporting_File_03_2025 | Detects supporting file used by Octowave loader containing hardcoded values | https://github.com/Neo23x0/signature-base |
| SUSP_SVG_JS_Payload_Mar25 | Detects a suspicious SVG file that contains a JavaScript payload. This rule is a generic rule that might generate false positives. A match should be further investigated. | https://github.com/Neo23x0/signature-base |
| Octowave_Loader_03_2025 | Detects opcodes found in Octowave Loader DLLs and WAV steganography files | https://github.com/Neo23x0/signature-base |
| EXT_EXPL_ZTH_LNK_EXPLOIT_A | This YARA file detects padded LNK files designed to exploit ZDI-CAN-25373. | https://github.com/Neo23x0/signature-base |
- 15 Snort Rules
| Detection name | Source |
|---|---|
| ET TROJAN Generic Rust Stealer Exfiltration (POST) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Wazuh Server Serialized Unhandled Exception Payload (CVE-2025-24016) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Unknown Stealer Victim Profile Exfiltration (POST) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Unknown Stealer Victim Desktop Screenshot Exfiltration (POST) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS xml-crypto / Node.js SAML Authentication Bypass Forged DigestValue Comment (CVE-2025-29775) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS xml-crypto SAML Authentication Bypass Multiple SignedInfo References (CVE-2025-29774) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Ncast DVR Command Injection Attempt (CVE-2024-0305) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Ncast DVR Hardcoded Credentials Login Attempt | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Edimax IC-7100 Command Injection Attempt (CVE-2025-1316) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Amadey CnC Response | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN RustyStealer CnC Checkin (POST) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN RustyStealer CnC Exfil (POST) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS PandoraFMS OS Command Injection in Chromium-path (CVE-2024-12971) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS PandoraFMS OS Command Injection in goTTY QuickShell (CVE-2024-12992) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SERVER MegaRAC Redfish Authentication Bypass via X-Server-Addr Header (CVE-2024-54085) | https://rules.emergingthreatspro.com/open/ |