Weekly Detection Rule (YARA and Snort) Information – Week 4, November 2024
The following is the information on YARA and Snort rules (week 4, November 2024) collected and shared by the AhnLab TIP service.
5 YARA Rules
Detection name | Description | Source
PK_Amazon_hitman | Phishing Kit impersonating Amazon | https://github.com/t4d/PhishingKit-Yara-Rules
PK_Nedbank_sql | Phishing Kit impersonating Nedbank | https://github.com/t4d/PhishingKit-Yara-Rules
PK_Barclays_offshore | Phishing Kit impersonating Barclays | https://github.com/t4d/PhishingKit-Yara-Rules
PK_OneDrive_awake | Phishing Kit
2024 MSC Malware Trend Report
As the distribution of MS Office document malware has declined, malware in other file formats such as LNK and CHM is on the rise. In the second quarter of this year, malware in the MSC (snap-in / Management Saved Console) file format, the format used by Microsoft Management Console (MMC), was identified.
Warning Against Malware in SVG Format Distributed via Phishing Emails
AhnLab SEcurity Intelligence Center (ASEC) has recently identified multiple instances of malware being distributed in Scalable Vector Graphics (SVG) format. An SVG file is an XML-based file format that represents scalable vector graphics. SVG files are primarily used for icons, charts, and graphs, and they support the use of CSS
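The point of the SVG warning is that the format is XML and can carry more than drawing data. The following triage script is an added example for this summary, not ASEC code: it walks an SVG with the standard-library XML parser and reports script elements, foreignObject, inline event handlers and javascript:/data:text/html links, which are the places a phishing SVG has to put its active content. The two documents at the bottom are constructed for illustration, not real samples.

```python
"""Flag SVG files that carry active content instead of plain drawing data.

Added example for this summary, not AhnLab/ASEC code. It assumes the
SVG is available as bytes (for instance a saved e-mail attachment) and
parses it with the standard library. The two sample documents below are
constructed for illustration, not real samples.
"""
import xml.etree.ElementTree as ET


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list:
    """Return a list of findings; an empty list means no active content was seen."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML still deserves a look: browsers are more lenient than a parser.
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():          # root first, then children in document order
        name = _local(elem.tag)
        if name == "script":
            findings.append("script element")
        elif name == "foreignobject":
            findings.append("foreignObject element (can embed HTML)")
        for attr, value in elem.attrib.items():
            aname = _local(attr)      # handles xlink:href as well as plain href
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname in ("href", "src"):
                v = value.strip().lower()
                if v.startswith("javascript:") or v.startswith("data:text/html"):
                    findings.append(f"{v.split(':', 1)[0]}: URL in {aname} on <{name}>")
    return findings


# Constructed samples (not real attachments).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <a xlink:href="javascript:void(0)"><text x="0" y="10">Open document</text></a>
  <script><![CDATA[ location.href = "https://example.invalid/"; ]]></script>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, scan_svg(doc) or "clean")
```

The check is deliberately conservative: a clean result only means none of these markers is present. A mail gateway should still treat `.svg` attachments as active content, because the same file is rendered by the browser with full script support when opened from disk.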
Weekly Detection Rule (YARA and Snort) Information – Week 3, November 2024
The following is the information on YARA and Snort rules (week 3, November 2024) collected and shared by the AhnLab TIP service.
1 YARA Rule
Detection name | Description | Source
MAL_ELF_Xlogin_Nov24_1 | Detects xlogin backdoor samples | https://github.com/Neo23x0/signature-base
4 Snort Rules
Detection name | Source
ET WEB_SPECIFIC_APPS Symphony PHP Symfony Profiler Environment Manipulation (CVE-2024-50340)
Report on DDoSia Malware Launching DDoS Attacks Against Korean Institutions
The Russian hacktivist group NoName057(16) has been active since March 2022, and its goal is to launch DDoS attacks against targets it regards as anti-Russian. In November 2024, NoName057(16), together with the pro-Russian hacktivist groups Cyber Army of Russia Reborn and Alixsec, launched DDoS attacks against the websites of major
XLoader Executed Through JAR Signing Tool (jarsigner.exe)
Recently, AhnLab SEcurity intelligence Center (ASEC) identified the distribution of XLoader malware using the DLL side-loading technique. In DLL side-loading, a legitimate application and a malicious DLL are placed in the same folder so that the application loads and runs the malicious DLL when it is launched. The
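The side-loading pattern described above is visible in image-load telemetry as a DLL loaded from the same directory as its host executable. The script below is an added example for this summary, not ASEC code and not a rule from the TIP feed: it runs a simple heuristic over constructed `key=value` records modelled on Sysmon Event ID 7 fields (`Image`, `ImageLoaded`, `Signed`). A co-located DLL that carries the name of a System32 library is flagged outright; otherwise two weak signals (unsigned DLL, host executable in a user-writable path) are required so that bundled, signed runtime DLLs do not alert. All paths, the user name and the DLL names in the samples are hypothetical.

```python
"""Heuristic detection of DLL side-loading in image-load telemetry.

Added example for this summary, not AhnLab/ASEC code and not a rule
from the TIP feed. Input is a list of constructed "key=value" records
modelled on Sysmon Event ID 7 (ImageLoaded) fields: Image is the
process executable, ImageLoaded the DLL, Signed the DLL's signature
state. All paths, the user name and the DLL names are hypothetical.
"""
import ntpath
import re

# Directories where a DLL load is expected; a same-named copy next to the
# EXE elsewhere is the classic side-loading pattern.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Roots that ordinary users cannot write to without elevation.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# System32 DLL names that are frequently shadowed by a malicious co-located copy.
COMMON_SIDELOAD_NAMES = {
    "version.dll", "dwmapi.dll", "cryptbase.dll", "uxtheme.dll",
    "userenv.dll", "wtsapi32.dll", "dbghelp.dll", "profapi.dll",
}

# Key=value pairs; values may contain spaces (e.g. "Program Files").
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_record(line: str) -> dict:
    """Split 'Key=value Key2=value ...' into a dict."""
    return dict(_FIELD.findall(line.strip()))


def assess(rec: dict):
    """Return a dict describing a suspected side-load, or None."""
    image, loaded = rec.get("Image", ""), rec.get("ImageLoaded", "")
    if not image or not loaded:
        return None
    exe_dir = ntpath.dirname(image).lower()
    dll_dir = ntpath.dirname(loaded).lower()
    if exe_dir != dll_dir or dll_dir.startswith(SYSTEM_DIRS):
        return None  # not co-located, or a normal system-directory load
    name = ntpath.basename(loaded).lower()
    reasons = []
    shadowed = name in COMMON_SIDELOAD_NAMES
    if shadowed:
        reasons.append(f"{name} is a System32 DLL name but was loaded from the EXE directory")
    if rec.get("Signed", "").lower() != "true":
        reasons.append("co-located DLL is unsigned")
    if not image.lower().startswith(TRUSTED_ROOTS):
        reasons.append("process image runs from a user-writable path")
    # A shadowed system DLL name is enough on its own; otherwise require two
    # weak signals so bundled, signed runtime DLLs do not alert.
    if shadowed or len(reasons) >= 2:
        return {"image": image, "dll": loaded, "reasons": reasons}
    return None


def find_sideloads(lines) -> list:
    """Apply assess() to every Event ID 7 record and collect the alerts."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "7":
            continue
        hit = assess(rec)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (hypothetical paths, user and DLL names).
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Program Files\Vendor\tool.exe ImageLoaded=C:\Program Files\Vendor\helper.dll Signed=true",
    r"EventID=7 Image=C:\Users\victim\Downloads\update\jarsigner.exe ImageLoaded=C:\Users\victim\Downloads\update\version.dll Signed=false",
    r"EventID=7 Image=C:\Users\victim\Downloads\update\jarsigner.exe ImageLoaded=C:\Users\victim\Downloads\update\msvcp140.dll Signed=true",
    r"EventID=7 Image=C:\Users\victim\Downloads\update\jarsigner.exe ImageLoaded=C:\Users\victim\Downloads\update\helper.dll Signed=false",
    r"EventID=1 Image=C:\Users\victim\Downloads\update\jarsigner.exe CommandLine=jarsigner.exe -verify app.jar",
]


if __name__ == "__main__":
    for alert in find_sideloads(SAMPLE_EVENTS):
        print(alert["dll"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

The first sample (a signed helper DLL beside a vendor tool under Program Files) and the third (a signed runtime DLL beside the dropped executable) produce no alert; the second and fourth do. In production the name list should be generated from the System32 directory of a reference image rather than typed by hand, and the heuristic should be paired with the process-creation event so the unsigned-DLL signal can be corroborated against the parent process.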
Weekly Detection Rule (YARA and Snort) Information – Week 2, November 2024
The following is the information on YARA and Snort rules (week 2, November 2024) collected and shared by the AhnLab TIP service.
3 YARA Rules
Detection name | Description | Source
MAL_Sophos_XG_Pygmy_Goat_AES_Key | Detects Pygmy Goat – a native x86-32 ELF shared object that was discovered on Sophos XG firewall devices, providing backdoor
Change of Recovery Disruption Techniques in Ransomware
Overview Ransomware attacks are still on the rise in 2024. Threat actors keep launching ransomware attacks because infected victims often pay the ransom to recover their data, which makes the attacks highly profitable. Threat actors maintain their anonymity by demanding ransom payments in cryptocurrency, making
Distribution of LummaC2 Infostealer Based on Legitimate Programs
LummaC2 is an infostealer that is actively distributed disguised as illegal software such as cracks, and its distribution and build methods change continuously. Recently it has been distributed by being inserted into legitimate programs, so caution is needed. Figure 1. Malware distribution page examples When LummaC2
Weekly Detection Rule (YARA and Snort) Information – Week 1, November 2024
The following is the information on YARA and Snort rules (week 1, November 2024) collected and shared by the AhnLab TIP service.
0 YARA Rules
12 Snort Rules
Detection name | Source
ET WEB_SPECIFIC_APPS PFsense Stored Cross-Site Scripting (CVE-2024-46538) | https://rules.emergingthreatspro.com/open/
ET ATTACK_RESPONSE Observed ClickFix Powershell Delivery Page (Portuguese) | https://rules.emergingthreatspro.com/open/
ET ATTACK_RESPONSE