Weekly Detection Rule (YARA and Snort) Information – Week 1, July 2024
The following is the information on Yara and Snort rules (week 1, July 2024) collected and shared by the AhnLab TIP service.
10 YARA Rules
Detection name | Description | Source
PK_BRI_sadapan | Detects a phishing kit impersonating Bank Rakyat Indonesia (bank) | https://github.com/t4d/PhishingKit-Yara-Rules
PK_GlobalSources_sogo | Detects a phishing kit impersonating GlobalSources (B2B media company)
Attack Cases Against HTTP File Server (HFS) (CVE-2024-23692)
HTTP File Server (HFS) is a program that provides a simple type of web service. Because it can provide web services with just an executable file without having to build a web server, it is often used for sharing files, allowing users to connect to the address through web browsers
Kimsuky Group’s New Backdoor (HappyDoor)
Table of Contents
Overview
Distribution Method and Changes
Distribution Method
Changes of HappyDoor
Detailed Analysis
Summary
Characteristics
Registry Data
Packet Data
Packet Structure and Server Operation Method
Features
Information Theft
Backdoor
Conclusion
This report is a summarized version of “Analysis Report of Kimsuky Group’s HappyDoor Malware” introduced in AhnLab Threat
Weekly Detection Rule (YARA and Snort) Information – Week 4, June 2024
The following is the information on Yara and Snort rules (week 4, June 2024) collected and shared by the AhnLab TIP service.
8 YARA Rules
Detection name | Description | Source
malware_cobaltstrike_workersdevloader | Detects a CobaltStrike loader | https://github.com/JPCERTCC/jpcert-yara
Kimsuky_downloader_vbs | Detects Kimsuky VBS file downloader Powershell | https://github.com/JPCERTCC/jpcert-yara
Kimsuky_PokDoc_ps1 | Detects Kimsuky device information collection Powershell
Xctdoor Malware Used in Attacks Against Korean Companies (Andariel)
AhnLab SEcurity intelligence Center (ASEC) recently discovered a case where an unidentified threat actor exploited a Korean ERP solution to carry out an attack. After infiltrating the system, the threat actor is believed to have attacked the update server of a specific Korean ERP solution to take control of systems
DBatLoader Distributed via CMD Files
AhnLab SEcurity intelligence Center (ASEC) has recently discovered malware being distributed through CMD files and identified it as a downloader called DBatLoader (ModiLoader) that had been distributed before via phishing emails in RAR file format containing an EXE file. The file contained “FF, FE” which means “UTF-16LE”, so when the
Phishing Emails Distributed to Singaporean Companies
Recent phishing email cases targeting Singaporean companies over the past month are as follows. The targeted companies include those in the manufacturing and media sectors. These phishing emails typically encourage recipients to execute attached malware files or click on URLs. This process can lead to the theft of user information,
New InnoSetup Malware Created Upon Each Download Attempt
AhnLab SEcurity intelligence Center (ASEC) has discovered the distribution of a new type of malware that is disguised as cracks and commercial tools. Unlike past malware which performed malicious behaviors immediately upon being executed, this malware displays an installer UI and malicious behaviors are executed upon clicking buttons during the
Weekly Detection Rule (YARA and Snort) Information – Week 3, June 2024
The following is the information on Yara and Snort rules (week 3, June 2024) collected and shared by the AhnLab TIP service.
10 YARA Rules
Detection name | Description | Source
PK_DBS_baglan | Detects a phishing kit impersonating DBS bank | https://github.com/t4d/PhishingKit-Yara-Rules
PK_NatWest_admin | Detects a phishing kit impersonating NatWest bank | https://github.com/t4d/PhishingKit-Yara-Rules
PK_Postbank_buff | Detects a
Analysis of CoinMiner Attacks Targeting Korean Web Servers
Since web servers are externally exposed to provide web services to all available users, they have long been major targets for threat actors. AhnLab SEcurity Intelligence Center (ASEC) is monitoring attacks against vulnerable web servers that have unpatched vulnerabilities or are being poorly managed, and is sharing the