Full Report
The following is the information on Yara and Snort rules (week 1, February 2025) collected and shared by the AhnLab TIP service.

14 YARA Rules

| Detection name | Description | Source |
|---|---|---|
| PK_Ameli_sunrise22 | Phishing Kit impersonating Ameli.fr/Carte vitale | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Aramex_panel | Phishing Kit impersonating Aramex | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Doctolib_js | Phishing Kit impersonating Doctolib | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Email_CN | Phishing Kit stealing email credentials from […] | |
Analysis Summary
This summary focuses on the malware families and vulnerabilities detailed within the provided context from Emerging Threats rules.
# Tool/Technique: Nosviak C2 Variant
## Overview
This refers to a variant of the Nosviak Remote Access Trojan (RAT) or malware family, detected via its Command and Control (C2) communication advertisements embedded within HTML elements, and also via detection of its characteristic SSH Server Banner.
## Technical Details
- Type: Malware family (Trojan/C2)
- Platform: Undetermined, but likely Windows (as it's often associated with Windows malware families)
- Capabilities: Establishing command and control communication channels.
- First Seen: Information not provided in the context.
## MITRE ATT&CK Mapping
*Due to the nature of C2 specific detection (advertised services/banners), the mapping primarily relates to C2 communication.*
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Implied by HTML advertisement)
## Functionality
### Core Capabilities
- C2 Communication: Establishing links with the control server.
- Service Advertisement: Broadcasting C2 presence or configuration details via standard web elements (HTML).
- SSH Banner Identification: Its C2 configuration is identifiable via its unique SSH server banner fingerprint.
### Advanced Features
- Specific detection methods point to unique methods of exposing C2 configuration or operational status (HTML elements and SSH banners).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Detection relies on traffic matching the observed advertisement method or banner string.
- Behavioral Indicators: Serving specific content in HTML or responding with a targeted SSH banner string.
## Associated Threat Actors
- Specific actors are not named in the provided context, but Nosviak variants are typically associated with various financially motivated or espionage groups.
## Detection Methods
- Signature-based detection: Emerging Threats rules designed to match the specific HTML advertisement patterns (`ET TROJAN Nosviak C2 Variant Advertised Services in HTML Elements`) or SSH banner strings (`ET TROJAN Nosviak C2 SSH Server Banner`).
- Behavioral detection: Analyzing outgoing/incoming traffic for C2 patterns associated with this family.
- YARA rules: N/A
## Mitigation Strategies
- Network filtering: Block outbound/inbound connections attempting to reach known C2 infrastructure for this family.
- Patching/Hardening: If the initial infection vector (which utilizes this C2) is known, ensure those systems are patched.
- Monitoring Web Services: Inspecting outgoing HTML content and SSH banners for anomalies.
## Related Tools/Techniques
- Cindy C2 (SSH Banner detection)
- Moonly C2 (SSH Banner detection)
- RCNC C2 (SSH Banner detection)
- Sentinel C2 (SSH Banner detection)
***
# Tool/Technique: Cindy C2 Variant
## Overview
This refers to a malware family variant, detected through its characteristic SSH Server Banner when it establishes a C2 connection.
## Technical Details
- Type: Malware family (Trojan/C2)
- Platform: Undetermined
- Capabilities: Establishing command and control communication.
- First Seen: Information not provided in the context.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.004 - Cryptographic Protocol (Implied if SSH is used for encrypted C2)
## Functionality
### Core Capabilities
- C2 Communication: Utilizing SSH for command and control.
### Advanced Features
- SSH Banner Fingerprinting: The C2 mechanism is identifiable by a unique banner response on port 22 or the port it uses for C2.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Detection relies on traffic matching the observed SSH banner string.
- Behavioral Indicators: Responding with the specific SSH banner string.
## Associated Threat Actors
- Information not provided in the context.
## Detection Methods
- Signature-based detection: Emerging Threats rule detecting the specific SSH banner (`ET TROJAN Cindy C2 SSH Server Banner`).
- Behavioral detection: Monitoring SSH connections exhibiting this specific banner string.
- YARA rules: N/A
## Mitigation Strategies
- Firewall rules: Restrict inbound SSH access only to trusted administrators/IPs.
- Disable unnecessary SSH services if applicable to the compromised host.
## Related Tools/Techniques
- Other C2s utilizing SSH banner detection (Nosviak, Moonly, RCNC, Sentinel).
***
*(Due to the density of C2 threats in the context, the remaining C2s (Moonly, RCNC, Sentinel) will be summarized concisely, focusing on the common detection vector: SSH Banner fingerprinting.)*
# Tool/Technique: Moonly C2 Variant
## Overview
Malware variant detected via its unique SSH Server Banner, indicative of an active Command and Control channel.
## Technical Details
- Type: Malware family (Trojan/C2)
- Platform: Undetermined
- Capabilities: Establishing command and control communication using SSH.
- First Seen: Information not provided in the context.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
## Indicators of Compromise
- Network Indicators: Detection relies on traffic matching the specific SSH banner string (`ET TROJAN Moonly C2 SSH Server Banner`).
## Detection Methods
- Signature-based detection: Rule matching the specific SSH banner.
## Mitigation Strategies
- Strict control over port 22/SSH access.
## Related Tools/Techniques
- Other C2s utilizing SSH banner detection.
***
# Tool/Technique: RCNC C2 Variant
## Overview
Malware variant detected via its unique SSH Server Banner, indicative of an active Command and Control channel.
## Technical Details
- Type: Malware family (Trojan/C2)
- Platform: Undetermined
- Capabilities: Establishing command and control communication using SSH.
- First Seen: Information not provided in the context.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
## Indicators of Compromise
- Network Indicators: Detection relies on traffic matching the specific SSH banner string (`ET TROJAN RCNC C2 SSH Server Banner`).
## Detection Methods
- Signature-based detection: Rule matching the specific SSH banner.
## Mitigation Strategies
- Strict control over port 22/SSH access.
## Related Tools/Techniques
- Other C2s utilizing SSH banner detection.
***
# Tool/Technique: Sentinel C2 Variant
## Overview
Malware variant detected via its unique SSH Server Banner, indicative of an active Command and Control channel.
## Technical Details
- Type: Malware family (Trojan/C2)
- Platform: Undetermined
- Capabilities: Establishing command and control communication using SSH.
- First Seen: Information not provided in the context.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
## Indicators of Compromise
- Network Indicators: Detection relies on traffic matching the specific SSH banner string (`ET TROJAN Sentinel C2 SSH Server Banner`).
## Detection Methods
- Signature-based detection: Rule matching the specific SSH banner.
## Mitigation Strategies
- Strict control over port 22/SSH access.
## Related Tools/Techniques
- Other C2s utilizing SSH banner detection.
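The five C2 entries above (Nosviak, Cindy, Moonly, RCNC, Sentinel) share one detection vector: the SSH server identification string. The following is an added example, not code from AhnLab, Emerging Threats or any of these rules, showing how a defender can parse that string per RFC 4253 and triage banners collected from their own address space into expected / unexpected / known-C2 buckets. The allowlist prefixes and the `PLACEHOLDER_C2_*` watchlist patterns are assumptions; the real banner strings the ET rules match on are not reproduced here and would be loaded from the rule source.

```python
"""Parse SSH server identification strings and classify them against a banner watchlist."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# RFC 4253 section 4.2 identification line: "SSH-protoversion-softwareversion SP comments".
# The regex is deliberately lenient about softwareversion characters so odd C2 banners still parse.
_IDENT_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Software-version prefixes expected on the monitored estate (assumption for this example).
ALLOWLIST_PREFIXES = ("OpenSSH_", "dropbear_")

# Constructed placeholders: the real banner strings the ET rules match are not reproduced
# here. Load the patterns from your rule source in place of these.
WATCHLIST = {
    "placeholder-c2-a": re.compile(r"^SSH-2\.0-PLACEHOLDER_C2_A\b"),
    "placeholder-c2-b": re.compile(r"^SSH-2\.0-PLACEHOLDER_C2_B\b"),
}


@dataclass(frozen=True)
class Banner:
    proto: str
    software: str
    comments: Optional[str]

    def text(self) -> str:
        tail = f" {self.comments}" if self.comments else ""
        return f"SSH-{self.proto}-{self.software}{tail}"


def parse_identification(stream: bytes) -> Optional[Banner]:
    """Return the server identification line from the first bytes a server sent.

    RFC 4253 allows a server to send other lines before the SSH- line (clients must
    ignore them) and caps the identification line at 255 bytes including CR LF.
    """
    for raw in stream.split(b"\n"):
        raw = raw.rstrip(b"\r")
        if not raw.startswith(b"SSH-"):
            continue
        if len(raw) + 2 > 255:
            return None
        try:
            line = raw.decode("ascii")
        except UnicodeDecodeError:
            return None
        m = _IDENT_RE.match(line)
        return Banner(m["proto"], m["software"], m["comments"]) if m else None
    return None


def classify(banner: Optional[Banner], watchlist=WATCHLIST) -> str:
    """Return 'malformed', 'known_c2:<name>', 'expected' or 'unexpected'."""
    if banner is None:
        return "malformed"
    for name, pattern in watchlist.items():
        if pattern.search(banner.text()):
            return f"known_c2:{name}"
    if banner.software.startswith(ALLOWLIST_PREFIXES):
        return "expected"
    return "unexpected"


def scan(samples: Iterable[tuple]) -> list:
    """Classify (host, first-bytes) pairs, e.g. from a banner inventory of your own estate."""
    return [(host, classify(parse_identification(data))) for host, data in samples]


# Constructed sample: first bytes returned on TCP/22 by four hosts.
SAMPLES = [
    ("10.0.0.5", b"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13\r\n"),
    ("10.0.0.9", b"welcome line before ident\r\nSSH-2.0-PLACEHOLDER_C2_A 1.0\r\n"),
    ("10.0.0.12", b"SSH-2.0-libssh_0.10.6\r\n"),
    ("10.0.0.20", b"HTTP/1.1 400 Bad Request\r\n\r\n"),
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLES):
        print(f"{host:<10} {verdict}")
```

"unexpected" is a triage bucket rather than a verdict: a libssh or other non-standard banner on a host that should run the distribution's OpenSSH is what warrants a closer look, and the "malformed" bucket catches services on port 22 that are not SSH at all.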
***
# Tool/Technique: CVE-2024-43468 (Microsoft Configuration Manager Unauthenticated SQL Injection)
## Overview
A vulnerability in Microsoft Configuration Manager allowing unauthenticated SQL Injection.
## Technical Details
- Type: Vulnerability (Exploitation Attempt)
- Platform: Microsoft Configuration Manager
- Capabilities: Remote execution of arbitrary SQL commands against the underlying database without authentication.
- First Seen: Associated with CVE-2024-43468.
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1078.004 - Cloud Accounts (If CM is managed as a service)
## Functionality
### Core Capabilities
- Injecting malicious SQL queries.
### Advanced Features
- Exploitation is unauthenticated, making it highly critical for remote compromise.
## Indicators of Compromise
- Network Indicators: HTTP/HTTPS traffic containing suspicious SQL keywords or syntax directed at Configuration Manager endpoints.
- Behavioral Indicators: Server-side processing of web requests resulting in database errors or unexpected activity.
## Associated Threat Actors
- Information not provided in the context.
## Detection Methods
- Signature-based detection: `ET WEB_SPECIFIC_APPS Microsoft Configuration Manager Unauthenticated SQL Injection (CVE-2024-43468)`.
## Mitigation Strategies
- Patching: Apply Microsoft security updates for CVE-2024-43468 immediately.
- Network Segmentation: Limit direct internet access to Configuration Manager interfaces.
## Related Tools/Techniques
- SQL Injection attacks in general.
***
# Tool/Technique: CVE-2024-54887 (TP-Link TL-WR940N RCE)
## Overview
A vulnerability in certain hardware versions (v3/v4) of the TP-Link TL-WR940N router allowing Authenticated Remote Code Execution.
## Technical Details
- Type: Vulnerability (Exploitation Attempt)
- Platform: TP-Link TL-WR940N Hardware v3/v4 (Networking Device/Firmware)
- Capabilities: Executing arbitrary commands on the router after successful authentication.
- First Seen: Associated with CVE-2024-54887.
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1204.002 - User Execution: Malicious File (If associated files are uploaded)
## Functionality
### Core Capabilities
- Arbitrary command execution following successful login.
## Indicators of Compromise
- Network Indicators: Traffic directed at the router interface attempting to leverage the specific endpoint leading to RCE.
## Detection Methods
- Signature-based detection: `ET WEB_SPECIFIC_APPS TP-Link TL-WR940N Hardware v3/v4 Authenticated Remote Code Execution (CVE-2024-54887)`.
## Mitigation Strategies
- Firmware Update: Update the router firmware to the version that patches CVE-2024-54887.
- Credential Management: Ensure default or weak credentials are not used.
## Related Tools/Techniques
- Exploits targeting embedded device firmware.
***
# Tool/Technique: CVE-2019-11001 (Reolink IP Camera TestEmail Command Injection)
## Overview
A vulnerability in Reolink RLC Series IP Cameras where the `TestEmail` function allows authenticated command injection.
## Technical Details
- Type: Vulnerability (Exploitation Attempt)
- Platform: Reolink RLC Series IP Cameras
- Capabilities: Injecting and executing commands on the camera firmware with user privileges after authentication.
- First Seen: Associated with CVE-2019-11001.
## MITRE ATT&CK Mapping
- T1204.002 - User Execution: Malicious File (If credentials are stolen) or T1190 - Exploit Public-Facing Application.
## Detection Methods
- Signature-based detection: `ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera TestEmail Authenticated Command Injection Attempt (CVE-2019-11001)`.
## Mitigation Strategies
- Patching/firmware updates for the affected Reolink models.
***
# Tool/Technique: CVE-2024-50379 (Apache Tomcat TOCTOU Race Condition)
## Overview
A Time-of-check Time-of-use (TOCTOU) race condition vulnerability during JSP compilation in Apache Tomcat, potentially allowing limited unauthorized file access or manipulation during the compilation step.
## Technical Details
- Type: Vulnerability (Exploitation Attempt)
- Platform: Apache Tomcat
- Capabilities: Exploiting a timing window during JSP compilation.
- First Seen: Associated with CVE-2024-50379.
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1498.008 - Resource Exhaustion: Denial of Service (Potential impact)
## Detection Methods
- Signature-based detection: `ET WEB_SPECIFIC_APPS Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition during JSP Compilation (CVE-2024-50379)`.
## Mitigation Strategies
- Update Apache Tomcat to a fixed version.
***
# Tool/Technique: CVE-2024-46982 (Next.js Caching Bypass)
## Overview
A vulnerability in Next.js related to caching mechanisms where manipulation of the `x-now-route-matches` HTTP header can force incorrect caching behavior, leading to server response discrepancies.
## Technical Details
- Type: Vulnerability (Exploitation Attempt)
- Platform: Next.js applications
- Capabilities: Forcing cached or incorrect server responses.
- First Seen: Associated with CVE-2024-46982.
## MITRE ATT&CK Mapping
- T1189 - Drive-by Compromise (If used to serve malicious content via manipulated caching)
- T1071.001 - Web Protocols
## Detection Methods
- Signature-based detection: Rules covering header manipulation (`ET WEB_SPECIFIC_APPS Next.js Forced Caching via x-now-route-matches HTTP Header (CVE-2024-46982)` and server response checks).
## Mitigation Strategies
- Update Next.js versions.
***
# Tool/Technique: CVE-2021-4041x Series (Reolink Command Injection)
## Overview
Multiple command injection vulnerabilities (CVE-2021-40410, CVE-2021-40411, CVE-2021-40412) in Reolink RLC series cameras related to functions like `SetLocalLink`, `SetDevName`, allowing authenticated command execution.
## Technical Details
- Type: Vulnerability (Exploitation Attempt)
- Platform: Reolink RLC Series IP Cameras
- Capabilities: Authenticated command execution via specific API calls.
## Detection Methods
- Signature-based detection: Rules targeting attempts to use these specific calls to inject commands.
## Mitigation Strategies
- Apply Reolink firmware patches addressing these CVEs.
***
# Tool/Technique: CVE-2024-51378 (CyberPanel Command Injection)
## Overview
Command injection vulnerability in the `statusfile` parameter within the CyberPanel's `getresetstatus` function.
## Technical Details
- Type: Vulnerability (Exploitation Attempt)
- Platform: CyberPanel (Web Hosting Control Panel)
- Capabilities: Remote command execution.
## Detection Methods
- Signature-based detection: `ET WEB_SPECIFIC_APPS CyberPanel getresetstatus statusfile Parameter Command Injection Attempt (CVE-2024-51378)`.
## Mitigation Strategies
- Update CyberPanel installation.
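The Configuration Manager SQL injection, Next.js `x-now-route-matches` and CyberPanel `statusfile` entries above all describe request-level indicators. As an added example (not code from AhnLab, Emerging Threats, or any of the vendors), here is a small detector that evaluates reverse-proxy request records against those three indicator classes. The JSON-lines record shape, the sample records, the `/admin/status` path and the SQL-injection heuristics are constructed assumptions; only the header name and the `statusfile` parameter name come from the rule titles on this page.

```python
"""Score reverse-proxy request records against the web-application indicators above."""
import json
import re
from urllib.parse import parse_qs, unquote_plus

# Heuristics for SQL injected into a URL or body, evaluated on the decoded request.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+['\d]+\s*=\s*['\d]+", re.I)),
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("stacked_query", re.compile(r";\s*(drop|exec|xp_|waitfor|shutdown)\b", re.I)),
    ("comment_terminator", re.compile(r"(--|/\*)\s*$")),
]
# Parameters that should only ever carry a filename; the name comes from the CyberPanel rule title.
FILE_PARAMS = ("statusfile",)
# Shell metacharacters that have no place in a filename value.
SHELL_META = re.compile(r"[;&|`]|\$\(")
# Header named in the Next.js rule; it is meant to be set by the hosting layer, never by a client.
INTERNAL_HEADERS = ("x-now-route-matches",)


def decode(value: str) -> str:
    """URL-decode up to three times so double-encoded payloads are judged in clear text."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(req: dict) -> list:
    """Return the list of indicator names that fire on one request record."""
    findings = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    for h in INTERNAL_HEADERS:
        if h in headers:
            findings.append(f"client_supplied_{h}")
    surface = " ".join(decode(req.get(k, "")) for k in ("path", "query", "body"))
    for name, pattern in SQLI_PATTERNS:
        if pattern.search(surface):
            findings.append(f"sqli:{name}")
    params = parse_qs(req.get("query", ""), keep_blank_values=True)
    for name in FILE_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(decode(value)):
                findings.append(f"cmdinj:{name}")
    return findings


def scan_log(text: str) -> list:
    """Evaluate each JSON-lines record; returns (source address, findings) per record."""
    return [(rec["src"], inspect(rec)) for rec in map(json.loads, text.strip().splitlines())]


# Constructed JSON-lines records in the shape a reverse proxy might emit (not a real product format).
SAMPLE_LOG = """
{"ts": "2025-02-03T10:00:00Z", "src": "203.0.113.7", "method": "GET", "path": "/api/items", "query": "id=5", "headers": {"host": "app.example.test"}}
{"ts": "2025-02-03T10:00:01Z", "src": "203.0.113.8", "method": "GET", "path": "/api/items", "query": "id=5%27%20OR%201%3D1--", "headers": {"host": "app.example.test"}}
{"ts": "2025-02-03T10:00:02Z", "src": "203.0.113.9", "method": "GET", "path": "/", "query": "", "headers": {"host": "app.example.test", "X-Now-Route-Matches": "1"}}
{"ts": "2025-02-03T10:00:03Z", "src": "203.0.113.10", "method": "GET", "path": "/admin/status", "query": "statusfile=%2Ftmp%2Fx%3Bid", "headers": {"host": "app.example.test"}}
""".strip()

if __name__ == "__main__":
    for src, findings in scan_log(SAMPLE_LOG):
        print(f"{src:<14} {findings or '-'}")
```

The header check is deliberately unconditional: a framework-internal header arriving from the client side is suspicious on its own, regardless of value, so the fix at the edge is to strip it rather than to pattern-match its contents.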
***
# Tool/Technique: CVE-2024-11680 (ProjectSend Authentication Bypass/RCE)
## Overview
A critical vulnerability in ProjectSend allowing authentication bypass and potential Remote Code Execution via multiple mechanisms (title defacement, account creation, PHP file upload).
## Technical Details
- Type: Vulnerability (Exploitation Attempt)
- Platform: ProjectSend application
- Capabilities: Bypassing login, creating accounts, and uploading shell files (`M3 – PHP File Upload Attempt`).
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1550.001 - Bypass Authentication: Credentials
## Detection Methods
- Signature-based detection: Multiple rules cover the three distinct stages detected (`M1`, `M2`, `M3`) of exploitation.
## Mitigation Strategies
- Immediately patch or update ProjectSend. Restrict access to admin functions.
***
# Tool/Technique: CVE-2024-53691 (QNAP QTS/QuTS File Operations)
## Overview
A vulnerability in QNAP QTS/QuTS allowing malicious file operations (Upload, Unpack, Decrypt) potentially leading to remote code execution or unauthorized data access/modification.
## Technical Details
- Type: Vulnerability (Exploitation Attempt)
- Platform: QNAP QTS/QuTS Operating System
- Capabilities: Unauthorized file manipulation on the NAS device.
## Detection Methods
- Signature-based detection: Rules specifically targeting requests attempting `File Upload`, `Unpack File`, or `Decrypt File` operations related to this vulnerability.
## Mitigation Strategies
- Apply QNAP security updates for QTS/QuTS.
***
# Tool/Technique: CVE-2024-52012 (Apache Solr Path Traversal)
## Overview
A relative path traversal vulnerability impacting the ConfigSet API in Apache Solr (versions v1 and v2) during file uploads, allowing attackers to write configuration files outside the intended upload directory.
## Technical Details
- Type: Vulnerability (Exploitation Attempt)
- Platform: Apache Solr
- Capabilities: Arbitrary file write via path traversal during ConfigSet upload.
## MITRE ATT&CK Mapping
- T1204.002 - User Execution: Malicious File (If used to deploy web shells)
## Detection Methods
- Signature-based detection: Rules matching path traversal sequences (`../`) within ConfigSet API uploads.
## Mitigation Strategies
- Update Apache Solr to a mitigated version.
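The root cause described above is an archive member name that resolves outside the upload directory. As an added example (not Solr's code, nor a rule from this report), the following shows the server-side validation a defender would want in any configset-style upload handler, with a constructed zip exercising the usual escape forms. The `UPLOAD_ROOT` path and the archive contents are assumptions.

```python
"""Reject archive members that would land outside the configset upload directory."""
import io
import posixpath
import zipfile
from typing import Optional

# Assumed destination for uploaded configsets; not Solr's actual layout.
UPLOAD_ROOT = "/var/solr/configsets/upload"


def member_destination(member: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Return the absolute path a member would be written to, or None if it escapes root.

    The check normalises the joined path and compares it to the root, so '../' runs,
    absolute names, and backslash separators (which some Windows zip tools emit) are all
    rejected, while '..' that stays inside the root is allowed.
    """
    if not member or "\x00" in member:
        return None
    member = member.replace("\\", "/")  # treat backslashes as separators, not filename bytes
    if member.startswith("/"):
        return None
    root = posixpath.normpath(root)
    dest = posixpath.normpath(posixpath.join(root, member))
    if dest != root and not dest.startswith(root + "/"):
        return None
    return dest


def audit_archive(data: bytes, root: str = UPLOAD_ROOT) -> dict:
    """Map every member name in a zip to its destination, or None when it must be rejected."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: member_destination(info.filename, root) for info in zf.infolist()}


def build_sample_archive() -> bytes:
    """Constructed archive: two legitimate members and three that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("conf/solrconfig.xml", "<config/>")
        zf.writestr("conf/sub/../managed-schema", "<schema/>")  # resolves inside root: fine
        zf.writestr("../../outside.xml", "")                    # classic traversal
        zf.writestr("/abs/path.xml", "")                        # absolute name
        zf.writestr("conf\\..\\..\\escape.xml", "")             # backslash-hidden traversal
    return buf.getvalue()


if __name__ == "__main__":
    for name, dest in audit_archive(build_sample_archive()).items():
        print(f"{'OK    ' if dest else 'REJECT'} {name!r} -> {dest}")
```

Checking the normalised *joined* path, rather than scanning the raw name for `../`, is what makes the rule complete: a bare substring check misses backslash and absolute forms, and rejects harmless `..` that never leaves the root. A signature such as the ET rule above is a useful tripwire, but this containment check is the control that actually prevents the write.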
***
# Tool/Technique: CVE-2024-41710 (Mitel 6800 Command Injection)
## Overview
Command injection vulnerability within the 802.1x support functionality of Mitel 6800 series VoIP phones.
## Technical Details
- Type: Vulnerability (Exploitation Attempt)
- Platform: Mitel 6800 VoIP Phones (802.1x configurations)
- Capabilities: Remote command execution on the phone device.
## Detection Methods
- Signature-based detection: Rule targeting the specific injection attempt within the 802.1x configuration handling.
## Mitigation Strategies
- Update Mitel firmware. Isolate VoIP management networks.
***
# Tool/Technique: CVE-2024-53704 (SonicOS SSLVPN Authentication Bypass)
## Overview
A vulnerability in SonicOS SSLVPN allowing an attacker to bypass standard authentication mechanisms.
## Technical Details
- Type: Vulnerability (Exploitation Attempt)
- Platform: SonicWall devices running SonicOS with SSLVPN enabled.
- Capabilities: Unauthenticated access to VPN resources or internal network segments.
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1078.003 - Remote Access Software (SSLVPN context)
## Detection Methods
- Signature-based detection: Identifying traffic patterns associated with the bypass attempt on the SSLVPN endpoint.
## Mitigation Strategies
- Apply SonicWall patches for SonicOS immediately. Disable SSLVPN if not strictly necessary.
***
# Tool/Technique: CVE-2023-48365 (Qlik Sense HTTP Request Tunneling)
## Overview
A vulnerability in Qlik Sense Enterprise related to HTTP Request Tunneling which could allow for information disclosure or remote manipulation.
## Technical Details
- Type: Vulnerability (Exploitation Attempt)
- Platform: Qlik Sense Enterprise
- Capabilities: Tunneling arbitrary requests through the application interface.
## Detection Methods
- Signature-based detection: Rule detecting specific HTTP headers or traffic patterns indicative of tunneling attempts against Qlik Sense.
## Mitigation Strategies
- Update Qlik Sense Enterprise installations.
***
# Malware Family: Koi Loader/Stealer
## Overview
A type of loader/stealer malware detected communicating with its Command and Control (C2) infrastructure, specifically noted for beaconing or configuration download attempts.
## Technical Details
- Type: Malware Family (Loader/Stealer)
- Platform: Likely Windows (Common for loaders/stealers)
- Capabilities: Initial access, payload delivery, information theft (stealing credentials/data).
- First Seen: Contextually recent relative to the rule development.
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- TA0002 - Execution
- TA0010 - Exfiltration
## Functionality
### Core Capabilities
- C2 Checkin: Establishing communication via GET requests (`ET TROJAN Win32/Koi Stealer CnC Checkin (GET)`).
- Payload Delivery: Receiving secondary stages or configuration data (`ET ATTACK_RESPONSE Koi Loader/Stealer Payload Inbound`).
### Advanced Features
- Information stealing capabilities implied by the "Stealer" designation.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Network Indicators: Traffic matches patterns for initial checkins or configuration retrieval from Koi C2 infrastructure.
- Behavioral Indicators: Executable behavior associated with loading subsequent malware.
## Associated Threat Actors
- Information not provided in the context.
## Detection Methods
- Signature-based detection: Rules specifically matching C2 traffic patterns for Koi (`Win32/Koi Stealer CnC Checkin (GET)`, `Payload Inbound`).
## Mitigation Strategies
- Endpoint protection solutions capable of detecting known malware payloads associated with Koi loaders.
- Network level blocking of known C2 domains/IPs once identified.
## Related Tools/Techniques
- Other malware loaders/downloaders.
***
# Malware Family: CoinMiner (Italian variant)
## Overview
Cryptocurrency mining malware variant specifically flagged for exfiltrating configuration data over IRC (Internet Relay Chat) and noted as targeting Italian language environments.
## Technical Details
- Type: Malware Family (CoinMiner/Cryptominer)
- Platform: Likely Windows
- Capabilities: Utilizing victim CPU/GPU resources for cryptocurrency mining.
- First Seen: Information not provided in the context.
## MITRE ATT&CK Mapping
- TA0004 - Privilege Escalation
- TA0008 - Lateral Movement (Potential, often seen with miners)
- TA0010 - Exfiltration (Config data via IRC)
## Functionality
### Core Capabilities
- Resource abuse for mining operations.
- Configuration exfiltration using IRC protocol.
## Indicators of Compromise
- Network Indicators: Outbound traffic on IRC ports (typically TCP 6667) communicating configuration data.
## Detection Methods
- Signature-based detection: `ET TROJAN CoinMiner Exfiltration via IRC Config Inbound (Italian)`.
## Mitigation Strategies
- Application whitelisting to prevent unauthorized executables from running.
- Monitoring unusual outbound IRC traffic.
## Related Tools/Techniques
- Other cryptocurrency mining malware.
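The Koi Loader/Stealer entry flags timed C2 check-ins and the CoinMiner entry calls for watching outbound IRC on TCP 6667. As an added example (not code from AhnLab or Emerging Threats), the following runs both checks over constructed flow records: a port-based IRC test and a beaconing test that looks for the same request repeated at near-constant intervals. The CSV flow format, the sample hosts, the inclusion of TCP 6697 (IRC over TLS), and the 5-hit / 10% variation thresholds are all assumptions for this example.

```python
"""Flag outbound IRC and periodic HTTP check-ins in constructed flow records."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# TCP 6667 is the plaintext IRC port named in the CoinMiner section; 6697 (IRC over TLS) is an
# assumption added here. Workstations are not expected to speak IRC at all (assumption).
IRC_PORTS = {6667, 6697}
IRC_ALLOWLIST = set()  # hosts with a legitimate reason to reach IRC, if any


def parse_flows(text: str) -> list:
    """Parse 'ts,src,dst,dport,proto,request' CSV lines (constructed format, not a product's)."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, request = line.split(",", 5)
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "dst": dst, "dport": int(dport), "proto": proto, "request": request,
        })
    return flows


def outbound_irc(flows: list) -> list:
    """Return (src, dst, dport) for connections to IRC ports from non-allowlisted hosts."""
    return [(f["src"], f["dst"], f["dport"]) for f in flows
            if f["proto"] == "tcp" and f["dport"] in IRC_PORTS and f["src"] not in IRC_ALLOWLIST]


def beacons(flows: list, min_hits: int = 5, max_cv: float = 0.1) -> list:
    """Find (src, dst, request) triples repeated at near-constant intervals.

    Check-in traffic tends to repeat on a timer; human browsing does not. The test is the
    coefficient of variation of the inter-arrival gaps: small means regular.
    """
    groups = defaultdict(list)
    for f in flows:
        if f["request"]:
            groups[(f["src"], f["dst"], f["request"])].append(f["ts"])
    found = []
    for (src, dst, request), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append({"src": src, "dst": dst, "request": request,
                          "period_s": round(avg), "hits": len(times)})
    return found


# Constructed sample: a host checking in every minute, a host browsing irregularly,
# a host opening an IRC connection, and an ordinary HTTPS flow.
SAMPLE_FLOWS = """
2025-02-03T10:00:00Z,10.0.0.5,198.51.100.10,80,tcp,GET /check
2025-02-03T10:00:00Z,10.0.0.6,198.51.100.20,80,tcp,GET /news
2025-02-03T10:00:05Z,10.0.0.6,198.51.100.20,80,tcp,GET /news
2025-02-03T10:00:47Z,10.0.0.6,198.51.100.20,80,tcp,GET /news
2025-02-03T10:01:00Z,10.0.0.5,198.51.100.10,80,tcp,GET /check
2025-02-03T10:01:59Z,10.0.0.5,198.51.100.10,80,tcp,GET /check
2025-02-03T10:02:10Z,10.0.0.7,198.51.100.30,6667,tcp,
2025-02-03T10:02:30Z,10.0.0.7,198.51.100.40,443,tcp,
2025-02-03T10:03:00Z,10.0.0.5,198.51.100.10,80,tcp,GET /check
2025-02-03T10:04:00Z,10.0.0.5,198.51.100.10,80,tcp,GET /check
2025-02-03T10:05:00Z,10.0.0.5,198.51.100.10,80,tcp,GET /check
2025-02-03T10:05:00Z,10.0.0.6,198.51.100.20,80,tcp,GET /news
2025-02-03T10:05:01Z,10.0.0.6,198.51.100.20,80,tcp,GET /news
""".strip()

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("outbound IRC:", outbound_irc(flows))
    print("beacons:", beacons(flows))
```

The port test is cheap but blind to IRC on non-standard ports, and the interval test will also catch legitimate pollers (update checks, monitoring agents), so both are best treated as leads to enrich with the signature hits from the rules above rather than as stand-alone alerts.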