Full Report
The following is the information on YARA and Snort rules (week 1, January 2025) collected and shared by the AhnLab TIP service.

- YARA rules: 0
- Snort rules: 5

Detection name and source:

- ET TROJAN Observed ClickFix Powershell Delivery Page Inbound (source: https://rules.emergingthreatspro.com/open/)
- ET TROJAN Win32/Unk.Coinminer Checkin (source: https://rules.emergingthreatspro.com/open/)
- ET TROJAN W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Coinbasetxn Begin Mining Response […]
Analysis Summary
This document summarizes the detection rule information released by AhnLab TIP for the first week of January 2025, focusing on newly published Snort rules relating to observed malware activities.
# Tool/Technique: ClickFix Powershell Delivery Page Inbound
## Overview
Detection for potentially malicious PowerShell delivery pages associated with the ClickFix Trojan.
## Technical Details
- Type: Technique/Malware Delivery
- Platform: Windows (Implied by "Powershell")
- Capabilities: Detecting network traffic related to the communication channel used by the ClickFix delivery mechanism.
- First Seen: Week 1, January 2025 (Detection release date)
## MITRE ATT&CK Mapping
This summary infers the likely mapping based on the description ("Delivery Page Inbound"):
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
## Functionality
### Core Capabilities
- Detecting inbound network connections or HTTP communications characteristic of a page used to deliver the ClickFix payload via PowerShell.
### Advanced Features
- Specific detection logic is tied to the behavior of the ClickFix delivery infrastructure.
## Indicators of Compromise
- File Hashes: N/A (Network Rule)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Related to the delivery server hosting the PowerShell script.
- Behavioral Indicators: Outbound connection initiating contact with the delivery mechanism.
## Associated Threat Actors
- ClickFix Trojan (specific actor not detailed in the high-level summary).
## Detection Methods
- Signature-based detection: Based on the Snort rule provided by Emerging Threats.
- Behavioral detection: Network traffic analysis.
- YARA rules: N/A (Snort rule focus)
## Mitigation Strategies
- Network filtering/blocking of traffic to known delivery infrastructure.
- Application control to restrict unauthorized PowerShell execution from network sources.
## Related Tools/Techniques
- PowerShell execution techniques.
---
# Tool/Technique: Win32/Unk.Coinminer Checkin
## Overview
Detection for network activity related to unknown Win32 coinminer malware checking in, likely to a Command and Control (C2) server.
## Technical Details
- Type: Malware Family (Coinminer)
- Platform: Windows (Win32)
- Capabilities: Identifying C2 communication ("Checkin") used by an unidentified variant of a coin-mining malware.
- First Seen: Week 1, January 2025 (Detection release date)
## MITRE ATT&CK Mapping
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Implied C2 traffic)
## Functionality
### Core Capabilities
- Identifying network beaconing or initial contact traffic from an infected host to the coinminer's C2 server.
### Advanced Features
- Traffic is specifically associated with cryptocurrency mining operations (implied by "Coinminer").
## Indicators of Compromise
- File Hashes: N/A (Network Rule)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: C2 servers or domains involved in the coinminer check-in process.
- Behavioral Indicators: Outbound connection pattern resembling malware beaconing.
## Associated Threat Actors
- Threat actors deploying unidentified Windows-based crypto-miners.
## Detection Methods
- Signature-based detection: Snort rule targeting the specific communication pattern.
- Behavioral detection: Network monitoring for unusual outbound connections matching the signature.
- YARA rules: N/A
## Mitigation Strategies
- Blocking outbound connections to known C2 infrastructure.
- Monitoring for processes consuming excessive CPU/GPU resources indicative of mining activity.
## Related Tools/Techniques
- Other known coin-mining malware variants.
---
# Tool/Technique: BitCoinMiner.MultiThreat C2 Communication (Getblocktemplate and Stratum)
## Overview
Detection rules targeting specific protocols used by a multi-threat BitCoinMiner variant for establishing communication and receiving mining instructions from its C2 server.
## Technical Details
- Type: Malware Family (Coinminer)
- Platform: Unknown (Network protocols are cross-platform)
- Capabilities: Monitoring for distinct protocol responses/commands used in cryptocurrency mining networks: `Getblocktemplate` protocol server response, and `Mining.Notify` initial connection server response using the Stratum protocol.
- First Seen: Week 1, January 2025 (Detection release date)
## MITRE ATT&CK Mapping
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (If Stratum runs over TCP/HTTP)
- T1567 - Exfiltration Over Web Service (Indirectly related, as mining operations often communicate over these ports)
## Functionality
### Core Capabilities
- **Protocol Identification:** Detecting the server response to the miner's attempt to initiate mining via `Getblocktemplate`.
- **C2 Handshake Confirmation:** Detecting the server’s initial response (`Mining.Notify`) during the Stratum protocol handshake, confirming the malware is engaging with a recognized mining pool/proxy.
### Advanced Features
- Utilizes deep packet inspection to identify cryptocurrency mining communication protocols (Bitcoin getblocktemplate/Stratum).
## Indicators of Compromise
- File Hashes: N/A (Network Rule)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Specific C2 servers or mining pools communicating via these protocols.
- Behavioral Indicators: Presence of `Getblocktemplate` or `Mining.Notify` messages in network streams targeted by the rule.
## Associated Threat Actors
- Threat actors deploying multi-faceted Bitcoin miners that leverage standard mining protocols.
## Detection Methods
- Signature-based detection: Snort rules specifically matching the protocol content/responses.
- Behavioral detection: Monitoring for outbound traffic utilizing ports commonly associated with mining pools (e.g., 3333, 4444, 8888).
- YARA rules: N/A
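To make the two detection points above concrete (the `Getblocktemplate` server response and the Stratum `mining.notify` message under Core Capabilities, and the port heuristic under Detection Methods), here is an added example of a small payload classifier; it is not code from AhnLab or Emerging Threats, and the sample payloads and the function names are constructed for illustration.

```python
"""Flag mining-protocol messages in captured TCP payloads.

Added example (not AhnLab or Emerging Threats code): matches the two server
messages the rules above target, a Stratum `mining.notify` notification and a
`getblocktemplate` JSON-RPC response carrying a coinbase transaction, and
applies the page's port heuristic (3333, 4444, 8888). Samples are constructed.
"""
import json
from typing import Optional

MINING_POOL_PORTS = {3333, 4444, 8888}  # ports the page lists as common for mining pools


def classify_payload(payload: str) -> Optional[str]:
    """Return 'stratum_notify', 'getblocktemplate' or None for one payload."""
    try:
        msg = json.loads(payload)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict):
        return None
    # Stratum pool -> miner job notification: {"id": null, "method": "mining.notify", "params": [...]}
    if msg.get("method") == "mining.notify" and isinstance(msg.get("params"), list):
        return "stratum_notify"
    # getblocktemplate response: a JSON-RPC "result" holding a block template
    result = msg.get("result")
    if isinstance(result, dict) and "previousblockhash" in result and (
            "coinbasetxn" in result or "coinbasevalue" in result):
        return "getblocktemplate"
    return None


def score_flow(dst_port: int, payloads: list) -> dict:
    """Combine payload matches with the port heuristic for one TCP flow."""
    protocols = sorted({p for p in map(classify_payload, payloads) if p})
    return {
        "suspicious_port": dst_port in MINING_POOL_PORTS,
        "protocols": protocols,
        "alert": bool(protocols),  # content match is the signature; the port only adds confidence
    }


# Constructed sample flows: a Stratum session, a getblocktemplate reply, a benign JSON API reply.
SAMPLE_FLOWS = [
    (3333, ['{"id": null, "method": "mining.notify", "params": ["job1", "00", "01", "ff", [], "20000000", "1d00ffff", "6780a5c0", true]}']),
    (8332, ['{"result": {"previousblockhash": "0000000000000000000a", "coinbasetxn": {"data": "01"}, "transactions": []}, "error": null, "id": 1}']),
    (443, ['{"result": {"status": "ok", "items": []}, "id": 7}']),
]

if __name__ == "__main__":
    for port, payloads in SAMPLE_FLOWS:
        print(port, score_flow(port, payloads))
```

A port match alone never raises an alert here; it only annotates a flow, which mirrors the page's point that the signature is the protocol content and the ports are a supporting heuristic.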
## Mitigation Strategies
- Network segmentation and firewall policies restricting outbound connections to known cryptocurrency mining pool IPs/ports unless explicitly required.
- Deploying specialized network IDS/IPS to inspect traffic for known mining protocols.
## Related Tools/Techniques
- Other cryptocurrency mining malware families.
---
# Tool/Technique: PrimeCoinMiner.Protominer
## Overview
Detection for activity associated with a malware identified as `PrimeCoinMiner.Protominer`.
## Technical Details
- Type: Malware Family (Coinminer)
- Platform: Unknown
- Capabilities: Signature detection for the specific network characteristics or file structure associated with this Protominer variant targeting PrimeCoin or similar algorithms.
- First Seen: Week 1, January 2025 (Detection release date)
## MITRE ATT&CK Mapping
- T1595.002 - Search Engine Active Scanning (If used for initial compromise)
- T1219 - Remote Access Software (If bundled with remote tools)
*(Note: Mapping is generic as the specific technique used by this miner is not detailed.)*
## Functionality
### Core Capabilities
- Signature matching against artifacts or network activity related to the Protominer.
### Advanced Features
- Specific identification of the PrimeCoin mining payload or infrastructure.
## Indicators of Compromise
- File Hashes: N/A (Network Rule)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: C2 or pool communication identifiers related to Protominer.
- Behavioral Indicators: Mining process establishment.
## Associated Threat Actors
- Threat actors utilizing the PrimeCoinMiner.Protominer toolset.
## Detection Methods
- Signature-based detection via Emerging Threats Snort rule.
- Network flow analysis.
- YARA rules: N/A
## Mitigation Strategies
- Standard patch management and endpoint security deployment.
- Restricting unknown binaries from executing privileged commands.
## Related Tools/Techniques
- Other generic cryptocurrency mining malware.