Full Report
The following is the information on YARA and Snort rules (week 1, March 2025) collected and shared by the AhnLab TIP service.

1 YARA rule

| Detection name | Description | Source |
| --- | --- | --- |
| sig_27244_metasploit_hta_stager | file UsySLX1n.hta | https://github.com/The-DFIR-Report/Yara-Rules |

23 Snort rules

| Detection name | Source |
| --- | --- |
| ET WEB_SPECIFIC_APPS Paessler PRTG Notification Command Injection Attempt (CVE-2018-9276) | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT Exim SQLite (DBM) Injection […] | |
Analysis Summary
This summary focuses on the tools, malware, and specific threats detected by the YARA and Snort rules shared by AhnLab TIP in the first week of March 2025.
# Tool/Technique: Metasploit HTA Stager
## Overview
A detection signature points to the presence of an HTML Application (HTA) file being used as a stager, commonly associated with the Metasploit Framework.
## Technical Details
- Type: Tool/Delivery Mechanism (Stager)
- Platform: Windows (HTA execution)
- Capabilities: Initial delivery and execution of subsequent payloads.
- First Seen: March 2025 (Based on rule compilation period)
## MITRE ATT&CK Mapping
* T1204 - User Execution
  * T1204.002 - Malicious File
## Functionality
### Core Capabilities
- Serving as an initial access payload via an HTML Application file structure.
- Likely retrieves and executes a secondary stage payload (e.g., shellcode or reflective DLL).
### Advanced Features
- Uses built-in Windows capabilities (HTA execution via mshta.exe) to bypass some rudimentary application control mechanisms.
## Indicators of Compromise
- File Hashes: N/A (Only rule name provided)
- File Names: `UsySLX1n.hta` (from the rule description "file UsySLX1n.hta")
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Execution of `.hta` files from unexpected locations.
## Associated Threat Actors
- Metasploit users (General penetration testers or threat actors using the framework).
## Detection Methods
- Signature-based detection: YARA rule `sig_27244_metasploit_hta_stager`.
- Behavioral detection: Monitoring the execution chain initiated by HTA files.
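The behavioral detection described above, as an added example that is not part of the original report: it runs over constructed, Sysmon-like process-creation records and flags `mshta.exe` launching an `.hta` file from outside the expected install roots, and `mshta.exe` spawning a scripting child. The expected roots and the list of suspicious child processes are assumptions, not values from the report.

```python
"""Flag the HTA execution chain on constructed process-creation events."""
import re
from pathlib import PureWindowsPath

# Roots from which legitimately deployed HTAs are expected to run (assumption).
EXPECTED_HTA_ROOTS = ("c:\\program files", "c:\\windows")
# Children that indicate the stager handed off to a second stage (assumption).
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Quoted or bare path ending in .hta inside a command line.
HTA_RE = re.compile(r'"([^"]+\.hta)"|(\S+\.hta)', re.IGNORECASE)

# Constructed, Sysmon-like records: pid, parent pid, image path, command line.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": 'mshta.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\UsySLX1n.hta"'},
    {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -File stage2.ps1"},
    {"pid": 400, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": 'mshta.exe "C:\\Program Files\\Vendor\\dashboard.hta"'},
]

def hta_path(cmdline):
    """Return the .hta path referenced by a command line, or None."""
    m = HTA_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def image_name(event):
    return PureWindowsPath(event["image"]).name.lower()

def find_hta_chains(events):
    """Return (pid, reason) findings for unexpected HTA locations and mshta child spawns."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e)
        if name == "mshta.exe":
            hta = hta_path(e["cmdline"])
            if hta and not hta.lower().startswith(EXPECTED_HTA_ROOTS):
                findings.append((e["pid"], f"mshta.exe ran HTA from unexpected location: {hta}"))
        parent = by_pid.get(e["ppid"])
        if parent and image_name(parent) == "mshta.exe" and name in SUSPICIOUS_CHILDREN:
            findings.append((e["pid"], f"mshta.exe (pid {parent['pid']}) spawned {name}"))
    return findings

if __name__ == "__main__":
    for pid, reason in find_hta_chains(SAMPLE_EVENTS):
        print(pid, reason)
```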
## Mitigation Strategies
- Restrict the execution of HTA files via application whitelisting policies.
- Disable the `mshta.exe` utility if not strictly required for business operations.
## Related Tools/Techniques
- Other Metasploit payload delivery mechanisms.
***
# Tool/Technique: Divulge Stealer
## Overview
Detection signatures indicate activity related to the Divulge Stealer malware family, specifically targeting Command and Control (CnC) check-ins and data exfiltration attempts.
## Technical Details
- Type: Malware Family (Infostealer)
- Platform: Unknown (Typically Windows)
- Capabilities: Information theft, network check-ins, and data exfiltration over the network.
- First Seen: March 2025 (Rule availability)
## MITRE ATT&CK Mapping
* T1057 - Process Discovery (Implied by Stealer function)
* T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Establishing communication with C2 infrastructure.
- Sending stolen data off the compromised host.
### Advanced Features
- N/A (Specific advanced features not detailed in the context)
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic patterns matching "Divulge Stealer CnC Checkin" and "Divulge Stealer Data Exfiltration Attempt".
- Behavioral Indicators: Network connections associated with known stealer C2 profiles.
## Associated Threat Actors
- Threat actors utilizing Divulge Stealer.
## Detection Methods
- Signature-based detection: Snort rules `ET TROJAN Divulge Stealer CnC Checkin` and `ET TROJAN Divulge Stealer Data Exfiltration Attempt`.
## Mitigation Strategies
- Network filtering of suspicious outbound traffic.
- Endpoint protection capable of detecting known malware behavior patterns.
## Related Tools/Techniques
- Other commodity infostealers.
***
# Tool/Technique: PolarEdge Botnet/Webshell
## Overview
Multiple Snort rules point to the detection of activity related to the "PolarEdge" threat, involving malicious SSL certificates, webshell installation, and associated network communication.
## Technical Details
- Type: Botnet/Webshell Malware
- Platform: Web Servers (Likely targeting vulnerable web applications)
- Capabilities: Establishing persistence (webshells), leveraging compromised certificates, and maintaining command and control.
- First Seen: March 2025 (Rule availability)
## MITRE ATT&CK Mapping
* T1505.003 - Server Software Component: Web Shell
* T1071.001 - Application Layer Protocol: Web Protocols (for C2)
## Functionality
### Core Capabilities
- Installation and execution of PolarEdge Webshells.
- Utilizing malicious SSL certificates for potentially obfuscated C2 traffic.
- Establishing persistent backdoors via TLS sessions.
### Advanced Features
- Use of custom SSL certificates to potentially evade certificate pinning or trust-based security measures.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic matching `PolarEdge CnC Checkin`. Alerts for `PolarEdge Webshell Installation attempt` and `PolarEdge TLS Backdoor Installation Attempt`.
- Behavioral Indicators: Detection of malicious SSL certificates (`Observed Malicious SSL Cert`).
## Associated Threat Actors
- Threat actors deploying the PolarEdge malware.
## Detection Methods
- Signature-based detection: Numerous Snort rules covering installation, C2, and certificate usage.
## Mitigation Strategies
- Patching all web application servers immediately, particularly for vulnerabilities that allow webshell installation.
- Inspecting SSL/TLS trust stores for unauthorized, suspicious certificates.
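An added example (not from the original report) of the trust-store inspection above, using the same certificate-fingerprint approach the malicious-cert signatures rely on: each certificate in a PEM bundle is hashed and classified against an approved baseline and a blocklist. The PEM blocks, fingerprints and both lists are constructed stand-ins, not real certificates and not indicators from the report.

```python
"""Fingerprint a PEM trust store and classify each certificate."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def pem_block(der):
    """Wrap raw bytes as a PEM certificate block (used here only to build samples)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def fingerprints(bundle):
    """SHA-256 (hex) of each certificate's DER bytes, in bundle order."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(bundle)]

def classify(bundle, approved, blocklisted):
    """Map each fingerprint to 'approved', 'blocklisted' or 'unknown'.
    The blocklist is checked first so a bad cert that slipped into the
    baseline snapshot is still reported."""
    result = {}
    for fp in fingerprints(bundle):
        if fp in blocklisted:
            result[fp] = "blocklisted"
        elif fp in approved:
            result[fp] = "approved"
        else:
            result[fp] = "unknown"
    return result

# Constructed sample store: the "DER" payloads are arbitrary bytes, not real X.509.
SAMPLE_DER = {name: name.encode() for name in ("corp-root", "vendor-ca", "rogue-cert")}
SAMPLE_BUNDLE = "".join(pem_block(d) for d in SAMPLE_DER.values())
FP = {name: hashlib.sha256(d).hexdigest() for name, d in SAMPLE_DER.items()}
BASELINE = {FP["corp-root"]}    # fingerprints from a known-good snapshot of the store
BLOCKLIST = {FP["rogue-cert"]}  # placeholder for a threat-intel fingerprint feed

if __name__ == "__main__":
    for fp, verdict in classify(SAMPLE_BUNDLE, BASELINE, BLOCKLIST).items():
        print(verdict, fp)
```

Anything reported as "unknown" is the set to review by hand; "blocklisted" is an immediate removal candidate.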
## Related Tools/Techniques
- Other webshell families.
***
# Tool/Technique: Command Injection Vulnerabilities (CVEs)
## Overview
Multiple high-severity command injection vulnerabilities affecting enterprise software are noted, indicating active exploitation attempts.
## Technical Details
- Type: Vulnerability Exploitation Technique
- Platform: Specific Vendor Software (PRTG, Exim, ServiceNow, Cisco RV Series)
- Capabilities: Remote Code Execution (RCE) or arbitrary command execution on underlying systems through improperly sanitized user input.
- First Seen: Based on CVE dates (2018, 2023, 2024, 2025)
## MITRE ATT&CK Mapping
* T1190 - Exploit Public-Facing Application
  * T1190.002 - Exploit via Web Request
## Functionality
### Core Capabilities
- Inputting malicious command strings into vulnerable application fields (e.g., notification settings, database interfaces, web API parameters).
### Advanced Features
- Various exploit attempts targeting specific versions of Paessler PRTG, Exim, ServiceNow, and Cisco Small Business Routers.
## Indicators of Compromise
- Network Indicators: Traffic matching specific CVE exploit patterns for:
  - CVE-2018-9276 (Paessler PRTG)
  - CVE-2025-26794 (Exim SQLite (DBM) Injection)
  - CVE-2024-5217, CVE-2024-4879 (ServiceNow)
  - CVE-2023-20118, CVE-2023-20128 (Cisco RV Series)
- Network Indicators: Traffic matching RCE attempts against MITRE Caldera (CVE-2025-27364).
## Associated Threat Actors
- Actors scanning for or exploiting known vulnerabilities in these platforms.
## Detection Methods
- Signature-based detection: Snort rules like `ET WEB_SPECIFIC_APPS [...] Command Injection Attempt`.
## Mitigation Strategies
- **Patch Immediately:** Apply vendor security updates for all affected software (PRTG, Exim, ServiceNow, Cisco RV Series).
- Input validation and sanitization on all web application interfaces.
- Network segmentation to limit the impact of RCE if a public-facing application is compromised.
## Related Tools/Techniques
- General command injection payloads.
***
# Tool/Technique: Darcula Credential Phishing
## Overview
Signatures indicate detection of a credential harvesting operation utilizing the "Darcula" phishing kit, targeting victims through socket responses and distinct landing pages.
## Technical Details
- Type: Phishing Campaign Infrastructure
- Platform: Web/Network
- Capabilities: Collecting user credentials via fake websites communicated over network sockets.
- First Seen: February 27, 2025 (Based on timestamp in rule names)
## MITRE ATT&CK Mapping
* T1566.001 - Phishing: Spearphishing Attachment (If link delivered via email)
* T1566.002 - Phishing: Spearphishing Link
## Functionality
### Core Capabilities
- Serving phishing landing pages (M1, M2).
- Capturing victim submissions via network socket communication.
### Advanced Features
- Use of distinct, dated naming conventions suggests an active, tracked campaign infrastructure.
## Indicators of Compromise
- Network Indicators: Traffic associated with `Darcula Credential Phish Socket Response` and specific `Landing Page` traffic observed on 2025-02-27.
## Associated Threat Actors
- Threat actors deploying the Darcula credential phishing kit.
## Detection Methods
- Signature-based detection: Snort rules prefixed with `ET CURRENT_EVENTS Darcula Credential Phish`.
## Mitigation Strategies
- User awareness training regarding credential submission.
- Email gateway inspection for links pointing to known phishing domains associated with this infrastructure.
## Related Tools/Techniques
- Other credential harvesting tools.