Full Report
The following is the information on YARA and Snort rules (week 1, November 2024) collected and shared by the AhnLab TIP service.

- YARA rules: 0
- Snort rules: 12

| Detection name | Source |
| --- | --- |
| ET WEB_SPECIFIC_APPS PFsense Stored Cross-Site Scripting (CVE-2024-46538) | https://rules.emergingthreatspro.com/open/ |
| ET ATTACK_RESPONSE Observed ClickFix Powershell Delivery Page (Portuguese) | https://rules.emergingthreatspro.com/open/ |
| ET ATTACK_RESPONSE Observed ClickFix Powershell Delivery Page […] | |

The post "Weekly Detection Rule (YARA and Snort) Information – Week 1, November 2024" first appeared on ASEC.
Analysis Summary
This summary covers the Snort rules released in the first week of November 2024 by AhnLab TIP. Because the source is a list of detection rules rather than full malware reports, each entry below is treated as a detected technique or an associated malware family or vulnerability, and fields the rule list does not support are marked N/A.
***
# Tool/Technique: ET WEB_SPECIFIC_APPS Pfsense Stored Cross-Site Scripting (CVE-2024-46538)
## Overview
A detection rule targeting exploitation attempts against a stored cross-site scripting (XSS) vulnerability in pfSense, tracked as CVE-2024-46538.
## Technical Details
- Type: Technique (Vulnerability Exploitation Detection)
- Platform: Web Applications (likely the pfSense appliance web interface)
- Capabilities: Detection of network traffic indicative of exploiting CVE-2024-46538.
- First Seen: November 2024 (based on the reporting week)
## MITRE ATT&CK Mapping
No specific mapping is explicitly provided in the context, but exploitation of XSS generically maps to:
- [T1190 - Exploit Public-Facing Application]
## Functionality
### Core Capabilities
- Identifying malicious input patterns in requests to the pfSense web interface.
### Advanced Features
- N/A (This is a network detection rule signature).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic matching the XSS exploit payload for CVE-2024-46538.
- Behavioral Indicators: N/A
## Associated Threat Actors
- Unknown (General vulnerability targeting)
## Detection Methods
- Signature-based detection (Snort Rule: `ET WEB_SPECIFIC_APPS Pfsense Stored Cross-Site Scripting (CVE-2024-46538)`)
## Mitigation Strategies
- Patching pfSense installations to address CVE-2024-46538.
- Implementing Web Application Firewalls (WAF) to filter XSS payloads.
## Related Tools/Techniques
- Cross-Site Scripting (XSS)
***
# Tool/Technique: ClickFix Powershell Delivery Page
## Overview
Detection rules that observe network activity associated with a "ClickFix" delivery page used to deliver PowerShell-based malware, with one rule specific to a Portuguese-language variant of the page.
## Technical Details
- Type: Technique (Delivery Mechanism Detection)
- Platform: Windows (PowerShell Execution)
- Capabilities: Detecting POST requests and inbound traffic directed toward a known ClickFix delivery page hosting malicious content.
- First Seen: November 2024 (based on the reporting week)
## MITRE ATT&CK Mapping
- [TA0002 - Execution]
- [T1059.001 - Command and Scripting Interpreter: PowerShell]
- [TA0011 - Command and Control] (If subsequent C2 traffic is observed)
## Functionality
### Core Capabilities
- Alerting on inbound requests and POST requests associated with the delivery of PowerShell payloads hosted on the ClickFix delivery page.
### Advanced Features
- Contextual detection recognizing Portuguese language indicators on the delivery page.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic patterns matching GET/POST requests to the specific ClickFix delivery URL(s).
- Behavioral Indicators: Execution or staging of PowerShell scripts referencing known ClickFix naming conventions.
## Associated Threat Actors
- Unknown (The context suggests usage by actors leveraging this specific delivery infrastructure).
## Detection Methods
- Signature-based detection (Snort Rules: `ET ATTACK_RESPONSE Observed ClickFix Powershell Delivery Page (Portuguese)` and `ET ATTACK_RESPONSE Observed ClickFix Powershell Delivery Page Inbound`)
## Mitigation Strategies
- Filtering ingress and egress traffic to the associated domains at the network perimeter.
- AppLocker or Windows Defender Application Control (WDAC) policies restricting unapproved PowerShell execution.
## Related Tools/Techniques
- PowerShell Usage
- Phishing/Malicious Content Delivery
***
# Tool/Technique: IBM Aspera Faspex Pre-Auth RCE Attempt (CVE-2022-47986)
## Overview
A detection rule targeting attempted exploitation of a critical pre-authentication remote code execution (RCE) vulnerability in IBM Aspera Faspex, tracked as CVE-2022-47986.
## Technical Details
- Type: Technique (Vulnerability Exploitation Detection)
- Platform: Network Services (IBM Aspera Faspex)
- Capabilities: Identifying network traffic attempting to leverage CVE-2022-47986 for pre-authentication code execution.
- First Seen: Prior to November 2024 (the CVE dates from 2022; the detection rule appeared in this reporting week).
## MITRE ATT&CK Mapping
- [TA0002 - Execution]
- [T1190 - Exploit Public-Facing Application]
## Functionality
### Core Capabilities
- Alerting on (or, in inline IPS mode, blocking) attempts to trigger the RCE flaw in Faspex appliances across the network.
### Advanced Features
- N/A
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Specific HTTP requests or payloads associated with CVE-2022-47986 exploits.
- Behavioral Indicators: N/A
## Associated Threat Actors
- Unknown (This particular CVE was widely exploited by various groups previously).
## Detection Methods
- Signature-based detection (Snort Rule: `ET WEB_SPECIFIC_APPS IBM Aspera Faspex Pre-Auth RCE Attempt (CVE-2022-47986)`)
## Mitigation Strategies
- Immediate patching/updating of IBM Aspera Faspex software.
## Related Tools/Techniques
- Remote Code Execution (RCE)
***
# Tool/Technique: Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-9380)
## Overview
A detection rule monitoring for activity leveraging the command injection vulnerability (CVE-2024-9380) in Ivanti Cloud Service Appliance (CSA), which requires prior authentication.
## Technical Details
- Type: Technique (Vulnerability Exploitation Detection)
- Platform: Network Services (Ivanti CSA)
- Capabilities: Detecting requests from authenticated sessions that attempt to inject and execute arbitrary commands via the flaw.
- First Seen: November 2024 (based on the reporting week)
## MITRE ATT&CK Mapping
- [TA0002 - Execution]
- [T1190 - Exploit Public-Facing Application]
- [T1056 - Input Capture] (If used for subsequent credential harvesting)
## Functionality
### Core Capabilities
- Alerting on command injection patterns against vulnerable Ivanti CSA instances.
### Advanced Features
- N/A
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Malicious command injection strings within authenticated HTTP requests.
- Behavioral Indicators: N/A
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection (Snort Rule: `ET WEB_SPECIFIC_APPS Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-9380)`)
## Mitigation Strategies
- Applying vendor patches for Ivanti CSA addressing CVE-2024-9380.
## Related Tools/Techniques
- Command Injection
***
# Tool/Technique: Android/TrickMo.Banker
## Overview
A variant of an Android malware family, identified as a banking Trojan responsible for credential theft, detected through its network requests for configuration retrieval and command-and-control (C2) communication.
## Technical Details
- Type: Malware Family (Mobile/Banker Trojan)
- Platform: Android
- Capabilities: Stealing banking credentials, C2 communication for configuration updates and command relay.
- First Seen: Unknown (the family predates November 2024); the rules appeared in this reporting week.
## MITRE ATT&CK Mapping
- [TA0009 - Collection]
- [T1552.001 - Unsecured Credentials: Credentials in Files] (Likely data exfiltration)
- [TA0011 - Command and Control]
- [T1105 - Ingress Tool Transfer] (Config retrieval)
## Functionality
### Core Capabilities
- Sending POST requests to C2 servers.
- Receiving configuration data via GET requests.
- Communicating transaction/status updates.
### Advanced Features
- Banking Trojan functionality targeting financial apps on Android.
## Indicators of Compromise
- File Hashes: N/A (Not provided)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Specific GET requests for configuration and POST requests related to exfiltration/updates identified by the Snort rules.
- Behavioral Indicators: The specific sequence of GET and POST requests documented in the rules.
## Associated Threat Actors
- Unknown (Attributed to the TrickMo family)
## Detection Methods
- Signature-based detection (three Snort rules with the prefix `ET MOBILE_MALWARE Android/TrickMo.Banker`: `POST Request`, `GET Config Request`, and `Config Response`)
## Mitigation Strategies
- Restricting sideloading of applications on Android devices.
- Utilizing mobile security software capable of detecting banking Trojans.
## Related Tools/Techniques
- Other Android banking malware families.
***
# Tool/Technique: Cyberpanel upgrademysqlstatus Command Injection Attempt (CVE-2024-51567)
## Overview
Detection rule flagging attempts to exploit a command injection vulnerability (CVE-2024-51567) in the `upgrademysqlstatus` function of the CyberPanel control panel.
## Technical Details
- Type: Technique (Vulnerability Exploitation Detection)
- Platform: Web Applications (CyberPanel)
- Capabilities: Detecting HTTP requests carrying command-injection payloads aimed at the CyberPanel `upgrademysqlstatus` endpoint.
- First Seen: November 2024 (based on the reporting week)
## MITRE ATT&CK Mapping
- [TA0002 - Execution]
- [T1190 - Exploit Public-Facing Application]
## Functionality
### Core Capabilities
- Identifying exploit payloads targeting the CVE-2024-51567 flaw.
### Advanced Features
- N/A
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Command injection strings targeting the `upgrademysqlstatus` endpoint.
- Behavioral Indicators: N/A
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection (Snort Rule: `ET WEB_SPECIFIC_APPS Cyberpanel upgrademysqlstatus Command Injection Attempt (CVE-2024-51567)`)
## Mitigation Strategies
- Applying the necessary patches or updates for CyberPanel to resolve CVE-2024-51567.
## Related Tools/Techniques
- Command Injection
***
# Tool/Technique: UAC-0050 CnC Activity
## Overview
A rule designed to detect command-and-control (C2) communication attributed to UAC-0050, a threat activity cluster designation used by CERT-UA; the rule sits in the ET TROJAN category, so the traffic is assumed to originate from a Trojan reaching remote resources.
## Technical Details
- Type: Malware/Trojan (Network Communication)
- Platform: Windows (inferred from typical Trojan usage; the rule name does not state a platform)
- Capabilities: Establishing outbound connections for remote command reception.
- First Seen: Prior to November 2024.
## MITRE ATT&CK Mapping
- [TA0011 - Command and Control]
- [T1071.001 - Application Layer Protocol: Web Protocols]
## Functionality
### Core Capabilities
- Detecting characteristic outbound network traffic associated with UAC-0050 C2 servers.
### Advanced Features
- N/A
## Indicators of Compromise
- File Hashes: N/A (Not provided)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic patterns matching known UAC-0050 C2 infrastructure.
- Behavioral Indicators: N/A
## Associated Threat Actors
- UAC-0050 (designation only; the source provides no further attribution)
## Detection Methods
- Signature-based detection (Snort Rule: `ET TROJAN Observed UAC-0050 CnC Activity`)
## Mitigation Strategies
- Blocking identified C2 network indicators at the perimeter firewall.
- Isolating compromised endpoints exhibiting this behavior.
## Related Tools/Techniques
- Generic Trojan C2 communication.
***
# Tool/Technique: Win32/BlackShadow Activity (M1)
## Overview
Detection targeting activity associated with the malware family "BlackShadow," specifically a GET request pattern labeled M1. BlackShadow is often tracked as an infostealer or backdoor.
## Technical Details
- Type: Malware Family (Trojan/Infostealer)
- Platform: Windows (Win32)
- Capabilities: Performing reconnaissance or beaconing via HTTP GET requests.
- First Seen: Prior to November 2024.
## MITRE ATT&CK Mapping
- [TA0011 - Command and Control]
- [T1071.001 - Application Layer Protocol: Web Protocols]
## Functionality
### Core Capabilities
- Recognizing the standard outbound GET requests used by the BlackShadow malware variant.
### Advanced Features
- N/A
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Specific GET request formatting used by BlackShadow M1.
- Behavioral Indicators: N/A
## Associated Threat Actors
- BlackShadow operators.
## Detection Methods
- Signature-based detection (Snort Rule: `ET TROJAN Win32/BlackShadow Activity (GET) M1`)
## Mitigation Strategies
- Blocking C2 traffic.
- Scanning systems for BlackShadow executables.
## Related Tools/Techniques
- Other Windows Infostealers.
***
# Tool/Technique: BlackShadow Raphael Company Impersonation Form Submission
## Overview
A detection rule specifically targeting BlackShadow activity where the malware or an associated script is attempting to submit a form impersonating or targeting a company named "Raphael."
## Technical Details
- Type: Malware Activity (Specific Impersonation/Targeting)
- Platform: Web-facing systems/endpoints interacting with specific forms.
- Capabilities: Detecting the submission payload associated with this targeted operation.
- First Seen: November 2024 (the rule appeared in this reporting week).
## MITRE ATT&CK Mapping
- [TA0001 - Initial Access] / [TA0006 - Credential Access]
- [T1566.002 - Phishing: Spearphishing Link] (If the form submission is phishing-related)
## Functionality
### Core Capabilities
- Identifying HTTP POST requests containing data typical of a BlackShadow submission targeting the "Raphael Company" context.
### Advanced Features
- Contextual targeting detection.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Specific POST payload parameters related to the Raphael company interaction.
- Behavioral Indicators: N/A
## Associated Threat Actors
- BlackShadow operators, specifically targeting entities related to "Raphael Company."
## Detection Methods
- Signature-based detection (Snort Rule: `ET CURRENT_EVENTS BlackShadow Raphael Company Impersonation Form Submission`)
## Mitigation Strategies
- Analyzing logs for any successful form submissions matching this pattern.
- Reviewing the target application for compromise.
## Related Tools/Techniques
- BlackShadow activity.