Full Report
The following is the information on YARA and Snort rules (week 2, December 2024) collected and shared by the AhnLab TIP service.

8 YARA Rules

| Detection name | Description | Source |
| --- | --- | --- |
| VeeamHax | exe – file VeeamHax.exe | https://github.com/The-DFIR-Report/Yara-Rules |
| PK_Elster_darknet | Phishing Kit impersonating Elster tax office (DE) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Nickel_memoryerror | Phishing Kit impersonating Nickel | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Telegram_gambar | Phishing Kit impersonating Telegram | […] |

The post "Weekly Detection Rule (YARA and Snort) Information – Week 2, December 2024" first appeared on ASEC.
Analysis Summary
This summary is based on the provided context, which details YARA and Snort rules released in the second week of December 2024 by the AhnLab TIP service. Since the context only lists detection rules and their targets, the summary focuses on the malware/phishing kits and vulnerabilities being detected.
***
# Tool/Technique: VeeamHax.exe (Detection Rule)
## Overview
A file signature detected by a YARA rule named "VeeamHax," targeting an executable file named `VeeamHax.exe`. This likely pertains to a specific threat or customized tool.
## Technical Details
- Type: Malware Signature (Implied by context, targeting an executable)
- Platform: Windows (Implied by *.exe file extension)
- Capabilities: Unknown (Only the detection name is provided)
- First Seen: Unknown
## MITRE ATT&CK Mapping
* TBD (No specific technique information available from the rule name alone)
## Functionality
### Core Capabilities
- Detection via YARA rule pattern matching against the file `VeeamHax.exe`.
### Advanced Features
- N/A
## Indicators of Compromise
- File Hashes: N/A
- File Names: `VeeamHax.exe`
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection: YARA Rule (`VeeamHax`)
## Mitigation Strategies
- Blocking execution of suspicious or unknown executables.
## Related Tools/Techniques
- Other malware families detected by YARA rules listed.
***
# Tool/Technique: Phishing Kits (Various)
## Overview
A collection of five types of Phishing Kits detected by YARA rules, designed to impersonate legitimate services (Elster, Nickel, Telegram, Ledger, PayPal) for credential harvesting.
## Technical Details
- Type: Phishing Kits/Frameworks
- Platform: Web/Server environment hosting the pages
- Capabilities: Credential harvesting, brand impersonation.
- First Seen: Unknown
## MITRE ATT&CK Mapping
* TA0001 - Initial Access
* T1566 - Phishing
* T1566.001 - Spearphishing Attachment (If delivered via attachment) / T1566.002 - Spearphishing Link (Most likely for web-based kits)
## Functionality
### Core Capabilities (General Phishing Kit Function)
- Presenting a counterfeit login or data entry page to trick victims.
- Collecting submitted victim data (credentials, sensitive information).
### Advanced Features
- **Target Specificity:** Kits are tailored to specific brands (e.g., Elster tax office for German users, Telegram for Malaysian users).
## Indicators of Compromise
- File Hashes: N/A
- File Names: (Files comprising the kit, e.g., PHP scripts, HTML pages)
- Registry Keys: N/A
- Network Indicators: Phishing domains/URLs associated with deployment.
- Behavioral Indicators: Serving login forms for targeted brands.
## Associated Threat Actors
- Actors deploying these specific phishing campaigns.
## Detection Methods
- Signature-based detection: YARA Rules (`PK_Elster_darknet`, `PK_Nickel_memoryerror`, `PK_Telegram_gambar`, `PK_Ledger_shadowroot`, `PK_PayPal_system`)
## Mitigation Strategies
- User education on recognizing phishing attempts.
- Network filtering for known phishing domains.
## Related Tools/Techniques
- Web application compromise used for hosting.
***
# Tool/Technique: Brooxml (File Manipulation)
## Overview
Detection mechanisms targeting malicious manipulation of Microsoft OOXML (Office Open XML) files, sometimes involving prepended data or header manipulation, often associated with phishing pathways.
## Technical Details
- Type: Malicious File Structure/Technique (Detected by YARA)
- Platform: File System (MS Office documents: DOCX, XLSX, PPTX)
- Capabilities: Hiding malicious content or enabling exploitation via file format flaws.
- First Seen: Unknown
## MITRE ATT&CK Mapping
* TA0001 - Initial Access
* T1566 - Phishing
* T1566.001 - Spearphishing Attachment
## Functionality
### Core Capabilities
- Detecting malformed or specifically structured OOXML files.
- Rule `Brooxml_Phishing` specifically targets OOXML files leading to AiTM (Adversary-in-the-Middle) phishing.
### Advanced Features
- Detecting header manipulation in OOXML and potentially PDF files when linked to AiTM phishing.
## Indicators of Compromise
- File Hashes: N/A
- File Names: *.docx, *.xlsx, *.pptx, *.pdf (when associated with the mechanism)
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Execution path initiated by opening the manipulated document.
## Associated Threat Actors
- Actors using document-based initial access/phishing.
## Detection Methods
- Signature-based detection: YARA Rules (`Brooxml_Hunting`, `Brooxml_Phishing`)
## Mitigation Strategies
- Disabling or restricting macro execution in Office documents.
- Application whitelisting.
## Related Tools/Techniques
- File format specific exploits.
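The Brooxml rules themselves are not reproduced on this page, so the following is an added example (not AhnLab's, ASEC's or the rule authors' code) of a triage check for the structural anomaly this section describes: data prepended before the ZIP local header of an OOXML container, or a container whose header is present but which no longer parses. The minimal sample container, the junk prefix and the `inspect_ooxml` name are constructed for this example.

```python
import io
import zipfile

# ZIP local file header signature. An OOXML document (DOCX/XLSX/PPTX) is a
# ZIP container, so an untouched file carries these four bytes at offset 0.
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def build_sample_ooxml() -> bytes:
    """Constructed stand-in for an OOXML package (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def inspect_ooxml(data: bytes) -> dict:
    """Report structural anomalies in an OOXML candidate.

    zipfile locates the central directory from the end of the file, so it
    opens a container with prepended data transparently; the explicit
    offset check is what surfaces that manipulation.
    """
    report = {
        "zip_offset": data.find(ZIP_LOCAL_HEADER),
        "prepended_bytes": 0,
        "parses_as_zip": False,
        "has_content_types": False,
        "parts": [],
        "suspicious": False,
        "reasons": [],
    }
    if report["zip_offset"] < 0:
        report["suspicious"] = True
        report["reasons"].append("no ZIP local header found")
        return report
    if report["zip_offset"] > 0:
        report["prepended_bytes"] = report["zip_offset"]
        report["suspicious"] = True
        report["reasons"].append(
            f"{report['zip_offset']} bytes prepended before ZIP header")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            report["parses_as_zip"] = True
            report["parts"] = z.namelist()
            report["has_content_types"] = "[Content_Types].xml" in report["parts"]
    except zipfile.BadZipFile:
        report["suspicious"] = True
        report["reasons"].append("ZIP header present but container does not parse")
        return report
    if not report["has_content_types"]:
        report["suspicious"] = True
        report["reasons"].append("missing [Content_Types].xml")
    return report


if __name__ == "__main__":
    clean = build_sample_ooxml()
    tampered = b"<!-- constructed junk prefix -->" + clean  # prepended data
    for label, blob in (("clean", clean), ("tampered", tampered), ("truncated", clean[:40])):
        print(label, inspect_ooxml(blob)["reasons"])
```

The check is deliberately cheap so it can run on every attachment before heavier parsing; a non-zero `zip_offset` on a file that still opens is the case worth routing to analysts, because the container is functional yet has been modified.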
***
# Tool/Technique: PowerShell Byte Operations Command
## Overview
A network detection rule observing inbound traffic containing Base64 encoded PowerShell commands that perform byte operations. This is a common obfuscation and execution technique used by various malware families.
## Technical Details
- Type: Technique/Behavior
- Platform: Windows (PowerShell execution)
- Capabilities: In-memory execution, obfuscation, payload delivery.
- First Seen: Unknown
## MITRE ATT&CK Mapping
* TA0002 - Execution
* T1059 - Command and Scripting Interpreter
* T1059.001 - PowerShell
* TA0005 - Defense Evasion
* T1027 - Obfuscated Files or Information
## Functionality
### Core Capabilities
- Use of Base64 encoding for obfuscation.
- Execution of operations at the byte level, typical for avoiding string-based detection.
### Advanced Features
- Inbound traffic analysis catching the malicious command before or during execution.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Inbound connection containing Base64 encoded PowerShell commands.
- Behavioral Indicators: PowerShell script running with byte manipulation (`ET ATTACK_RESPONSE Base64 Encoded Powershell Performing Byte Operations Inbound`).
## Associated Threat Actors
- Wide range of threat actors utilizing PowerShell for execution.
## Detection Methods
- Signature-based detection: Snort Rule (`ET ATTACK_RESPONSE Base64 Encoded Powershell Performing Byte Operations Inbound`)
## Mitigation Strategies
- PowerShell logging and transcription enabled.
- Application Control (e.g., AppLocker, WDAC) restricting unauthorized PowerShell scripts.
## Related Tools/Techniques
- General PowerShell usage by adversaries.
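As an added example (not the Emerging Threats rule and not AhnLab's code), the following Python scans an inbound HTTP body for long base64 runs, decodes each as PowerShell would (UTF-16LE for `-EncodedCommand`, ASCII as the fallback for strings handed to `FromBase64String`), and flags decoded text that contains byte-operation tokens. The token list, the sample response and all function names are assumptions; the byte patterns the ET rule actually matches are not on this page.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Constructed token list: substrings showing a decoded command works on
# bytes rather than plain strings. Lower-case, matched case-insensitively.
BYTE_OP_TOKENS = ("[byte[]]", "frombase64string", "-bxor", "[system.convert]")

# A base64 run long enough to carry a command; short tokens are skipped.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def decode_candidate(run: bytes) -> Optional[Tuple[str, str]]:
    """Decode a base64 run and report which text encoding produced it.

    The UTF-16LE decode of plain ASCII bytes yields mostly non-ASCII code
    points, so an ASCII-ratio check tells the two encodings apart.
    """
    try:
        raw = base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-16-le", "ascii"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and sum(ord(c) < 128 for c in text) / len(text) >= 0.9:
            return enc, text
    return None


def scan_payload(payload: bytes) -> list:
    """Return one hit per base64 run whose decoded text performs byte operations."""
    hits = []
    for m in B64_RUN.finditer(payload):
        decoded = decode_candidate(m.group(0))
        if decoded is None:
            continue
        enc, text = decoded
        tokens = [t for t in BYTE_OP_TOKENS if t in text.lower()]
        if tokens:
            hits.append({"offset": m.start(), "encoding": enc,
                         "tokens": tokens, "command": text})
    return hits


# Constructed sample: a harmless command that turns base64 into a byte
# array and XORs each byte, wrapped the way an inbound response carries it.
SAMPLE_COMMAND = ("[byte[]]$b = [Convert]::FromBase64String('QUJD'); "
                  "$b | ForEach-Object { $_ -bxor 0x20 }")


def build_sample_response() -> bytes:
    encoded = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le"))
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
            b"powershell -NoProfile -EncodedCommand " + encoded + b"\r\n")


if __name__ == "__main__":
    for hit in scan_payload(build_sample_response()):
        print(hit["offset"], hit["encoding"], hit["tokens"])
```

Decoding before matching is the point: a string signature on the wire sees only base64, so the rule logic has to either carry pre-encoded patterns (as network IDS rules do) or, as here, normalise first and match on plaintext.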
***
# Tool/Technique: Mitel MiCollab Vulnerabilities (CVE-2024-35286, CVE-2024-41713)
## Overview
Two vulnerabilities identified in Mitel MiCollab software detected via Snort rules: Pre-Authentication SQL Injection (CVE-2024-35286) and Unauthenticated Path Traversal (CVE-2024-41713).
## Technical Details
- Type: Vulnerability / Exploit Attempt
- Platform: Mitel MiCollab application/servers
- Capabilities: Remote code execution potential, data access, or file system compromise.
- First Seen: Associated with CVE disclosures in 2024.
## MITRE ATT&CK Mapping
* TA0001 - Initial Access
* T1190 - Exploit Public-Facing Application
## Functionality
### Core Capabilities
- Attacks target the application interface directly. SQLi allows database manipulation/information disclosure. Path Traversal allows accessing arbitrary files.
### Advanced Features
- Both listed exploits are pre-authentication or unauthenticated, indicating high severity remote access vectors.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic matching known exploit patterns for these CVEs.
- Behavioral Indicators: Failed SQL query attempts, attempts to access sensitive paths (`../`).
## Associated Threat Actors
- Actors targeting VoIP/collaboration infrastructure.
## Detection Methods
- Signature-based detection: Snort Rules (`ET WEB_SPECIFIC_APPS Mitel MiCollab Pre-Authentication SQLi (CVE-2024-35286)`, `ET WEB_SPECIFIC_APPS Mitel MiCollab Unauthenticated Path Traversal (CVE-2024-41713)`)
## Mitigation Strategies
- Immediately applying vendor patches for CVE-2024-35286 and CVE-2024-41713.
- Restricting external access to Mitel MiCollab interfaces if possible.
## Related Tools/Techniques
- Other SQL Injection (`T1190`) and Path Traversal (`T1078`) techniques.
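The behavioural indicator above (`../` in requested paths) is easy to miss when the sequence is percent-encoded once or twice. The following is an added example, not Mitel's code and not the Snort rule, that normalises request paths from access-log lines and flags `..` segments. The log lines, the hostnames and the function names are constructed for this example and are not MiCollab traffic.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined log format) for a hypothetical
# web management interface; not captured traffic from any real product.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2024:10:01:02 +0000] "GET /portal/index.php HTTP/1.1" 200 5123
203.0.113.5 - - [10/Dec/2024:10:01:09 +0000] "GET /portal/..%2F..%2Fconfig%2Fsettings.ini HTTP/1.1" 403 0
198.51.100.7 - - [10/Dec/2024:10:02:30 +0000] "GET /static/css/%252e%252e/%252e%252e/config HTTP/1.1" 404 0
198.51.100.9 - - [10/Dec/2024:10:03:00 +0000] "GET /docs/release-notes..html HTTP/1.1" 200 880
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A ".." path segment standing on its own, with either separator style.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def normalise_path(raw: str, rounds: int = 3) -> str:
    """Strip the query string and percent-decode until the value stops changing.

    Decoding more than once exposes double-encoded sequences such as
    %252e%252e, which a single unquote only turns into %2e%2e.
    """
    path = raw.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_traversal(log_text: str) -> list:
    """Return one alert per request whose decoded path contains a '..' segment."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = normalise_path(m.group("path"))
        if TRAVERSAL_RE.search(decoded):
            alerts.append({"line": lineno, "client": line.split()[0],
                           "raw_path": m.group("path"), "decoded": decoded})
    return alerts


if __name__ == "__main__":
    for a in find_traversal(SAMPLE_LOG):
        print(f"line {a['line']}: {a['client']} requested {a['raw_path']} -> {a['decoded']}")
```

The fourth sample line shows why the pattern anchors on separators: `release-notes..html` contains two dots but is not a traversal, and matching on a bare `..` would produce noise on every such file name.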
***
# Tool/Technique: Zabbix Server SQLi (CVE-2024-42327)
## Overview
An exploit attempt targeting a specific SQL Injection vulnerability in the Zabbix Server API's `user.get` method (CVE-2024-42327).
## Technical Details
- Type: Vulnerability / Exploit Attempt
- Platform: Zabbix Monitoring Server
- Capabilities: Unauthorized information retrieval or account manipulation via the API.
- First Seen: Associated with CVE disclosure in 2024.
## MITRE ATT&CK Mapping
* TA0006 - Credential Access / TA0001 - Initial Access
* T1190 - Exploit Public-Facing Application
## Functionality
### Core Capabilities
- Exploitation targets the Zabbix API endpoint `user.get`.
- Enables actors to potentially enumerate or steal user hashes/credentials.
### Advanced Features
- Specific targeting of an endpoint that is authenticated, or that runs in a pseudo-authenticated context within the API logic.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic targeting the Zabbix API with SQL injection syntax related to `user.get`.
- Behavioral Indicators: Unexpected API responses or unusual access to user data tables.
## Associated Threat Actors
- Actors targeting IT infrastructure and monitoring systems.
## Detection Methods
- Signature-based detection: Snort Rule (`ET WEB_SPECIFIC_APPS Zabbix Server SQLi API user.get Method (CVE-2024-42327)`)
## Mitigation Strategies
- Patching Zabbix servers immediately.
- Reviewing and restricting API access controls.
## Related Tools/Techniques
- Other API-based reconnaissance techniques.
***
# Tool/Technique: Bitcoin Scam Exfiltration (POST)
## Overview
Detection rules flagging network activity associated with ongoing Bitcoin scams, specifically focusing on the exfiltration of victim details via HTTP POST requests, and the observation of related scam webpages.
## Technical Details
- Type: Malware/Fraudulent Activity Behavior
- Platform: Web servers/Victim Browsers
- Capabilities: Data theft post-interaction with a scam site.
- First Seen: Unknown (Associated with current scam infrastructure)
## MITRE ATT&CK Mapping
* TA0010 - Exfiltration
* T1041 - Exfiltration Over C2 Channel
* TA0001 - Initial Access
* T1566 - Phishing
## Functionality
### Core Capabilities
- Capturing victim data (likely login details or wallet phrases) entered on a fraudulent webpage.
- Sending this data back to the attacker via an HTTP POST request.
### Advanced Features
- Detection covers both the presence of the scam webpage and the subsequent data transmission.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: HTTP POST requests to known Bitcoin scam infrastructure domains.
- Behavioral Indicators: Accessing or serving known Bitcoin scam pages.
## Associated Threat Actors
- Cybercriminals running financial fraud/scam operations.
## Detection Methods
- Signature-based detection: Snort Rules (`ET CURRENT_EVENTS Bitcoin Scam Victim Details Exfiltration (POST)`, `ET CURRENT_EVENTS Bitcoin Scam Webpage Observed`)
## Mitigation Strategies
- Blocking access to cryptocurrency scam domains.
- User vigilance regarding unsolicited financial offers.
## Related Tools/Techniques
- General credential harvesting/exfiltration methods.
***
# Tool/Technique: RuPSRAT (GoBayden Payload)
## Overview
A detection rule identifying inbound command traffic associated with **RuPSRAT** that initiates the download and execution of a payload named **GoBayden**. This indicates activity from a specific threat actor using a known Remote Access Trojan (RAT).
## Technical Details
- Type: Malware (Remote Access Trojan Family)
- Platform: Likely Windows (inferred from the C2 structure).
- Capabilities: Remote control, file system access, command execution (via GoBayden payload).
- First Seen: Unknown
## MITRE ATT&CK Mapping
* TA0011 - Command and Control
* T1071 - Application Layer Protocol
* TA0002 - Execution
* T1105 - Ingress Tool Transfer (for downloading GoBayden)
## Functionality
### Core Capabilities
- RuPSRAT acts as the primary C2 communication channel.
- Ability to issue remote commands to victims.
### Advanced Features
- Downloading and executing a secondary payload (`GoBayden`), suggesting multi-stage infection or modular capability.
## Indicators of Compromise
- File Hashes: N/A
- File Names: `GoBayden` (Payload)
- Registry Keys: N/A
- Network Indicators: Inbound C2 traffic matching RuPSRAT patterns.
- Behavioral Indicators: The specific command sequence initiating the GoBayden download/exec.
## Associated Threat Actors
- Actors utilizing the RuPSRAT malware family.
## Detection Methods
- Signature-based detection: Snort Rule (`ET ATTACK_RESPONSE RuPSRAT Command Inbound (Download/Execute GoBayden)`)
## Mitigation Strategies
- Thorough endpoint scanning for RAT components.
- Network egress/ingress filtering to block known C2 channels.
## Related Tools/Techniques
- Other RATs exploiting similar command structures.
***
# Tool/Technique: Riello Netman 204 UPS SQL Injection (CVE-2024-8877)
## Overview
Detection for an attempt to exploit an SQL Injection vulnerability in the Riello Netman 204 UPS management interface (CVE-2024-8877).
## Technical Details
- Type: Vulnerability / Exploit Attempt
- Platform: Riello Netman 204 UPS devices (Network Management)
- Capabilities: Gaining unauthorized access or control over the UPS management system via API/web interface.
- First Seen: Associated with CVE disclosure in 2024.
## MITRE ATT&CK Mapping
* TA0001 - Initial Access
* T1190 - Exploit Public-Facing Application
## Functionality
### Core Capabilities
- Exploiting improper input validation within the UPS management interface.
- Potential for disruption or data access on the infrastructure layer.
### Advanced Features
- Targeting Operational Technology (OT) infrastructure (UPS systems).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic targeting Riello UPS interfaces matching SQL injection payloads for this CVE.
- Behavioral Indicators: Unusual requests to configuration or user management endpoints.
## Associated Threat Actors
- Actors targeting critical infrastructure or industrial control systems (ICS).
## Detection Methods
- Signature-based detection: Snort Rule (`ET WEB_SPECIFIC_APPS Riello Netman 204 UPS SQL Injection Attempt (CVE-2024-8877)`)
## Mitigation Strategies
- Patching UPS management software immediately.
- Isolating UPS management networks from general IT networks wherever possible.
## Related Tools/Techniques
- Other exploits targeting IoT/OT device management interfaces.
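The three SQL injection rules on this page (Mitel MiCollab, Zabbix `user.get`, Riello Netman 204) all describe the same underlying defect, "improper input validation" where caller-supplied text reaches the SQL parser, so one added example is placed here after the last of them. It is not code from any of those products or from AhnLab; it uses an in-memory SQLite table and constructed rows to show the vulnerable query beside its parameterised form, plus the allowlist needed for identifiers (sort columns), which cannot be bound as parameters.

```python
import sqlite3

# Identifiers such as ORDER BY columns cannot be passed as bound parameters,
# so they are checked against a fixed allowlist instead (constructed here).
ALLOWED_SORT_COLUMNS = {"name", "role"}


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for an application's user store (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the caller's string is spliced into the SQL text,
    so quote characters in it change the structure of the query."""
    return conn.execute(
        f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the value is bound as a parameter and is only ever
    compared with the column, never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def is_allowed_sort(column: str) -> bool:
    return column in ALLOWED_SORT_COLUMNS


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Sort column is an identifier: validate against the allowlist, then
    it is safe to place in the query text."""
    if not is_allowed_sort(sort_by):
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT name, role FROM users ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    probe = "x' OR '1'='1"   # constructed input with an embedded quote
    print("unsafe:", lookup_user_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_user_safe(db, probe))     # no user has that name
    print("sorted:", list_users_sorted(db, "role"))
```

The same probe string behaves very differently in the two lookups, which is the observable a reviewer can test for in any code that builds SQL from request parameters; the `ORDER BY` helper shows the one place where an allowlist, not a bound parameter, is the correct control.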