Full Report
The following is the information on Yara and Snort rules (week 3, February 2025) collected and shared by the AhnLab TIP service.

5 YARA Rules

| Detection name | Description | Source |
| --- | --- | --- |
| MAL\_BACKORDER\_LOADER\_WIN\_Go\_Jan23 | Detects the BACKORDER loader compiled in Go which downloads and executes a second stage payload from a remote server. | https://github.com/Neo23x0/signature-base |
| MAL\_PHISH\_ShellCode\_Enc\_Payload\_Feb25 | Detects unknown of phishing-delivered […] | |
Analysis Summary
This summary is based on the detection rules provided for the third week of February 2025 by AhnLab TIP. Since the context only provides rule names, descriptions, and sources (without underlying malware binaries or detailed operational descriptions), the analysis focuses on characterizing the detected threats and vulnerabilities.
---
# Tool/Technique: MAL\_BACKORDER\_LOADER\_WIN\_Go\_Jan23
## Overview
A loader malware family written in the Go programming language, designed to download and execute a second-stage payload retrieved from a remote server.
## Technical Details
- Type: Malware family (Loader)
- Platform: Windows (Implied by 'WIN')
- Capabilities: Initial access, payload delivery, remote execution.
- First Seen: January 2023 (Implied by name suffix)
## MITRE ATT&CK Mapping
*(Mapping is speculative based on general loader behavior, as precise TTPs are not detailed)*
- TA0002 - Execution
- T1204 - User Execution (If delivered via user interaction)
- T1059 - Command and Scripting Interpreter (Used for execution logic)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol (Used for downloading secondary payload)
## Functionality
### Core Capabilities
- Initialization via Go binary.
- Establishing C2 connection.
- Downloading and executing subsequent malicious code stages.
### Advanced Features
- Compilation in Go: the resulting binaries are statically linked and structurally unlike conventional Windows payloads, so signatures written for those payloads may not fire on them.
## Indicators of Compromise
- File Hashes: N/A (Rule name only)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Remote server communication for payload fetching.
- Behavioral Indicators: Execution flow involving remote file retrieval.
## Associated Threat Actors
- N/A (No specific threat actor mentioned in the rule context)
## Detection Methods
- Signature-based detection (YARA: MAL\_BACKORDER\_LOADER\_WIN\_Go\_Jan23).
## Mitigation Strategies
- Strict egress filtering to prevent unknown outbound connections to command and control servers.
- Monitoring for execution chains that initiate network connections immediately after file launch.
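One way to hunt for the execution chain in the last point, added here as an example and not code from AhnLab or the rule author: the script correlates constructed Sysmon-style ProcessCreate and NetworkConnect records (the JSON field names, the 10-second window and the staging-directory hints are assumptions for this example) and flags binaries that reach a non-internal address within seconds of launch.

```python
import ipaddress
import json
from datetime import datetime

CONNECT_WINDOW_SECONDS = 10   # assumption: a loader reaches out almost at once
STAGING_HINTS = ("\\downloads\\", "\\temp\\", "\\appdata\\")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed Sysmon-like events: id 1 = ProcessCreate, id 3 = NetworkConnect.
# 203.0.113.x are documentation (TEST-NET-3) addresses standing in for remote hosts.
SAMPLE_EVENTS = r"""
{"id":1,"ts":"2025-02-17T09:00:00","pid":4120,"image":"C:\\Users\\u\\Downloads\\invoice.exe"}
{"id":3,"ts":"2025-02-17T09:00:02","pid":4120,"image":"C:\\Users\\u\\Downloads\\invoice.exe","dst":"203.0.113.7","dport":443}
{"id":1,"ts":"2025-02-17T09:01:00","pid":5000,"image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"id":3,"ts":"2025-02-17T09:01:40","pid":5000,"image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dst":"203.0.113.9","dport":443}
{"id":3,"ts":"2025-02-17T09:02:00","pid":6000,"image":"C:\\Windows\\System32\\svchost.exe","dst":"10.0.0.5","dport":135}
"""

def parse_events(text):
    """Decode one JSON event per line and order them by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def detect_fast_outbound(text, window=CONNECT_WINDOW_SECONDS):
    """Return alerts for processes that connect out within `window` seconds of launch."""
    starts, alerts = {}, []
    for e in parse_events(text):
        if e["id"] == 1:
            starts[e["pid"]] = e
            continue
        if e["id"] != 3 or e["pid"] not in starts or is_internal(e["dst"]):
            continue        # no launch seen, or internal traffic: out of scope here
        delay = (e["ts"] - starts[e["pid"]]["ts"]).total_seconds()
        if delay > window:
            continue
        # A fresh binary in a user-writable staging directory raises severity.
        staged = any(h in e["image"].lower() for h in STAGING_HINTS)
        alerts.append({"pid": e["pid"], "image": e["image"], "dst": e["dst"],
                       "seconds_after_launch": delay,
                       "severity": "high" if staged else "medium"})
    return alerts

if __name__ == "__main__":
    for a in detect_fast_outbound(SAMPLE_EVENTS):
        print(a)
```

Widening the window catches slower beacons at the cost of more benign hits, which is why the staging-directory signal is kept as a separate severity tier.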
## Related Tools/Techniques
- Other Go-based malware loaders.
---
# Tool/Technique: MAL\_PHISH\_ShellCode\_Enc\_Payload\_Feb25 & MAL\_PHISH\_Final\_Payload\_Feb25
## Overview
A set of related detections targeting malware likely delivered via phishing campaigns. This malware utilizes embedded shellcode which requires a user-supplied password to decrypt and execute the final payload.
## Technical Details
- Type: Malware family (Payload/Dropper)
- Platform: Windows (Implied by shellcode execution context)
- Capabilities: Initial access via phishing, credential-protected decryption, execution of final malware stage.
- First Seen: February 2025
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- TA0002 - Execution
- T1055 - Process Injection (Likely used by shellcode)
- TA0003 - Persistence / Defense Evasion
- T1027 - Obfuscated Files or Information (Encryption/packing)
## Functionality
### Core Capabilities
- Delivery through phishing vectors.
- Static analysis resistant due to encryption.
### Advanced Features
- **Password-gated decryption:** Requires user interaction (entering a password) to decrypt and run the final payload, so automated sandboxes that cannot supply the password never observe the second stage.
- Use of embedded shellcode for execution bootstrapping.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Outbound connections made only after the payload has been decrypted.
- Behavioral Indicators: Memory operations related to shellcode execution; attempts to prompt for user input for decryption key.
## Associated Threat Actors
- Threat actors utilizing phishing campaigns distributing password-protected XOR/encrypted payloads.
## Detection Methods
- Signature-based detection (YARA: MAL\_PHISH\_ShellCode\_Enc\_Payload\_Feb25, MAL\_PHISH\_Final\_Payload\_Feb25).
## Mitigation Strategies
- Strong user security awareness training regarding phishing attachments and password prompts.
- Application Control to restrict execution from temporary locations often used by downloaded phishing payloads.
## Related Tools/Techniques
- Other encrypted droppers relying on user interaction.
---
# Tool/Technique: SUSP\_Sysinternals\_Desktops\_Anomaly\_Feb25
## Overview
Detection signature for anomalous behavior involving the Sysinternals Desktops binary. The rule indicates that this legitimate Sysinternals tool is being used in an unexpected way, possibly by adversaries for reconnaissance or sideloading.
## Technical Details
- Type: Suspicious Usage / Technique
- Platform: Windows
- Capabilities: Abuse of legitimate system tools (Living Off The Land).
- First Seen: February 2025
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1564.001 - Hide Artifacts: Hidden Files and Directories (If used for staging)
- TA0006 - Credential Access / TA0007 - Discovery
- T1087 - Account Discovery (If used for enumeration)
## Functionality
### Core Capabilities
- Monitoring for unusual command-line arguments or execution contexts of `Desktops.exe`.
### Advanced Features
- None inherent to the tool; the signature relies on spotting adversarial misuse.
## Indicators of Compromise
- File Hashes: N/A
- File Names: `Desktops.exe` launched in an unexpected context.
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Anomalous process ancestry or command-line parameters for `Desktops.exe`.
## Associated Threat Actors
- Adversaries employing LOLBins (Living Off The Land Binaries) techniques.
## Detection Methods
- Signature-based detection (YARA: SUSP\_Sysinternals\_Desktops\_Anomaly\_Feb25).
## Mitigation Strategies
- Implement strict application allowlisting policies that limit the paths from which Sysinternals utilities may execute.
- Monitor process-creation logs for unexpected parent/child relationships involving system utilities.
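A baseline check for the parent/child and execution-path points above, added here as an example and not code from AhnLab or Sysinternals: it runs over constructed process-creation records (the field names, the expected-parent table and the approved tools directory are assumptions for this example) and reports Sysinternals binaries, Desktops.exe included, launched from an unexpected parent or an unapproved location.

```python
from pathlib import PureWindowsPath

# Hypothetical baseline: parents that legitimately launch each tool (lower-case).
EXPECTED_PARENTS = {
    "desktops.exe": {"explorer.exe"},
    "psexec.exe": {"cmd.exe", "powershell.exe"},
    "autoruns.exe": {"explorer.exe"},
}
# Hypothetical approved install location for Sysinternals tools.
APPROVED_DIRS = ("c:\\tools\\sysinternals",)
# Directories a downloaded phishing payload is typically staged in.
STAGING_HINTS = ("\\downloads\\", "\\temp\\")

def check_process(rec):
    """Return an alert dict for a baselined tool run outside its baseline, else None."""
    image = PureWindowsPath(rec["image"])
    name = image.name.lower()
    if name not in EXPECTED_PARENTS:
        return None                      # not a utility we baseline
    reasons = []
    parent = PureWindowsPath(rec["parent_image"]).name.lower()
    if parent not in EXPECTED_PARENTS[name]:
        reasons.append(f"unexpected parent {parent}")
    folder = str(image.parent).lower()
    if not folder.startswith(APPROVED_DIRS):
        reasons.append(f"image outside approved path: {folder}")
    if any(h in str(image).lower() for h in STAGING_HINTS):
        reasons.append("launched from a download or temp directory")
    if not reasons:
        return None
    return {"pid": rec["pid"], "image": name, "parent": parent, "reasons": reasons}

def scan(records):
    return [a for a in map(check_process, records) if a]

# Constructed process-creation records (Sysmon-like field names are an assumption).
SAMPLE_RECORDS = [
    {"pid": 1, "image": r"C:\Tools\Sysinternals\Desktops.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 2, "image": r"C:\Users\u\AppData\Local\Temp\Desktops.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 3, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```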
## Related Tools/Techniques
- Abuse of other Sysinternals utilities (e.g., PsExec, Autoruns).
---
# Tool/Technique: SUSP\_PE\_Compromised\_Certificate\_Feb25
## Overview
Signature targeting Portable Executable (PE) files that utilize a specific digital certificate known to have been compromised or widely used in a significant phishing campaign in February 2025.
## Technical Details
- Type: Suspicious File Artifact / Technique (Use of Compromised Artifact)
- Platform: Windows (PE files)
- Capabilities: Attempts to bypass signature checks by using a trusted or previously trusted certificate.
- First Seen: February 2025
## MITRE ATT&CK Mapping
- TA0003 - Persistence / TA0005 - Defense Evasion
- T1553.002 - Subvert Trust: Install Root Certificate (If certificate is maliciously installed, though here it refers to using a compromised one).
## Functionality
### Core Capabilities
- Signing malicious binaries to appear legitimate.
### Advanced Features
- Leveraging the residual trust associated with a compromised code-signing certificate.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: PE file exhibiting known malware characteristics while possessing the specific anomalous certificate.
## Associated Threat Actors
- Threat actors involved in the February 2025 phishing campaign.
## Detection Methods
- Signature-based detection (YARA: SUSP\_PE\_Compromised\_Certificate\_Feb25).
## Mitigation Strategies
- Implement certificate reputation checks, blocking binaries signed by certificates flagged as compromised.
- Rely less on code signing status and more on behavioral analysis for execution verification.
## Related Tools/Techniques
- Malware signed with stolen legitimate certificates.
---
*(The following sections summarize high-priority network and exploit detections from the Snort rules)*
# Tool/Technique: Web Application Exploitation & Vulnerability Targeting (CVEs)
## Overview
A collection of Snort rules targeting active exploits, specifically focusing on vulnerabilities in Microsoft products, Palo Alto PAN-OS, and Zyxel devices, as well as general malware C2 traffic.
## Technical Details
- Type: Exploitation / Network Threat
- Platform: Various (Web Servers, Firewalls, Endpoints)
- Capabilities: Detecting exploitation attempts against specific CVEs, C2 beaconing, and unauthorized command execution against network devices.
- First Seen: As documented by the respective CVEs/emerging threats.
## MITRE ATT&CK Mapping
The relevant mappings largely relate to Initial Access and Execution via exploited vulnerabilities:
- TA0001 - Initial Access
- T1190 - Exploit Public-Facing Application (Relevant for CVEs against MS Purview, PAN-OS, Zyxel)
## Functionality
### Core Capabilities (Specific Exploits Detected)
- **CVE-2025-21385:** Microsoft Purview SSRF exploitation attempt.
- **CVE-2024-38030 / CVE-2024-21320:** Microsoft Windows Themes Spoofing exploitation.
- **CVE-2024-53704:** SonicOS SSLVPN Authentication Bypass (using 'swap' HTTP cookie manipulation).
- **CVE-2025-0108:** Palo Alto PAN-OS Management Web Interface Authentication Bypass.
- **CVE-2025-0890:** Zyxel DSL CPE Default Credentials exploitation (targeting 'supervisor', 'admin', 'zyuser').
- **CVE-2024-40890:** Zyxel DSL CPE Authenticated HTTP Command Injection.
### Advanced Features (Malware C2 Traffic)
- **ET TROJAN ReverseLoader Style Payload Request (GET):** Detecting known request patterns from a ReverseLoader type malware.
- **ET TROJAN Snake Keylogger Exfil via SMTP (VIP Recovery):** Specific network communication patterns indicating data exfiltration by the Snake Keylogger, potentially disguised as "VIP Recovery" traffic.
- **ET TROJAN Build Your Own Botnet CnC Exfil (POST):** Detection of command-and-control exfiltration over HTTP POST requests associated with the open-source Build Your Own Botnet (BYOB) framework.
- **ET TROJAN TA582 CnC Checkin:** Detecting known beaconing patterns attributed to the TA582 threat group.
## Indicators of Compromise
- Network Indicators: Traffic matching specific GET/POST patterns associated with ReverseLoader, Snake Keylogger, and TA582 check-ins. Network sessions attempting to exploit the listed CVEs against vulnerable services.
## Associated Threat Actors
- Threat Actors targeting specific network device vulnerabilities (Palo Alto, Zyxel).
- Snake Keylogger operators.
- TA582 (A known financier/delivery group).
## Detection Methods
- Signature-based detection (Snort Rules: ET EXPLOIT, ET TROJAN, ET WEB\_SPECIFIC\_APPS).
## Mitigation Strategies
- Patch identified CVEs immediately (Microsoft Purview, Windows Themes, PAN-OS, Zyxel).
- Disable unused services on network infrastructure (e.g., non-essential features on Zyxel/SonicOS).
- Implement application-aware firewall rules to monitor and block known malicious C2 communication patterns.
- Change default credentials on Zyxel devices.
## Related Tools/Techniques
- Other known exploitation frameworks targeting public-facing applications.