Full Report
The following is the information on YARA and Snort rules (week 3, January 2025) collected and shared by the AhnLab TIP service.

5 YARA Rules

| Detection name | Description | Source |
| --- | --- | --- |
| PK_BancaTransilvania_bt24 | Phishing Kit impersonating Banca Transilvania | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_DHL_wespam | Phishing Kit impersonating DHL | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_IdahoCentralCU_prohqcker | Phishing Kit impersonating Idaho Central Credit Union | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Binance_kr3pto | Phishing Kit impersonating […] | […] |
Analysis Summary
This summary covers the malicious artifacts and detection signatures identified in the AhnLab TIP report for the third week of January 2025, focusing on Phishing Kits, several distinct malware families (RATs, info-stealers, and loaders), and vulnerability exploitation attempts.
Since the source material primarily provides detection names, sources, and associated CVEs rather than comprehensive malware payloads, the details for capabilities, IoCs, and deep functionality are inferred based on the detection rule names.
***
# Tool/Technique: Phishing Kits (Banca Transilvania, DHL, Idaho Central CU, Binance, MonCompteFormation)
## Overview
Several detection rules target specific **Phishing Kits** designed to impersonate legitimate financial institutions and service providers (Banca Transilvania, Idaho Central CU, Binance) and shipping/government portals (DHL, MonCompteFormation), indicating widespread credential harvesting activity.
## Technical Details
- Type: Malware (Phishing Kit)
- Platform: Web Servers (likely PHP/HTML based)
- Capabilities: Credential harvesting, social engineering page loading.
- First Seen: Week 3, January 2025 (based on report date)
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (If used via email delivery)
- T1566.002 - Spearphishing Link
## Functionality
### Core Capabilities
- Creating deceptive web pages mimicking login portals of targeted organizations.
- Capturing user input (credentials, sensitive data).
### Advanced Features
- Tailored layouts specific to the targeted entity (e.g., PK\_CPF\_lead targeting MonCompteFormation).
## Indicators of Compromise
- File Hashes: [Not provided by source]
- File Names: [Inferred: Components of known phishing kit structures]
- Registry Keys: [Not applicable / not provided]
- Network Indicators: [Inferred: Communication to attacker-controlled C2 domains for credential submission]
- Behavioral Indicators: [Inferred: Creation of web files, rapid creation of user session files]
## Associated Threat Actors
- Unknown generalized cybercriminals focused on credential theft.
## Detection Methods
- Signature-based detection (YARA Rules: PK\_BancaTransilvania\_bt24, PK\_DHL\_wespam, PK\_IdahoCentralCU\_prohqcker, PK\_Binance\_kr3pto, PK\_CPF\_lead).
## Mitigation Strategies
- User training against phishing attempts.
- Implementing robust email filtering and DMARC/SPF/DKIM authentication.
- Monitoring external hosting for cloned brand websites.
## Related Tools/Techniques
- Web shells used for initial placement post-exploitation.
***
# Tool/Technique: Telemiris C2 Checkin
## Overview
Snort rules are signaling network traffic associated with **Telemiris**, a known Trojan often involved in remote access and C2 communication.
## Technical Details
- Type: Trojan (Implied C2 activity)
- Platform: Unknown (Network Traffic)
- Capabilities: Command and Control communication beaconing.
- First Seen: Week 3, January 2025 (based on report date)
## MITRE ATT&CK Mapping
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Likely HTTP/HTTPS based on "Checkin" designation)
## Functionality
### Core Capabilities
- Maintaining persistent communication with the attacker's infrastructure.
### Advanced Features
- [Not specified]
## Indicators of Compromise
- File Hashes: [Not provided by source]
- File Names: [Not provided by source]
- Registry Keys: [Not provided by source]
- Network Indicators: Traffic matching the signature for **Telemiris CnC Checkin**.
- Behavioral Indicators: Routine outbound connections to known malicious infrastructure IPs/domains.
## Associated Threat Actors
- Threat actors utilizing the Telemiris payload.
## Detection Methods
- Signature-based detection (Snort Rule: ET TROJAN Telemiris CnC Checkin).
- Network monitoring for suspicious beacons.
## Mitigation Strategies
- Network segmentation.
- Egress filtering to block non-standard outbound connections.
## Related Tools/Techniques
- Other Remote Access Trojans (RATs) like ShadowROOT, Sheet RAT.
***
# Tool/Technique: ShadowROOT RAT
## Overview
Multiple Snort rules specifically target indicators related to the **ShadowROOT RAT**, focusing on the characteristics of its SSL certificates used for C2 communications.
## Technical Details
- Type: Remote Access Trojan (RAT)
- Platform: Unknown
- Capabilities: Remote command execution, data exfiltration, persistence (inferred for a RAT).
- First Seen: Prior to January 2025 (Indicators observed in this reporting week).
## MITRE ATT&CK Mapping
- T1071 - Application Layer Protocol (C2)
- T1105 - Ingress Tool Transfer (Implied payload delivery)
## Functionality
### Core Capabilities
- Establishing encrypted C2 channels verified by specific, suspicious SSL certificate details (Serial, Issuer, Subject).
### Advanced Features
- C2 channel obfuscation or strong identification via certificate fingerprints.
## Indicators of Compromise
- File Hashes: [Not provided by source]
- File Names: [Not provided by source]
- Registry Keys: [Not provided by source]
- Network Indicators: Traffic involving SSL certificates with specific characteristics observed in rules:
  - Malicious SSL Cert Serial Observed M1/M2
  - Malicious SSL Cert Subject Observed (GGliberium44)
  - Malicious SSL Certificate Issuer Observed (GGliberium44)
- Behavioral Indicators: C2 beaconing utilizing these specific certificate properties.
## Associated Threat Actors
- Operators deploying the ShadowROOT malware, potentially linked to the "GGliberium44" entity (as per certificate details).
## Detection Methods
- Signature-based detection (Snort Rules monitoring SSL certificate metadata).
## Mitigation Strategies
- SSL/TLS inspection at the gateway layer.
- Monitoring for newly seen or unusual certificate serials/subjects communicating outbound.
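The certificate-metadata detection and the "newly seen certificate" monitoring described above can be reproduced over TLS connection logs. The following is an added example (not code from the AhnLab report or from the Emerging Threats rules): it scans a constructed, tab-separated TLS log whose column layout is this example's own (loosely modelled on a Zeek ssl/x509 export, not Zeek's actual schema) against a watchlist. Only the "GGliberium44" subject/issuer string comes from the report; the serial values are labelled placeholders because the report publishes none, and the baseline of previously seen subjects is assumed to be maintained elsewhere.

```python
# Constructed TLS-connection log for illustration; not data from the report.
# Columns are this example's own: ts, src, dst, dst_port, serial, issuer, subject.
SAMPLE_TLS_LOG = """\
ts\tsrc\tdst\tdst_port\tserial\tissuer\tsubject
1736899200\t10.0.0.5\t203.0.113.10\t443\t0a1b2c\tCN=R3,O=Let's Encrypt,C=US\tCN=mail.example.com
1736899260\t10.0.0.7\t198.51.100.20\t443\tPLACEHOLDER_SERIAL_M1\tCN=GGliberium44\tCN=GGliberium44
1736899320\t10.0.0.9\t192.0.2.30\t8443\t7f7f7f\tCN=selfsigned\tCN=unknown-host.invalid
"""

# Watchlist mirroring the three rule families named in the report (serial, issuer, subject).
# The serials are placeholders: the report does not publish the real values.
WATCHLIST = {
    "serials": {"PLACEHOLDER_SERIAL_M1", "PLACEHOLDER_SERIAL_M2"},
    "issuer_substrings": ["GGliberium44"],
    "subject_substrings": ["GGliberium44"],
}


def parse_tls_log(text):
    """Parse the header-first, tab-separated log into a list of dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def watchlist_hits(record, watchlist):
    """Return the watchlist fields a single connection record matches (empty if none)."""
    reasons = []
    serials = {s.lower() for s in watchlist["serials"]}
    if record["serial"].lower() in serials:
        reasons.append("serial")
    if any(n.lower() in record["issuer"].lower() for n in watchlist["issuer_substrings"]):
        reasons.append("issuer")
    if any(n.lower() in record["subject"].lower() for n in watchlist["subject_substrings"]):
        reasons.append("subject")
    return reasons


def scan_tls_log(text, watchlist, known_subjects):
    """Alert on watchlist matches and on certificate subjects never seen before.

    known_subjects is the baseline set of subjects already observed in the environment;
    it is updated in place so a subject is only reported as new once.
    Returns a list of (dst, subject, reasons) tuples.
    """
    alerts = []
    for rec in parse_tls_log(text):
        reasons = watchlist_hits(rec, watchlist)
        if rec["subject"] not in known_subjects:
            reasons.append("new-subject")
            known_subjects.add(rec["subject"])
        if reasons:
            alerts.append((rec["dst"], rec["subject"], tuple(reasons)))
    return alerts


if __name__ == "__main__":
    baseline = {"CN=mail.example.com"}
    for dst, subject, reasons in scan_tls_log(SAMPLE_TLS_LOG, WATCHLIST, baseline):
        print(f"{dst}\t{subject}\t{','.join(reasons)}")
```

The "new-subject" branch is deliberately separate from the watchlist branch: watchlist hits are high-confidence and should alert on their own, while a never-seen subject is a low-severity hunting lead that only becomes interesting when it recurs or points at an unexpected destination.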
## Related Tools/Techniques
- Other RATs observed (Sheet RAT).
***
# Tool/Technique: GammaLoad C2 Activity
## Overview
A detection rule flags network activity related to **GammaLoad**, indicating Command and Control communication, likely associated with a loader component.
## Technical Details
- Type: Loader / C2 activity
- Platform: Unknown
- Capabilities: Potential delivery mechanism for subsequent stage malware payloads.
- First Seen: Prior to January 2025.
## MITRE ATT&CK Mapping
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (GET requests are flagged)
## Functionality
### Core Capabilities
- Performing command and control beacons using HTTP GET requests.
### Advanced Features
- [Not specified]
## Indicators of Compromise
- File Hashes: [Not provided by source]
- File Names: [Not provided by source]
- Registry Keys: [Not provided by source]
- Network Indicators: Traffic matching the signature for **GammaLoad CnC Activity (GET)**.
- Behavioral Indicators: Outbound HTTP GET requests associated with GammaLoad infrastructure.
## Associated Threat Actors
- Threat actors utilizing GammaLoad to maintain access or deliver secondary payloads.
## Detection Methods
- Signature-based detection (Snort Rule: ET TROJAN GammaLoad CnC Activity (GET)).
## Mitigation Strategies
- Web proxy logging and analysis.
## Related Tools/Techniques
- Downloaders and other loaders.
***
# Tool/Technique: Sheet RAT C2 Checkin
## Overview
A detection rule specifically identifies C2 check-in activity related to **Sheet RAT**.
## Technical Details
- Type: Remote Access Trojan (RAT)
- Platform: Unknown
- Capabilities: Remote command execution and exfiltration (inferred).
- First Seen: Prior to January 2025.
## MITRE ATT&CK Mapping
- T1071 - Application Layer Protocol (C2 beaconing)
## Functionality
### Core Capabilities
- Beaconing out to command servers.
### Advanced Features
- [Not specified]
## Indicators of Compromise
- File Hashes: [Not provided by source]
- File Names: [Not provided by source]
- Registry Keys: [Not provided by source]
- Network Indicators: Traffic matching the signature for **Sheet RAT CnC Checkin**.
- Behavioral Indicators: Suspicious network connections resembling RAT C2 patterns.
## Associated Threat Actors
- Operators deploying the Sheet RAT.
## Detection Methods
- Signature-based detection (Snort Rule: ET TROJAN Sheet RAT CnC Checkin).
## Mitigation Strategies
- Network traffic analysis.
## Related Tools/Techniques
- ShadowROOT RAT.
***
# Tool/Technique: CryptBot C2 and Exfiltration
## Overview
Multiple rules target the **CryptBot** malware, indicating both command and control communication and attempts at data exfiltration, suggesting this information stealer/botnet component is active.
## Technical Details
- Type: Trojan / Botnet component (CryptBot)
- Platform: Likely Windows
- Capabilities: C2 communication, data theft/exfiltration.
- First Seen: Prior to January 2025.
## MITRE ATT&CK Mapping
- T1071 - Application Layer Protocol (C2)
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Communicating with its C2 infrastructure.
- Attempting to send stolen data out over the established channel.
### Advanced Features
- [Not specified, but CryptBot is typically an information stealer focused on browser credentials and cryptocurrency wallet data]
## Indicators of Compromise
- File Hashes: [Not provided by source]
- File Names: [Not provided by source]
- Registry Keys: [Not provided by source]
- Network Indicators: Traffic matching:
  - ET TROJAN CryptBot CnC Checkin
  - ET TROJAN CryptBot Data Exfiltration Attempt
- Behavioral Indicators: Outbound network connections followed by unusual data transfers.
## Associated Threat Actors
- Threat actors utilizing the CryptBot botnet infrastructure.
## Detection Methods
- Signature-based detection (Snort Rules monitoring C2 and exfiltration traffic).
## Mitigation Strategies
- Comprehensive endpoint protection to block payload execution.
## Related Tools/Techniques
- Other information stealers.
***
# Tool/Technique: Konni APT C2 Checkin
## Overview
Detection for the **Konni APT** malware family’s C2 check-in activity, indicating activity from this established threat group.
## Technical Details
- Type: Malware (Implied C2 activity from APT group)
- Platform: Unknown
- Capabilities: C2 communication, maintaining persistence for APT operations.
- First Seen: Prior to January 2025.
## MITRE ATT&CK Mapping
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (GET requests are flagged for Checkin)
## Functionality
### Core Capabilities
- Establishing contact with the APT operator's infrastructure.
### Advanced Features
- [Not specified]
## Indicators of Compromise
- File Hashes: [Not provided by source]
- File Names: [Not provided by source]
- Registry Keys: [Not provided by source]
- Network Indicators: Traffic matching the signature for **ET TROJAN Konni APT CnC Checkin (GET)**.
## Associated Threat Actors
- Konni APT Group.
## Detection Methods
- Signature-based detection (Snort Rule).
## Mitigation Strategies
- Threat hunting based on known Konni behaviors.
## Related Tools/Techniques
- Other APT malware families.
***
# Tool/Technique: PHASEJAM Web Shell
## Overview
Snort rules are deployed to detect network activity associated with the **PHASEJAM Web Shell**, indicating potential web server compromise.
## Technical Details
- Type: Web Shell (PHASEJAM)
- Platform: Web Servers (IIS, Apache, etc.)
- Capabilities: Remote code execution via HTTP requests on a compromised web server.
- First Seen: Prior to January 2025.
## MITRE ATT&CK Mapping
- T1505 - Server Software Component
- T1505.003 - Web Shell
## Functionality
### Core Capabilities
- Allowing remote attackers to execute arbitrary commands on the web server.
### Advanced Features
- [Not specified; the M1/M2 suffixes in the rule names denote two variants of the detection signature rather than documented malware features]
## Indicators of Compromise
- File Hashes: [Not provided by source]
- File Names: [Not provided by source - Rule looks for characteristic payloads/behaviors]
- Registry Keys: [Not applicable]
- Network Indicators: Traffic matching the signature for **PHASEJAM Web Shell Activity Observed M1/M2**.
- Behavioral Indicators: Web requests containing command execution parameters to known shell locations.
## Associated Threat Actors
- Attackers utilizing web shells for initial access or persistence on web infrastructure.
## Detection Methods
- Signature-based detection (Snort Rules monitoring web shell request/response activity).
## Mitigation Strategies
- Regular file integrity monitoring (FIM) on web application directories.
- Strong input validation and filtering for web requests.
## Related Tools/Techniques
- Other web shells (e.g., China Chopper, WSO).
***
# Vulnerability Exploitation Techniques (CVEs)
This section summarizes observed activities targeting specific vulnerabilities, which fall under the Exploitation and Impact tactics.
# Tool/Technique: Microsoft LDAP Referral Response Exploit (CVE-2024-49113)
## Overview
Detection for exploitation attempts against a vulnerability in Microsoft's LDAP implementation identified as **CVE-2024-49113**.
## Technical Details
- Type: Exploit
- Platform: Windows/LDAP Servers
- Capabilities: Exploitation of the vulnerability, potentially leading to initial access or elevation.
- First Seen: Prior to January 2025.
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application (applies if the LDAP service is external facing; T1190 has no sub-techniques)
## Functionality
### Core Capabilities
- Sending a specifically crafted LDAP Referral Response to trigger the vulnerability condition.
## Indicators of Compromise
- Network Indicators: Traffic matching the signature for **ET EXPLOIT Microsoft LDAP Referral Response Inbound (CVE-2024-49113)**.
## Mitigation Strategies
- Patching systems to address **CVE-2024-49113**.
***
# Tool/Technique: Kerio Control CRLF Injection / Response Splitting (CVE-2024-52875)
## Overview
Detection rules flag exploitation of **CVE-2024-52875** in **Kerio Control**, involving both CRLF Injection via the `dest` parameter and HTTP Response Splitting.
## Technical Details
- Type: Exploit (Web Application Vulnerability)
- Platform: Kerio Control Software
- Capabilities: Injection of arbitrary control characters (CR/LF) used to bypass parsing, potentially leading to session hijacking or cache poisoning.
## MITRE ATT&CK Mapping
- T1505 - Server Software Component
- T1505.003 - Web Shell (If used for persistence)
- T1070.004 - Indicator Removal: File Deletion (If used to cover tracks post-exploitation)
## Functionality
### Core Capabilities
- Injecting newline characters into the HTTP request headers/parameters to prematurely terminate the original response and prepend malicious content (Response Splitting).
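To make the mechanism concrete from the defender's side, the following added example (not code from the report, from Kerio, or from the Emerging Threats rule) shows three things side by side: a request-line check that flags CR/LF in a query parameter after one and two rounds of percent-decoding, the vulnerable pattern of copying a parameter straight into a `Location` header so that an injected CRLF becomes an extra header line, and a hardened builder that rejects control characters and off-site targets. The `dest` parameter name is the one the rule cites; the `/app` path and the request values are constructed for illustration.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample request lines (not from the report). `dest` is the parameter named in
# the Kerio Control rule; the path and the values are made up for illustration.
SAMPLE_REQUESTS = [
    "GET /app?dest=%2Fhome HTTP/1.1",                                   # benign
    "GET /app?dest=%2Fx%0d%0aSet-Cookie%3A+injected%3D1 HTTP/1.1",      # percent-encoded CRLF
    "GET /app?dest=%2Fx%250d%250aX-Test%3A1 HTTP/1.1",                  # double-encoded CRLF
]


def find_crlf_in_query(raw_query):
    """Return (name, decoded_value) for every parameter whose value carries CR or LF.

    parse_qs performs one round of percent-decoding; the extra unquote() catches
    double-encoded sequences such as %250d%250a that a lax backend might decode again.
    """
    findings = []
    for name, values in parse_qs(raw_query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            if "\r" in decoded or "\n" in decoded:
                findings.append((name, decoded))
    return findings


def scan_request_line(request_line):
    """Detection-side check: inspect the query string of an HTTP request line."""
    _method, target, _version = request_line.split(" ", 2)
    return find_crlf_in_query(urlsplit(target).query)


def naive_redirect(dest):
    """Vulnerable pattern: the parameter is copied verbatim into a header line."""
    return f"HTTP/1.1 302 Found\r\nLocation: {dest}\r\nContent-Length: 0\r\n\r\n"


def header_lines(raw_response):
    """Split the header block; an injected CRLF shows up as an extra header line."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")


def safe_location_header(dest):
    """Hardened form: refuse control characters and anything but a same-site absolute path.

    The control-character check runs before urlsplit() on purpose: recent Python versions
    silently strip CR, LF and TAB inside urlsplit(), which would hide the injection.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in dest):
        raise ValueError("control character in redirect target")
    parts = urlsplit(dest)
    if parts.scheme or parts.netloc or not dest.startswith("/") or dest.startswith("//"):
        raise ValueError("redirect target must be a same-site absolute path")
    return f"Location: {dest}"


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line, "->", scan_request_line(line) or "clean")
```

The double-decoding pass produces hits a strict backend would never act on, so it belongs in a detection or logging path rather than in a blocking rule unless the target application is known to decode twice.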
## Indicators of Compromise
- Network Indicators: Traffic matching the signature for **ET WEB\_SPECIFIC\_APPS Kerio Control CRLF Injection via dest Parameter (CVE-2024-52875)** and **ET WEB\_SPECIFIC\_APPS Kerio Control HTTP Response Splitting (CVE-2024-52875)**.
## Mitigation Strategies
- Patching Kerio Control immediately to address **CVE-2024-52875**.
***
# Tool/Technique: Ivanti Connect Secure Recon (CVE-2025-0282)
## Overview
A rule monitors for reconnaissance activity targeting **Ivanti Connect Secure** devices related to **CVE-2025-0282**.
## Technical Details
- Type: Reconnaissance / Exploit Preparation
- Platform: Ivanti Connect Secure Gateways
- Capabilities: Probing the gateway for the presence or exploitation of the vulnerability.
## MITRE ATT&CK Mapping
- T1595 - Active Scanning
- T1595.002 - Vulnerability Scanning
## Functionality
### Core Capabilities
- Sending specific requests to test the target endpoint for flaws associated with CVE-2025-0282.
## Indicators of Compromise
- Network Indicators: Traffic matching the signature for **ET WEB\_SPECIFIC\_APPS Ivanti Connect Secure Host Checker Recon (CVE-2025-0282)**.
## Mitigation Strategies
- Immediate patching/updating of Ivanti Connect Secure devices for **CVE-2025-0282**.
***
# Tool/Technique: Nagios XI Cross-Site Scripting (CVE-2021-25299)
## Overview
Detection for exploitation attempts related to a legacy **Cross-Site Scripting (XSS)** vulnerability in **Nagios XI** software.
## Technical Details
- Type: Exploit (XSS)
- Platform: Nagios XI (Monitoring Software)
- Capabilities: Injecting malicious client-side script via the `sshterm` functionality.
## MITRE ATT&CK Mapping
- T1059 - Command and Scripting Interpreter
- T1059.007 - JavaScript (Client-side execution)
## Indicators of Compromise
- Network Indicators: Traffic matching the signature for **ET WEB\_SPECIFIC\_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299)**.
## Mitigation Strategies
- Ensuring Nagios XI is patched to resolve **CVE-2021-25299**, or applying compensating controls if legacy software must remain in use.
***
# Tool/Technique: Roundcube XSS (CVE-2023-5631)
## Overview
Detection for exploitation attempts targeting a **Cross-Site Scripting (XSS)** vulnerability in **Roundcube** webmail software, specifically concerning SVG handling.
## Technical Details
- Type: Exploit (XSS via SVG)
- Platform: Roundcube Webmail Server
- Capabilities: Executing arbitrary JavaScript in the context of a logged-in Roundcube user.
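SVG is XML, so an inline SVG attachment can carry the same script vectors as an HTML document. The following added example (not code from the report or from Roundcube's `rcube_washtml.php`) shows the checks an SVG sanitizer needs at minimum: it walks the element tree with the standard library and flags `script`/`foreignObject` elements, `on*` event-handler attributes, and `href`/`xlink:href` values using the `javascript:` scheme, then produces a stripped copy. The sample SVG is constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Keep the default SVG prefix when re-serializing (cosmetic only).
ET.register_namespace("", SVG_NS)

# Constructed SVG attachment for illustration; not a sample from the report.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" onload="alert(document.cookie)"/>
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text>click</text></a>
  <circle r="5"/>
</svg>"""

DANGEROUS_ELEMENTS = {"script", "foreignObject"}
URL_ATTRIBUTES = {"href"}   # covers both plain href and {xlink}href after namespace stripping


def _local(qualified_name):
    """Strip an ElementTree '{namespace}name' down to the local name."""
    return qualified_name.rsplit("}", 1)[-1] if isinstance(qualified_name, str) else ""


def _is_script_url(value):
    return value.strip().lower().startswith("javascript:")


def find_svg_script_vectors(svg_text):
    """Return (kind, element, attribute) findings in document order; empty means clean."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_ELEMENTS:
            findings.append(("element", tag, ""))
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(("event-handler", tag, name))
            elif name in URL_ATTRIBUTES and _is_script_url(value):
                findings.append(("javascript-url", tag, name))
    return findings


def strip_svg_script_vectors(svg_text):
    """Return a copy of the SVG with the vectors above removed."""
    root = ET.fromstring(svg_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    doomed = []
    for el in root.iter():
        if _local(el.tag) in DANGEROUS_ELEMENTS:
            doomed.append(el)
            continue
        for attr in list(el.attrib):
            name = _local(attr)
            if name.lower().startswith("on") or (name in URL_ATTRIBUTES and _is_script_url(el.attrib[attr])):
                del el.attrib[attr]
    for el in doomed:            # remove after iterating so the tree is not mutated mid-walk
        parent_of[el].remove(el)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in find_svg_script_vectors(SAMPLE_SVG):
        print(finding)
    print(strip_svg_script_vectors(SAMPLE_SVG))
```

A deny-list like this is the floor, not the ceiling: a production sanitizer should instead allow-list the elements and attributes it understands, and serving user-supplied SVG as a download or from a sandboxed origin avoids the problem class altogether.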
## MITRE ATT&CK Mapping
- T1059 - Command and Scripting Interpreter
- T1059.007 - JavaScript
## Indicators of Compromise
- Network Indicators: Traffic matching the signature for **ET WEB\_SPECIFIC\_APPS Roundcube rcube\_washtml.php SVG Cross-Site Scripting (CVE-2023-5631)**.
## Mitigation Strategies
- Patching Roundcube installations to address **CVE-2023-5631**.