Full Report
The following is the information on YARA and Snort rules (week 4, December 2024) collected and shared by the AhnLab TIP service.

5 YARA Rules

| Detection name | Description | Source |
| :--- | :--- | :--- |
| PK_BankID_poko | Phishing Kit impersonating BankID | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_DisneyPlus_blackforce | Phishing Kit impersonating Disney Plus | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_O365_itna1337 | Phishing Kit impersonating Office 365 | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_BanquePostale_z0n51_2 | Phishing Kit impersonating la Banque […] | |

[…]
Analysis Summary
This summary covers the identified malware families, exploited vulnerabilities (CVEs), and associated network activity detected by Emerging Threats rules.
## Tool/Technique: Zloader C2 Activity
## Overview
Signatures related to the Zloader banking trojan, specifically observing HTTP User-Agents associated with its Command and Control (C2) communication, marked by the string "PresidentPutin".
## Technical Details
- Type: Malware Family (Trojan)
- Platform: Likely Windows (as Zloader is a known Windows malware family)
- Capabilities: Command and Control communication for a banking trojan.
- First Seen: Not specified in the context.
## MITRE ATT&CK Mapping
Due to the limited context (only C2 activity noted), mappings are generalized for C2 beaconing:
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols
## Functionality
### Core Capabilities
- Communication with C2 infrastructure using specific HTTP User-Agent strings.
### Advanced Features
- Not detailed, but Zloader traditionally performs initial infection, credential theft, and financial fraud.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Detected via specific User-Agent string matching during HTTP POST requests associated with CnC activity.
- Behavioral Indicators: Observing HTTP traffic containing the User-Agent "PresidentPutin".
## Associated Threat Actors
- Not explicitly linked to a specific actor in this snippet, but Zloader has been used widely by various financially motivated groups.
## Detection Methods
- Signature-based detection: Emerging Threats rule `ET TROJAN Zloader User-Agent Observed (PresidentPutin)`.
- Behavioral detection: Monitoring for unusual HTTP traffic patterns matching the defined User-Agent.
- YARA rules: N/A
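As an added illustration of the signature-based and behavioral checks above (this is example code written for this summary, not an Emerging Threats rule or AhnLab tooling), the script below parses constructed proxy-style log lines and flags any request whose User-Agent contains the `PresidentPutin` string the ET rule keys on. The log format, field order, IP addresses and paths are all constructed for the example.

```python
"""Added example: flag HTTP requests whose User-Agent contains a known-bad
string, the way the ET Zloader rule keys on "PresidentPutin".
The log format below is constructed for this example."""
import re
from collections import Counter

# Constructed sample of proxy/web-server log lines (not real traffic):
# timestamp, client IP, method, URL, status, "user-agent"
SAMPLE_LOG = """\
2024-12-23T10:00:01Z 10.0.0.5 POST http://198.51.100.7/upload 200 "PresidentPutin"
2024-12-23T10:00:02Z 10.0.0.6 GET http://example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-12-23T10:05:01Z 10.0.0.5 POST http://198.51.100.7/upload 200 "PresidentPutin"
2024-12-23T10:06:11Z 10.0.0.9 GET http://example.com/style.css 304 "curl/8.4.0"
"""

# Known-bad User-Agent substrings keyed to a detection name. Matching is a
# case-sensitive substring test on the raw UA value, mirroring a content
# match in a network signature.
BAD_USER_AGENTS = {
    "PresidentPutin": "ET TROJAN Zloader User-Agent Observed (PresidentPutin)",
}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_bad_user_agents(log_text):
    """Return a list of (timestamp, src, url, detection_name) for matching lines."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for needle, name in BAD_USER_AGENTS.items():
            if needle in rec["ua"]:
                hits.append((rec["ts"], rec["src"], rec["url"], name))
    return hits


def hosts_by_hit_count(hits):
    """Count detections per internal source host so repeat beaconers stand out."""
    return Counter(src for _, src, _, _ in hits)


if __name__ == "__main__":
    hits = find_bad_user_agents(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(dict(hosts_by_hit_count(hits)))
```

The per-host count is the useful triage output: a single UA match can be a false positive, but the same internal host repeating the match on a fixed cadence to one external address is the C2 beaconing pattern this page describes.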
## Mitigation Strategies
- Block known malicious C2 domains/IP addresses (if available).
- Monitor outbound HTTP traffic for suspicious User-Agents.
- Ensure endpoint protection is updated to detect Zloader payloads.
## Related Tools/Techniques
- Other banking trojans relying on HTTP-based C2 channels.
***
## Tool/Technique: XiebroC2 CnC Activity
## Overview
Signatures detecting network communications associated with the Xiebro trojan's Command and Control (C2) infrastructure, specifically identifying beaconing patterns labeled "KeepAlive M4" and data exfiltration/reporting via "SendInfo M4".
## Technical Details
- Type: Malware Family (Trojan)
- Platform: Not specified, but network protocols are common across platforms.
- Capabilities: Establishing and maintaining C2 communication channels, including reporting system information and signalling disconnection.
- First Seen: Not specified in the context.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols
- TA0008 - Collection
- T1083 - File and Directory Discovery (Implied by "List Process M4")
## Functionality
### Core Capabilities
- Establishing inbound/outbound C2 sessions ("KeepAlive").
- Sending system status/information ("SendInfo").
- Listing processes on the compromised host ("List Process M4").
- Graceful disconnection/teardown of control sessions ("Disconnect M4").
### Advanced Features
- Use of specific, presumably protocol-defined, markers (M4) for different C2 commands.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic matching the established protocols for Xiebro C2 communication patterns (KeepAlive, SendInfo, List Process, Disconnect).
- Behavioral Indicators: Specific outbound data transmission patterns corresponding to the "SendInfo M4" activity.
## Associated Threat Actors
- Not explicitly linked in the context.
## Detection Methods
- Signature-based detection: Multiple Emerging Threats rules monitoring inbound and outbound Xiebro C2 traffic (e.g., `ET TROJAN XiebroC2 CnC Activity KeepAlive M4 (Outbound)`).
- Behavioral detection: Monitoring for consistent, periodic C2 beaconing.
- YARA rules: N/A
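To show what "monitoring for consistent, periodic C2 beaconing" looks like in practice, here is an added example (written for this summary, not part of the original report or any Emerging Threats rule) that groups constructed connection-log records by source/destination pair and scores how evenly spaced the connections are. The log lines, IP addresses and thresholds are constructed assumptions; the coefficient of variation of inter-connection gaps is the assumed periodicity measure.

```python
"""Added example: detect consistent, periodic outbound connections (beaconing)
from connection-log records. Log lines and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed connection records: timestamp, source host, destination host:port.
# 10.0.0.5 connects every ~30 s (beacon-like); 10.0.0.6 connects irregularly.
SAMPLE_CONNECTIONS = """\
2024-12-23T10:00:00Z 10.0.0.5 203.0.113.10:443
2024-12-23T10:00:30Z 10.0.0.5 203.0.113.10:443
2024-12-23T10:01:00Z 10.0.0.5 203.0.113.10:443
2024-12-23T10:01:31Z 10.0.0.5 203.0.113.10:443
2024-12-23T10:02:00Z 10.0.0.5 203.0.113.10:443
2024-12-23T10:02:30Z 10.0.0.5 203.0.113.10:443
2024-12-23T10:00:05Z 10.0.0.6 198.51.100.20:443
2024-12-23T10:07:40Z 10.0.0.6 198.51.100.20:443
2024-12-23T10:09:02Z 10.0.0.6 198.51.100.20:443
2024-12-23T10:31:15Z 10.0.0.6 198.51.100.20:443
2024-12-23T10:45:00Z 10.0.0.6 198.51.100.20:443
2024-12-23T10:50:30Z 10.0.0.6 198.51.100.20:443
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def group_sessions(log_text):
    """Group connection timestamps by (src, dst) pair, each list sorted by time."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst = line.split()
        groups[(src, dst)].append(parse_ts(ts))
    for times in groups.values():
        times.sort()
    return groups


def beacon_score(times):
    """Return (mean gap in seconds, coefficient of variation) for a time series.
    A low coefficient of variation (std / mean) means evenly spaced connections,
    which is the consistent, periodic pattern a beacon produces. Returns None
    when there are too few points to judge."""
    if len(times) < 4:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(log_text, max_cv=0.2, min_connections=6):
    """Return {(src, dst): (mean_gap, cv)} for pairs that look periodic.
    max_cv and min_connections are constructed thresholds; tune them against
    a baseline of your own traffic."""
    suspects = {}
    for pair, times in group_sessions(log_text).items():
        if len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score and score[1] <= max_cv:
            suspects[pair] = score
    return suspects


if __name__ == "__main__":
    for (src, dst), (gap, cv) in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}: mean gap {gap:.1f}s, cv {cv:.3f}")
```

Real implants often add jitter, which raises the coefficient of variation; in that case widen `max_cv` and look at the ratio of connection count to session duration as a second signal rather than relying on evenness alone.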
## Mitigation Strategies
- Implement strict egress filtering to prevent unauthorized outbound C2 connections.
- Deploy network IDS/IPS to identify known C2 traffic signatures.
## Related Tools/Techniques
- Other persistent malware families using application-layer protocols for C2.
***
## Tool/Technique: PowerShell Loader Using Encryption Routine
## Overview
Detection of network traffic associated with an inbound connection attempting to deliver or interact with a generic PowerShell malware loader that utilizes an encryption routine to obfuscate its code or communication.
## Technical Details
- Type: Technique/Loader Behavior
- Platform: Windows (PowerShell)
- Capabilities: Downloading or receiving an encrypted payload executed via PowerShell.
- First Seen: Not specified in the context.
## MITRE ATT&CK Mapping
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- TA0003 - Persistence (Likely, if used for malware installation)
- T1547 - Boot or Logon Autostart Execution (If persistence is established)
## Functionality
### Core Capabilities
- Establishing an inbound connection (e.g., via HTTP POST or connection initiation).
- Deploying obfuscated/encrypted PowerShell code.
### Advanced Features
- Use of encryption routines suggests an effort to evade static antivirus signatures.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Specific HTTP requests corresponding to the delivery mechanism.
- Behavioral Indicators: Detection of PowerShell executing heavily obfuscated or encrypted strings.
## Associated Threat Actors
- Generic loaders are used by many threat actors aiming for initial access.
## Detection Methods
- Signature-based detection: `ET TROJAN Generic Powershell Loader Using Encryption Routine Inbound`.
- Behavioral detection: Monitoring for high entropy or encoded strings within PowerShell scripts executed in memory.
- YARA rules: N/A
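The "high entropy or encoded strings" check in the behavioral bullet above can be run over PowerShell Script Block Logging output. The following added example (written for this summary, not the original report's or any vendor's code) computes Shannon entropy for long base64-looking runs, looks for decode-and-run tokens, and decodes `-EncodedCommand` style blobs (base64 of UTF-16LE text) so the analyst sees the plaintext. The sample script blocks, the entropy threshold and the token list are constructed assumptions.

```python
"""Added example: score PowerShell script text for encoded or high-entropy
content. Sample script blocks are constructed; thresholds are assumptions."""
import base64
import math
import re


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Long runs of base64 alphabet characters: -EncodedCommand and
# FromBase64String payloads show up as these.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Cmdlets/arguments that commonly wrap an in-memory decode-and-run step
# (constructed list; extend from your own telemetry).
SUSPICIOUS_TOKENS = ("FromBase64String", "-EncodedCommand", "-enc ",
                     "Invoke-Expression", "IEX")


def decode_utf16_base64(blob):
    """Decode an -EncodedCommand style blob (base64 of UTF-16LE); None if not decodable."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_script(text, entropy_threshold=5.0):
    """Return a dict of findings for one script block."""
    b64_runs = B64_RUN.findall(text)
    findings = {
        "tokens": [t for t in SUSPICIOUS_TOKENS if t in text],
        "b64_runs": len(b64_runs),
        "max_run_entropy": max((shannon_entropy(r) for r in b64_runs), default=0.0),
        # Plaintext of any run that decodes cleanly as UTF-16LE.
        "decoded": [d for d in map(decode_utf16_base64, b64_runs) if d],
    }
    findings["suspicious"] = (bool(findings["tokens"])
                              or findings["max_run_entropy"] >= entropy_threshold)
    return findings


# Constructed benign and suspicious script blocks.
BENIGN = "Get-ChildItem -Path C:\\Logs -Filter *.log | Select-Object Name, Length"
_inner = "Write-Host 'constructed payload'"  # stands in for a decoded loader stage
SUSPICIOUS = ("powershell.exe -nop -w hidden -EncodedCommand "
              + base64.b64encode(_inner.encode("utf-16-le")).decode())


if __name__ == "__main__":
    for label, script in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, analyze_script(script))
```

Note that base64 of UTF-16LE text has a lower entropy than base64 of compressed or encrypted bytes (the interleaved zero bytes repeat), so the decode step matters: the token match and successful decode catch the encoded-command case, while the entropy threshold is what catches the encrypted-blob case this section's rule name refers to.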
## Mitigation Strategies
- Constrain PowerShell execution policies.
- Implement Script Block Logging and Module Logging for PowerShell to capture the code before or after decryption.
- Use application control solutions (e.g., AMSI) to scan scripts executed via PowerShell.
## Related Tools/Techniques
- Other fileless techniques leveraging scripting engines (e.g., wscript, mshta).
***
## Tool/Technique: Xenorat C2 Activity
## Overview
Signatures detecting the initial handshake and standard C2 server response traffic associated with the Xenorat Remote Access Trojan (RAT).
## Technical Details
- Type: Malware Family (Trojan/RAT)
- Platform: Not specified (Xenorat has been seen on multiple OSes, but context suggests network communication).
- Capabilities: Initial connection establishment with the C2 server.
- First Seen: Not specified in the context.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
## Functionality
### Core Capabilities
- Initial connection attempt (handshake) with the hardcoded or configured C2 server.
- Receipt of the expected default response from the C2 server, confirming the beacon is active.
### Advanced Features
- N/A (Focus is on default protocol interaction).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic matching the distinct patterns defined for the Xenorat "Default Handshake Inbound" and "Default C2 Server Response Inbound".
- Behavioral Indicators: Successful two-way communication matching the predefined Xenorat protocol sequence.
## Associated Threat Actors
- Not explicitly linked in the context.
## Detection Methods
- Signature-based detection: Rules for both handshake and response phases (`ET TROJAN Xenorat Default C2 Server Response Inbound`, etc.).
- Behavioral detection: Monitoring for connections to suspicious IPs that respond predictably to the Xenorat handshake.
- YARA rules: N/A
## Mitigation Strategies
- Identify and block all external connections to known Xenorat C2 infrastructure.
## Related Tools/Techniques
- Other RATs employing unique, predictable handshake sequences.
***
## Tool/Technique: Vulnerabilities Across Various Security Products (CVE Summary)
This section summarizes various vulnerabilities exploited by attackers, focusing on the products and the vulnerability type.
| Name | CVE | Type | Platform/Product | Primary Impact | ATT&CK Mapping (General) |
| :--- | :--- | :--- | :--- | :--- | :--- |
| Cleo MFT Arbitrary File Write | CVE-2024-55956 | Vulnerability | Cleo MFT | Arbitrary File Write | T1083 (File Discovery) / T1105 (Ingress Tool Transfer) |
| Apache Struts2 Path Traversal | CVE-2024-53677 | Vulnerability | Apache Struts2 | Path Traversal | T1080 (T1080.001 - Environment Variable) or T1564 Path Traversal |
| Draytek Command Injection (various) | CVE-2020-15415, CVE-2023-1162, CVE-2023-24229 | Vulnerability | Draytek Routers | Command Injection | T1059 (Command and Scripting Interpreter) |
| Draytek Arbitrary File Read (various) | CVE-2023-1009, CVE-2023-1163 | Vulnerability | Draytek Routers | Arbitrary File Read | T1083 (File and Directory Discovery via RCE) |
| Draytek Arbitrary File Deletion | CVE-2023-6265 | Vulnerability | Draytek Routers | Arbitrary File Deletion | T1485 (Data Destruction) |
| Fortinet FortiWLM Command/File Access | CVE-2023-34993/48782 (Exec), CVE-2023-48783 (Read) | Vulnerability | Fortinet FortiWLM | Command Injection / Arbitrary File Read | T1059 (Command Execution) / T1083 (File Discovery) |
| NUUO NVRmini Command Injection | CVE-2018-14933 | Vulnerability | NUUO NVRmini | Command Injection | T1059 (Command Execution) |
| Fortinet FortiClient EMS SQL Injection | CVE-2023-48788 | Vulnerability | FortiClient EMS | SQL Injection | T1059.003 (SQL) |
| Windows Contacts Syslink Control Escape | CVE-2022-44666 | Vulnerability | Microsoft Windows Contacts | Escape Sequence Handling | T1204.002 (User Execution: Malicious File) |
| Craft CMS Template Path Injection RCE | CVE-2024-56145 | Vulnerability | Craft CMS | Remote Code Execution (RCE) | T1204.002 (User Execution: Malicious File) or T1190 (Exploit Public-Facing Application) |
***
### General Findings for Vulnerability Exploitation
## Tool/Technique: Web Application Exploitation Techniques
## Overview
A collection of network alerts indicating attempts to exploit known vulnerabilities in various web applications and networking hardware, primarily leveraging command injection, path traversal, and file access flaws for initial access or post-exploitation activities.
## Technical Details
- Type: Technique (Exploitation Attempt)
- Platform: Web Servers, Network Appliances (Draytek, Fortinet, NUUO), CMS Platforms (Craft CMS).
- Capabilities: Achieving RCE, unauthorized file access, or configuration modification on target devices.
- First Seen: Varies based on the linked CVE disclosure date.
## MITRE ATT&CK Mapping
Specific tactics for exploitation:
- TA0001 - Initial Access
- T1190 - Exploit Public-Facing Application
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter (via Injection flaws)
- TA0005 - Defense Evasion (via bypassing input validation)
## Functionality
### Core Capabilities
- **Command Injection:** Delivering OS commands via specially crafted input fields (Draytek, FortiWLM).
- **Path Traversal:** Accessing sensitive files outside the intended directory structure (Apache Struts2, Draytek).
- **File Write/Deletion:** Manipulating system files (Cleo MFT, Draytek).
- **Credential/Data Theft:** Reading sensitive memory or configuration files (Fortinet File Read).
### Advanced Features
- Exploitation often occurs over HTTP requests targeting specific application functions (`mainfunction.cgi`, `upgrade_handle.php`, template engine handlers).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Inbound HTTP requests containing payloads indicative of path traversal sequences (e.g., `%2e%2e%2f` for `../`) or command injection characters (`|`, `;`).
- Behavioral Indicators: Application servers returning unusual output or crashing after processing malicious input.
## Associated Threat Actors
- Attackers targeting legacy or unpatched devices, APT groups targeting critical infrastructure (especially network appliances).
## Detection Methods
- Signature-based detection: Numerous Emerging Threats rules are dedicated to specific CVE exploitation attempts (e.g., rules referencing the CVE numbers).
- Behavioral detection: Monitoring application logs for error conditions indicative of injection failures or successful command execution.
- YARA rules: N/A
## Mitigation Strategies
- **Patching:** Immediately apply security patches for all mentioned CVEs (including Web servers, CMS, and network appliances).
- **Input Validation:** Implement strict, allow-list-based input validation on all user-controllable parameters on web applications.
- **Segmentation:** Isolate web-facing assets from core internal networks.
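The network indicators listed above (encoded traversal sequences, shell metacharacters) and the allow-list input validation recommended here are two sides of the same problem, so one added example covers both. It is written for this summary and is not code from the original report or from any of the products named: the first part fully percent-decodes a request path (including double encoding) before looking for `../` or injection characters, and the second part validates a file-name parameter against an allow-list. The sample request paths and the allow-list pattern are constructed assumptions.

```python
"""Added example: (1) decode a request path and flag traversal/injection
indicators; (2) allow-list validation of a user-controlled parameter.
Sample requests and the allow-list pattern are constructed."""
import re
from urllib.parse import unquote

TRAVERSAL = re.compile(r"\.\.(/|$)")
# Pipe and semicolon are the characters the page lists as injection
# indicators; backtick and $( are added as common shell substitution forms.
# This is an indicator for alerting, not proof of exploitation.
SHELL_META = re.compile(r"[|;`]|\$\(")


def fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly until stable, so %252e%252e%252f is seen as ../"""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def classify_request(path):
    """Return the set of indicator labels for one request path/query string."""
    decoded = fully_decode(path).replace("\\", "/")
    labels = set()
    if TRAVERSAL.search(decoded):
        labels.add("path_traversal")
    if SHELL_META.search(decoded):
        labels.add("command_injection_chars")
    if decoded != path:
        labels.add("url_encoded")
    return labels


# Allow-list validation: accept only the exact shape the application needs.
# Constructed pattern: a short name from a fixed alphabet with a fixed extension.
FILENAME_ALLOWED = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(log|txt)$")


def validate_filename(value):
    """True only for a plain file name from the allowed alphabet and extensions."""
    return bool(FILENAME_ALLOWED.fullmatch(value))


# Constructed request paths as a web server or proxy might log them.
SAMPLE_REQUESTS = [
    "/static/app.css",
    "/download?file=report.log",
    "/download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "/download?file=%252e%252e%252fetc%252fpasswd",
    "/cgi-bin/status?host=10.0.0.1;id",
]


def scan_requests(paths):
    """Map each request path to its indicator labels."""
    return {p: classify_request(p) for p in paths}


if __name__ == "__main__":
    for path, labels in scan_requests(SAMPLE_REQUESTS).items():
        print(path, sorted(labels) or "-")
```

The decoding loop is the point of the detector: a signature that only matches the literal `%2e%2e%2f` misses the double-encoded variant, while decoding first and then matching on the normalized path catches both. On the validation side, `validate_filename` rejects traversal and metacharacters without needing to enumerate them, which is why allow-listing is preferred over block-listing for user-controllable parameters.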
## Related Tools/Techniques
- General web application scanners and exploit toolkits (e.g., Metasploit modules targeting these specific CVEs).