Full Report
The following is the information on YARA and Snort rules (week 4, February 2025) collected and shared by the AhnLab TIP service.

- 0 YARA Rules
- 19 Snort Rules

| Detection name | Source |
| --- | --- |
| ET EXPLOIT PostgreSQL psql SQL Injection (CVE-2025-1094) | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS NOTG Phish Landing Page 2025-02-19 | https://rules.emergingthreatspro.com/open/ |
| ET CURRENT_EVENTS NOTG Phish Kit Visitor Fingerprinting | https://rules.emergingthreatspro.com/open/ |

[…]
Analysis Summary
This summary is based on the provided context, which lists detection rules (YARA and Snort) updated in the fourth week of February 2025 by AhnLab TIP. Since the context only provides detection names and sources, the analysis focuses on what these detections imply about the underlying tools, malware, and techniques.
***
# Tool/Technique: ET EXPLOIT PostgreSQL psql SQL Injection (CVE-2025-1094)
## Overview
A detection rule for attempts to exploit CVE-2025-1094, a quoting flaw in PostgreSQL's libpq escaping functions (`PQescapeLiteral()`, `PQescapeIdentifier()`, `PQescapeString()`, `PQescapeStringConn()`). When an attacker-supplied value contains an invalid multibyte lead byte immediately before a quote character, the escaper skips the quote instead of doubling it; if the result is then used to build input for the `psql` interactive terminal, the attacker breaks out of the string literal and can run `psql` meta-commands such as `\!`, which execute operating-system commands. The flaw was disclosed and fixed on 13 February 2025, so the rule reflects a vulnerability that was only days old when the rule set was published.
## Technical Details
- Type: Technique (Exploitation)
- Platform: Linux/PostgreSQL environments
- Capabilities: Exploitation of a specific SQL injection vulnerability (CVE-2025-1094).
- First Seen: Rule published in week 4 of February 2025; the vulnerability was disclosed and patched on 13 February 2025.
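To make the quoting flaw concrete, here is a simplified model of it as an added example. It is not libpq or psql source: it mimics an escaper that trusts the byte length a UTF-8 lead byte declares while looking for quotes to double, and a psql-like consumer that treats an invalid lead byte as a single byte. The payload, the escaper names and the `injectable()` helper are all constructed for illustration.

```python
"""Simplified model of the CVE-2025-1094 quoting flaw (added example, not
libpq source). A naive escaper skips the bytes a UTF-8 lead byte claims
follow it; a psql-like consumer validates those bytes and so still sees the
quote, letting a `\\!` meta-command escape the string literal."""

from typing import Callable, List

# Constructed attacker-controlled value: a stray UTF-8 lead byte, a quote,
# then a psql shell meta-command on the same line.
PAYLOAD = b"\xc0'; \\! id\n"


def utf8_declared_len(b: int) -> int:
    """Number of bytes a UTF-8 lead byte claims; 1 for anything else."""
    if 0xC0 <= b < 0xE0:
        return 2
    if 0xE0 <= b < 0xF0:
        return 3
    if 0xF0 <= b < 0xF8:
        return 4
    return 1


def has_valid_tail(data: bytes, i: int, n: int) -> bool:
    """True if the n-1 bytes after position i are all continuation bytes."""
    tail = data[i + 1:i + n]
    return len(tail) == n - 1 and all(0x80 <= c < 0xC0 for c in tail)


def escape_literal_naive(value: bytes) -> bytes:
    """Pre-fix style: copies the bytes a lead byte claims follow it without
    checking them, so a quote right after a lone 0xC0 is never doubled."""
    out = bytearray(b"'")
    i = 0
    while i < len(value):
        n = utf8_declared_len(value[i])
        if value[i] == ord("'"):
            out += b"''"
        else:
            out += value[i:i + n]
        i += n
    out += b"'"
    return bytes(out)


def escape_literal_strict(value: bytes) -> bytes:
    """Fixed style: refuse input that is not valid in the client encoding
    before quoting, so no quote can hide behind a truncated sequence."""
    value.decode("utf-8")  # raises UnicodeDecodeError (a ValueError)
    return b"'" + value.replace(b"'", b"''") + b"'"


def consumer_meta_commands(sql: bytes) -> List[bytes]:
    """Rough model of psql's lexer: quotes toggle string state, '' inside a
    string is an escaped quote, and a backslash outside a string starts a
    meta-command that runs to end of line. An invalid lead byte counts as
    one byte, which is why the naive escaper's output is unsafe here."""
    cmds, in_str, i = [], False, 0
    while i < len(sql):
        b = sql[i]
        n = utf8_declared_len(b)
        if n > 1 and has_valid_tail(sql, i, n):
            i += n  # a well-formed multibyte character, nothing to do
            continue
        if b == ord("'"):
            if in_str and sql[i + 1:i + 2] == b"'":
                i += 2  # escaped quote inside a literal
                continue
            in_str = not in_str
        elif b == ord("\\") and not in_str:
            end = sql.find(b"\n", i)
            end = len(sql) if end == -1 else end
            cmds.append(sql[i:end])
            i = end
            continue
        i += 1
    return cmds


def injectable(value: bytes, escaper: Callable[[bytes], bytes]) -> bool:
    """True if a psql-like consumer would see a meta-command after escaping."""
    try:
        sql = b"SELECT " + escaper(value) + b";\n"
    except ValueError:  # the strict escaper rejected malformed input
        return False
    return bool(consumer_meta_commands(sql))


if __name__ == "__main__":
    print("naive :", escape_literal_naive(PAYLOAD), injectable(PAYLOAD, escape_literal_naive))
    print("strict:", injectable(PAYLOAD, escape_literal_strict))
```

The practical lesson is the mitigation the advisory implies: an escaper and its consumer must agree on what a character is, so reject (or transcode) input that is not valid in the client encoding before it reaches any quoting routine, and never build `psql` scripts from untrusted strings at all.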
## MITRE ATT&CK Mapping
*Implied mapping; T1190 has no sub-techniques in ATT&CK, so SQL injection maps to the parent technique:*
- TA0001 - Initial Access
- T1190 - Exploit Public-Facing Application
- TA0002 - Execution / T1059 - Command and Scripting Interpreter (once injection into `psql` input is achieved, the `\!` meta-command runs shell commands)
## Functionality
### Core Capabilities
- Identifying malicious input patterns designed to exploit CVE-2025-1094 within PostgreSQL servers.
### Advanced Features
- N/A (Focus is on the exploit attempt itself, not a sophisticated tool feature).
## Indicators of Compromise
- File Hashes: N/A (Detection is network/signature-based)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Network traffic matching the pattern of the SQL injection attempt.
- Behavioral Indicators: SQL query syntax targeting the PostgreSQL service that triggers the specific vulnerability.
## Associated Threat Actors
- Not attributable from the rule alone. Rapid7, which reported the flaw, found it while analysing exploitation of BeyondTrust Remote Support (CVE-2024-12356), where the two issues were chained to reach remote code execution.
## Detection Methods
- Signature-based detection: Snort Rule (ET EXPLOIT).
- Behavioral detection: Monitoring for malformed SQL queries on PostgreSQL ports.
- YARA rules: 0 YARA rules reported.
## Mitigation Strategies
- Patching PostgreSQL to address CVE-2025-1094.
- Validating that untrusted input is well-formed in the client encoding before it reaches any escaping routine, using parameterized queries rather than string-built SQL, and never constructing `psql` scripts from user-supplied data.
## Related Tools/Techniques
- Other SQL Injection techniques.
***
# Tool/Technique: ET CURRENT\_EVENTS NOTG Phish Landing Page & Visitor Fingerprinting
## Overview
Detection rules targeting activity associated with phishing campaigns, specifically identifying landing pages and techniques used by threat actors to fingerprint or profile visitors to those pages.
## Technical Details
- Type: Technique (Phishing/Reconnaissance)
- Platform: Web Servers, End-user browsers
- Capabilities: Detection of known phishing infrastructure and scripts designed to gather information about the visitor (e.g., IP, User Agent) before delivering the final credential harvesting stage.
- First Seen: Rule updated February 2025.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (If link is delivered via attachment)
- T1566.002 - Spearphishing Link
- TA0043 - Reconnaissance (fingerprinting aspect)
- T1592 - Gather Victim Host Information (browser, OS and hardware profiling; identity data such as email addresses falls under T1589)
## Functionality
### Core Capabilities
- Identifying network traffic patterns characteristic of known phishing landing pages (ET CURRENT\_EVENTS NOTG Phish Landing Page).
- Detecting client-side scripts used for browser/system profiling.
### Advanced Features
- Visitor Fingerprinting: Scripts actively query client environment details, indicating reconnaissance before payload delivery.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Connections to domains associated with known recent phishing campaigns.
- Behavioral Indicators: Execution or loading of scripts attempting to gather extensive browser environment variables upon landing on a suspicious URL.
## Associated Threat Actors
- Generic or various threat actors utilizing phishing kits.
## Detection Methods
- Signature-based detection: Snort Rules (ET CURRENT\_EVENTS NOTG).
- Behavioral detection: Monitoring web requests to newly observed, high-risk URLs.
## Mitigation Strategies
- User training on identifying phishing links.
- Implementing web filters to block access to known phishing domains.
- Ensuring MFA is enabled to mitigate credential theft from successful phishing attempts.
## Related Tools/Techniques
- Phishing Kits, Credential Harvesting Scripts.
***
# Tool/Technique: ET EXPLOIT Attempted Unauthenticated Palo Alto Global Protect Administrator Password Change
## Overview
Rules designed to catch intrusion attempts targeting Palo Alto GlobalProtect infrastructure, specifically attempts to change administrator passwords without proper authentication, likely leveraging known vulnerabilities in the GlobalProtect portal or gateway.
## Technical Details
- Type: Technique (Exploitation/Web Application Attack)
- Platform: Palo Alto GlobalProtect Web Interface
- Capabilities: Detection of malicious requests attempting to leverage authentication bypass or configuration flaws to force an administrative password reset or change.
- First Seen: Not determinable from the rule name. The M1/M2 suffixes are Emerging Threats' convention for two signature variants covering the same activity and say nothing about when the vulnerability was first exploited.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access / TA0004 - Privilege Escalation
- T1190 - Exploit Public-Facing Application (no sub-technique exists; web application exploitation maps to the parent)
## Functionality
### Core Capabilities
- Monitoring HTTP/HTTPS traffic directed at GlobalProtect endpoints for request parameters or payloads associated with CVEs allowing unauthorized configuration changes.
### Advanced Features
- The M1 and M2 variants cover different forms of the same malicious request (for example, alternative encodings or parameter orderings), so both rules should be deployed together and a hit on either is the same finding.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Specific HTTP POST/GET requests targeting GlobalProtect authentication or configuration endpoints.
- Behavioral Indicators: High volume of failed configuration attempts originating from a single source.
## Associated Threat Actors
- Threat actors targeting perimeter devices and firewalls for persistent access (e.g., ransomware groups, espionage actors).
## Detection Methods
- Signature-based detection: Snort Rules (ET EXPLOIT, M1 and M2 variations).
- Behavioral detection: Monitoring unusual configuration endpoint activity on Palo Alto devices.
## Mitigation Strategies
- Immediately patching Palo Alto firewalls to address relevant GlobalProtect vulnerabilities.
- Restricting external access to the GlobalProtect login interface where possible.
## Related Tools/Techniques
- Other web application exploits targeting VPN concentrators (e.g., Ivanti, Fortinet).
***
# Tool/Technique: ET WEB\_SPECIFIC\_APPS Ivanti EPM Absolute Path Traversal (CVE-2024-13159)
## Overview
A detection rule focused on attempts to exploit CVE-2024-13159 in Ivanti Endpoint Manager (EPM), which allows for an absolute path traversal attack. This technique allows an attacker to read arbitrary files on the underlying system hosting the EPM server.
## Technical Details
- Type: Technique (Exploitation)
- Platform: Ivanti Endpoint Manager Server
- Capabilities: Exploitation of path traversal to read sensitive system files (e.g., configuration files, system credentials).
- First Seen: Associated with CVE-2024-13159 (disclosed earlier than Feb 2025).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1190 - Exploit Public-Facing Application (path traversal has no sub-technique in ATT&CK; it maps to the parent)
- TA0009 - Collection / T1005 - Data from Local System (files read through the traversal)
## Functionality
### Core Capabilities
- Identifying requests to Ivanti EPM web endpoints whose file-path parameter carries an absolute path (a drive letter such as `C:\...` or a UNC path such as `\\host\share\...`) rather than a path relative to the intended directory. Unlike classic traversal, absolute path traversal needs no `../` sequences, so detections keyed only on dot-dot patterns miss it.
### Advanced Features
- N/A
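The following added example (not Ivanti's code and not the Emerging Threats rule) shows the distinction in detection logic: a classifier for file-path parameters in HTTP request lines that catches Windows absolute paths and UNC paths as well as `../` traversal and double-encoded variants. The endpoint names and the request lines are constructed placeholders, not real EPM traffic.

```python
"""Added example: classify file-path parameters in HTTP request lines so that
absolute and UNC paths are caught, not only `../` sequences. Endpoint names
and sample requests are placeholders, not real Ivanti EPM traffic."""

import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed request lines, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /app/ReportViewer?file=reports/summary.pdf HTTP/1.1",
    "GET /app/ReportViewer?file=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1",
    "GET /app/ReportViewer?file=C%3A%5CWindows%5Cwin.ini HTTP/1.1",
    "GET /app/ReportViewer?file=%5C%5C10.0.0.5%5Cshare%5Cpayload HTTP/1.1",
    "POST /app/Upload?name=%252Fetc%252Fpasswd HTTP/1.1",   # double-encoded
]

UNC = re.compile(r"^\\\\[^\\]+\\")            # \\host\share\...
WIN_ABS = re.compile(r"^[A-Za-z]:[\\/]")       # C:\ or C:/
DOTDOT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # ../ or ..\ as a path element
POSIX_ABS = re.compile(r"^/")


def classify_path(value: str) -> Optional[str]:
    """Apply a second round of percent-decoding to catch double encoding,
    then classify. Returns None for a plain relative path."""
    v = unquote(value)
    if UNC.match(v):
        return "unc-absolute"
    if WIN_ABS.match(v):
        return "windows-absolute"
    if DOTDOT.search(v):
        return "dot-dot-traversal"
    if POSIX_ABS.match(v):
        return "posix-absolute"
    return None


def scan_request(line: str) -> List[Tuple[str, str]]:
    """Return (parameter, finding) pairs for one request line.
    parse_qsl already applies the first round of percent-decoding."""
    _method, target, _version = line.split(" ", 2)
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        kind = classify_path(value)
        if kind:
            hits.append((name, kind))
    return hits


def scan_all(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line index, parameter, finding) for every suspicious parameter."""
    return [(i, name, kind)
            for i, line in enumerate(lines)
            for name, kind in scan_request(line)]


if __name__ == "__main__":
    for i, name, kind in scan_all(SAMPLE_REQUESTS):
        print(f"line {i}: {name} -> {kind}")
```

Only the query string is parsed here; the same classifier applies to form bodies and JSON fields. The order of checks matters: a UNC path also begins with a backslash and may contain `..`, so the most specific pattern is tested first.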
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic specifically targeting path traversal vectors against Ivanti EPM paths.
- Behavioral Indicators: Unusual read operations on configuration or log files by the Ivanti service account.
## Associated Threat Actors
- Actors leveraging known vulnerabilities in enterprise security software.
## Detection Methods
- Signature-based detection: Snort Rule (ET WEB\_SPECIFIC\_APPS).
## Mitigation Strategies
- Applying the specific Ivanti EPM patch for CVE-2024-13159.
- Network segmentation to isolate management servers.
## Related Tools/Techniques
- Other path traversal vulnerabilities affecting web applications.
***
# Tool/Technique: ET TROJAN HTran/SensLiceld.A response to infected host
## Overview
Detection of the characteristic response that HTran sends to a host that has connected to it. HTran (HUC Packet Transmit Tool) is a TCP connection bouncer rather than a remote access trojan: it accepts a connection on one port and forwards it to another host in one of three modes (listen, tran, slave), which lets an operator hide the true origin of command-and-control traffic behind one or more relays. "SensLiceld.A" is an older antivirus detection name for the same tool. Because the rule matches the server side of the exchange, a hit means a host on the monitored network either connected to an HTran relay or is running one.
## Technical Details
- Type: Tool (TCP connection bouncer/proxy; detection name HTran/SensLiceld.A)
- Platform: Windows and Linux (source builds exist for both)
- Capabilities: Relaying TCP connections between a listener and a remote host so that C2 traffic appears to originate from the relay; chaining several relays.
- First Seen: The tool dates from the early 2000s and its source is public; the detection rule itself is recent (Feb 2025).
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1090 - Proxy
- T1090.001 - Internal Proxy / T1090.002 - External Proxy (depending on where the relay sits)
- T1090.003 - Multi-hop Proxy (when relays are chained)
## Functionality
### Core Capabilities
- Matching the fixed status or error strings HTran writes back to a connected client (for example, the `[SERVER]connection to ...error` message emitted when the onward hop is unreachable); these strings are part of the tool's source and survive redeployment on new infrastructure.
### Advanced Features
- N/A
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A (`SensLiceld.A` is a detection name, not a file or process name; HTran binaries are routinely renamed)
- Registry Keys: N/A
- Network Indicators: HTran's fixed response strings on an otherwise arbitrary TCP port; a server that accepts inbound connections and immediately opens a matching outbound connection to an external address.
- Behavioral Indicators: A process holding a listening socket and a paired outbound socket and copying bytes between them; internal hosts receiving the HTran response string, which means they reached a relay.
## Associated Threat Actors
- Publicly available tool (MITRE ATT&CK software entry S0040) historically used by several Chinese state-sponsored intrusion sets; because the source is public, a sighting on its own does not attribute the activity.
## Detection Methods
- Signature-based detection: Snort Rule (ET TROJAN).
## Mitigation Strategies
- Execution prevention mechanisms.
- Egress filtering that limits outbound TCP connections to approved destinations and ports, plus inbound filtering on servers so that a compromised host cannot be turned into a reachable relay.
## Related Tools/Techniques
- Other connection bouncers and port forwarders used to mask C2 origin (e.g., socat, chisel, SSH port forwarding).
***
# Tool/Technique: ET TROJAN implant.js (Linux & Windows Beaconing/C2 Handshake)
## Overview
A set of rules dedicated to detecting the command-and-control traffic of malware tracked as `implant.js`. The rule names indicate a JavaScript-based implant, but they do not state the runtime (a script host such as WScript/JScript, Node.js, or an embedded engine are all possible). The rules cover initial check-ins on Linux and Windows, the C2 handshake, and the traffic involved in fetching and executing "evil modules" in both debug and non-debug modes.
## Technical Details
- Type: Malware (Loader/Dropper/Backdoor - implant.js)
- Platform: Linux and Windows
- Capabilities: Establishing persistent C2 communication, beaconing, receiving instructions, dynamically loading modules (evil modules), and supporting both debugged and release operational states.
- First Seen: Activity detected in February 2025 rules.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1090 - Proxy (only if a relay is used; not evidenced by the rule names)
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.007 - JavaScript (the implant itself)
- T1059.003 - Windows Command Shell / T1059.004 - Unix Shell (only if fetched modules spawn a shell; not evidenced by the rule names)
## Functionality
### Core Capabilities
- **Beaconing/Check-in:** Initial connection establishing communication (Linux Beacon Check-in, Windows Beacon Check-in).
- **C2 Communication:** Specific handshake patterns (`HS_ACK`).
- **Module Loading:** Detection of requests (`PKT_FETCH`) for external malicious modules.
### Advanced Features
- **Debug Mode Handling:** The C2 protocol carries a debug flag (`DebugMode=ON` vs `DebugMode=OFF`) with dedicated debug commands (`DBG_CMD_*`) and responses (`DBG_RESP_*`). A separate debug channel is typical of a framework still under development or used by operators to test modules against a victim; its presence on the wire is itself a useful detection feature because the tokens differ from production traffic.
- **Module Execution Reporting:** Rules capturing successful or failed execution reports of loaded modules.
## Indicators of Compromise
- File Hashes: N/A (Detection focuses on network behavior).
- File Names: `implant.js` (if observed locally).
- Registry Keys: N/A
- Network Indicators: Specific payload structures containing `HS_ACK`, `PKT_FETCH`, `Evil Module`, `DBG_CMD_*`, and `DBG_RESP_*`.
- Behavioral Indicators: Regularized network check-ins matching beacon timing; dynamic loading of external code snippets or modules indicated by specific request/response pairs.
## Associated Threat Actors
- Unknown. The rule names show a modular, multi-platform JavaScript C2 framework but do not attribute it to any group.
## Detection Methods
- Signature-based detection: Numerous Snort Rules (ET TROJAN implant.js variants).
- Behavioral detection: Analyzing network flows for structured communication patterns indicative of C2 and dynamic loading, particularly observing the variations related to debug mode flags.
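The behavioral angle above (regular check-ins independent of user activity) can be checked without knowing the payload format. The following added example, not part of the page, the rule set or any implant.js code, scores each source/destination pair by the regularity of its connection timing and flags clocked beacons. The flow records are constructed, and the jitter threshold and minimum sample count are assumptions to tune per environment.

```python
"""Added example: flag host/destination pairs whose connection timing looks
like a timer-driven beacon rather than user activity. Flow records are
constructed; thresholds are assumptions to tune."""

from collections import defaultdict
from statistics import median
from typing import Dict, List, Optional, Tuple

# Constructed flow records (src, dst, epoch seconds), not captured traffic.
FLOWS: List[Tuple[str, str, int]] = (
    # host A: check-in roughly every 60 s with a few seconds of jitter
    [("10.1.1.20", "198.51.100.7", t)
     for t in (0, 63, 119, 184, 242, 297, 361, 420, 483, 540)]
    # host B: bursty, user-like activity toward one destination
    + [("10.1.1.21", "203.0.113.9", t)
       for t in (0, 3, 4, 95, 96, 400, 1300, 1305, 1900, 1902)]
    # host C: too few connections to judge either way
    + [("10.1.1.22", "198.51.100.7", t) for t in (0, 60)]
)


def beacon_score(times: List[int], min_count: int = 6) -> Optional[Tuple[float, float]]:
    """Return (median interval, jitter ratio), or None with too few samples.
    Jitter ratio = median absolute deviation of the gaps / median gap; a
    value near zero means the connections are driven by a timer."""
    if len(times) < min_count:
        return None
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return None
    mad = median(abs(g - med) for g in gaps)
    return med, mad / med


def find_beacons(flows: List[Tuple[str, str, int]],
                 max_jitter: float = 0.15,
                 min_count: int = 6) -> Dict[Tuple[str, str], Tuple[float, float]]:
    """Group flows by (src, dst) and keep the pairs that score as beacons."""
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for src, dst, t in flows:
        by_pair[(src, dst)].append(t)
    hits = {}
    for pair, times in by_pair.items():
        score = beacon_score(times, min_count)
        if score is not None and score[1] <= max_jitter:
            hits[pair] = score
    return hits


if __name__ == "__main__":
    for (src, dst), (interval, jitter) in find_beacons(FLOWS).items():
        print(f"{src} -> {dst}: ~{interval:.0f}s interval, jitter ratio {jitter:.2f}")
```

Timing alone produces false positives (software updaters and monitoring agents also run on a clock), so in practice this score is combined with destination reputation and the payload signatures the ET rules provide; the two approaches cover each other's blind spots, since signatures miss a re-encoded protocol and timing analysis misses an implant with large randomized sleeps.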
## Mitigation Strategies
- Application control that blocks script hosts (e.g., `wscript.exe`, `cscript.exe`) and unapproved JavaScript runtimes on endpoints that do not need them, so a dropped `implant.js` cannot execute outside the browser.
- Network monitoring for unusual outbound traffic destined for known malicious C2 servers or protocols matching these patterns.
## Related Tools/Techniques
- Web Shells, Fileless Malware (if the JS payload is executed directly in memory).