Full Report
The following is the information on Yara and Snort rules (week 4, November 2024) collected and shared by the AhnLab TIP service.

5 YARA Rules

| Detection name | Description | Source |
| :--- | :--- | :--- |
| PK_Amazon_hitman | Phishing Kit impersonating Amazon | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Nedbank_sql | Phishing Kit impersonating Nedbank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Barclays_offshore | Phishing Kit impersonating Barclays | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_OneDrive_awake | Phishing Kit impersonating OneDrive | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Chase_emma | Phishing […] | |

The post Weekly Detection Rule (YARA and Snort) Information – Week 4, November 2024 first appeared on ASEC.
Analysis Summary
This summary covers the detection methods (YARA and Snort rules) listed in the source post, categorizing the detected items where applicable.
# Tool/Technique: Phishing Kits (Amazon, Nedbank, Barclays, OneDrive, Chase)
## Overview
These are various Phishing Kits detected via YARA rules, designed to impersonate legitimate services (financial institutions and cloud storage providers) for the purpose of credential harvesting.
## Technical Details
- Type: Malware/Attack Resource (Phishing Kit)
- Platform: Web/Server-based (likely PHP/HTML)
- Capabilities: Impersonation, credential theft, web delivery.
- First Seen: Information not explicitly provided (rules released week 4, November 2024).
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (If used as an attachment)
- T1566.002 - Spearphishing Link (Typically how web kits are delivered)
## Functionality
### Core Capabilities
- Impersonating Amazon login pages.
- Impersonating Nedbank login pages.
- Impersonating Barclays login pages.
- Impersonating Microsoft OneDrive login pages.
- Impersonating Chase bank login pages.
### Advanced Features
- The specific advanced features of the underlying scripts are not detailed, but phishing kits generally aim for high fidelity in mimicry to trick victims.
## Indicators of Compromise
- File Hashes: N/A (Detection is based on signature/content rules)
- File Names: N/A (Specific file names are not listed, only the rule detection names)
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Hosting web pages designed for credential submission.
## Associated Threat Actors
- General cybercriminals specializing in financial fraud and credential harvesting.
## Detection Methods
- Signature-based detection: Provided via 5 specific YARA rules from AhnLab TIP.
- Behavioral detection: N/A
- YARA rules:
  - PK_Amazon_hitman
  - PK_Nedbank_sql
  - PK_Barclays_offshore
  - PK_OneDrive_awake
  - PK_Chase_emma
## Mitigation Strategies
- Implementing robust email filtering and DMARC/SPF/DKIM policies.
- User education on recognizing phishing attempts.
- Using strong Multi-Factor Authentication (MFA).
## Related Tools/Techniques
- Other phishing frameworks (e.g., Modlishka, NameID).
***
# Tool/Technique: Exploitation Techniques Targeting Specific Vendor Software
## Overview
This section summarizes various vulnerability exploitation attempts detected by Snort rules, targeting widely used enterprise software and security appliances, including vulnerabilities in Fortinet, Palo Alto, pyLoad, and WordPress plugins.
## Technical Details
- Type: Technique/Exploit Attempt (Network Intrusion Signatures)
- Platform: Server/Web Application (Involves various network protocols/HTTP requests)
- Capabilities: Remote Code Execution (RCE), Authentication Bypass, Command Injection, Directory Traversal.
- First Seen: Detection rules were active in the week 4, November 2024 update. Specific CVEs map to various historical dates.
## MITRE ATT&CK Mapping
The mapped tactics/techniques depend on the specific CVE/exploit:
| Rule Context | Primary Tactic/Technique |
| :--- | :--- |
| RCE/Injection via FortiManager, pyLoad, Palo Alto | T1190 - Exploit Public-Facing Application |
| Authentication Bypass (Palo Alto, Fortinet) | T1190 - Exploit Public-Facing Application |
| Command Injection (Palo Alto) | T1059.004 - Command and Scripting Interpreter: Unix Shell |
| Directory Traversal (WordPress) | T1083 - File and Directory Discovery |
## Functionality
### Core Capabilities
- **CVE-2024-50340 (Symfony PHP Profiler):** Manipulation of the PHP profiler environment.
- **CVE-2024-47575 (Fortinet FortiManager):** Attempted Unauthenticated Remote Code Execution (M1 & M2 variants) and Unauthenticated Open Server-Side Channel.
- **CVE-2024-39205 (pyLoad):** RCE via sandbox escape in `js2py`.
- **CVE-2024-0012 & Command Injection (Palo Alto PAN-OS):** Authentication bypass and command injection attempts.
- **CVE-2024-9463 (Palo Alto Expedition):** Remote Code Execution attempt.
- **CVE-2024-1212 (Progress Kemp LoadMaster):** RCE attempt.
- **WPLMS Directory Traversal:** Unauthorized file access attempts on WordPress sites.
### Advanced Features
- Exploitation of recently disclosed high-severity vulnerabilities (RCE and Auth Bypass) in critical infrastructure appliances (Fortinet, Palo Alto).
- Exploiting sandbox weaknesses (`js2py`) for RCE in web applications.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Specific network patterns associated with the listed CVE exploitation attempts (e.g., request structure targeting the vulnerable parameters).
- Behavioral Indicators: Malformed requests attempting to trigger RCE or information disclosure on vulnerable services.
## Associated Threat Actors
- Threat actors tracking and deploying exploits for new or known CVEs against widely deployed appliances. Specific groups are not named for all entries, but the exploitation of Fortinet and Palo Alto vulnerabilities is common across various APTs and ransomware affiliates.
## Detection Methods
- Signature-based detection: Provided via 18 Snort Rules from Emerging Threats Pro.
- Behavioral detection: N/A
- YARA rules: N/A (Snort rules target network traffic)
## Mitigation Strategies
- Immediate patching of vulnerable software: Fortinet FortiManager (CVE-2024-47575), Palo Alto PAN-OS (CVE-2024-0012) and Palo Alto Expedition (CVE-2024-9463), pyLoad (CVE-2024-39205), Progress Kemp LoadMaster (CVE-2024-1212).
- Restricting network access to management interfaces of security appliances where possible.
- Applying security patches for WordPress plugins (WPLMS).
## Related Tools/Techniques
- Other network-based exploit attempts leveraging public vulnerabilities.
***
# Tool/Technique: Strela Stealer, Snake/Best Private Keylogger, Glove Stealer, Clickfix
## Overview
These detections relate to various types of malware/trojans identified through Snort rules targeting Command and Control (C2) communications or post-infection activity.
## Technical Details
- Type: Malware (Trojans/Stealers/Keyloggers)
- Platform: Typically Windows (Client/Server communications)
- Capabilities: Stealing data/credentials, Keylogging, C2 communication.
- First Seen: Rules updated week 4, November 2024.
## MITRE ATT&CK Mapping
- Strela Stealer: T1056.001 (Input Capture: Keylogging) / T1071 (Application Layer Protocol)
- Snake/Best Private Keylogger: T1056.001 (Input Capture: Keylogging) / T1041 (Exfiltration Over C2 Channel)
- Glove Stealer: T1041 (Exfiltration Over C2 Channel) / T1071 (Application Layer Protocol)
- Clickfix: T1105 (Ingress Tool Transfer) / T1071 (Application Layer Protocol)
## Functionality
### Core Capabilities
- **Strela Stealer:** C2 communication activity detected.
- **Snake/Best Private Keylogger:** Exfiltration of stolen data (including private keys) via Telegram.
- **Glove Stealer:** Detection of C2 responses and data exfiltration attempts.
- **Clickfix:** Detection of an inbound payload and subsequent C2 request patterns (Portuguese language context suggested by rule name).
### Advanced Features
- Use of legitimate services like Telegram for stealthy data exfiltration (Snake/Best Private).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - Strela Stealer C2 Activity detected.
  - Snake/Best Private Keylogger C2 Exfil via Telegram detected.
  - Glove Stealer C2 Response detected.
  - Clickfix Payloads detected (inbound and outbound GET requests).
- Behavioral Indicators: Specific network traffic patterns characteristic of these Trojans communicating with their C2 infrastructure.
## Associated Threat Actors
- Threat actors utilizing commodity malware and stealers for opportunistic infections.
## Detection Methods
- Signature-based detection: Provided via relevant Snort Trojan rules.
- Behavioral detection: N/A
- YARA rules: N/A
## Mitigation Strategies
- Endpoint Detection and Response (EDR) solutions capable of monitoring process behavior and network connections.
- Blocking access to known C2 infrastructure patterns.
- Implementing policies to restrict or monitor traffic to non-business-sanctioned messaging services like Telegram for data transfer.
## Related Tools/Techniques
- Other credential harvesting malware like Vidar or Raccoon Stealer.