Full Report
The following is the information on YARA and Snort rules (week 3, December 2024) collected and shared by the AhnLab TIP service.

6 YARA Rules

| Detection name | Description | Source |
| --- | --- | --- |
| EXPL_Cleo_Exploitation_Log_Indicators_Dec24 | Cleo exploitation log detection | https://github.com/Neo23x0/signature-base |
| EXPL_Cleo_Exploitation_PS1_Indicators_Dec24 | Cleo exploitation PowerShell script detection | https://github.com/Neo23x0/signature-base |
| SUSP_EXPL_JAR_Indicators_Dec24 | Suspicious JAR exploitation detection | https://github.com/Neo23x0/signature-base |
| EXPL_Cleo_Exploitation_XML_Indicators_Dec24 | Cleo exploitation XML detection | https://github.com/Neo23x0/signature-base |
| EXPL_Cleo_Exploitation_JAVA_Payloads_Dec24_1_1 | Cleo […] | |
Analysis Summary
This summary focuses on the malware families, vulnerabilities, and specific network communications detailed in the provided threat intelligence rules.
# Tool/Technique: Retdoor C2 Checkin Detected
## Overview
Detection signature marking network communications indicative of a Retdoor Command and Control (C2) check-in attempt.
## Technical Details
- Type: Malware Family (Implied - C2 Communication)
- Platform: Unknown (Inferred from network traffic)
- Capabilities: Establishing or maintaining contact with a Retdoor C2 infrastructure.
- First Seen: N/A
## MITRE ATT&CK Mapping
- TA0011 - Command and Control (C2 Activity is inherent in C2 check-ins)
## Functionality
### Core Capabilities
- Network beaconing to a remote C2 server.
### Advanced Features
- N/A
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic matching the Retdoor C2 protocol/signature.
- Behavioral Indicators: Network connection outbound/inbound related to C2 communication.
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection (Emerging Threats Rule: `ET TROJAN Retdoor CnC Checkin`)
## Mitigation Strategies
- Blocking outbound connections to known C2 infrastructure for Retdoor.
- Network monitoring for anomalous connection patterns.
## Related Tools/Techniques
- Other C2 backdoors.
***
# Tool/Technique: QuickResponse C2 Communication Structures
## Overview
Detection signatures for the specific data structures used by the QuickResponse C2 framework for sending default tasking and receiving responses.
## Technical Details
- Type: Malware Family (Implied - C2 Communication)
- Platform: Unknown
- Capabilities: Communicating instructions (tasking) and acknowledgement/results between the malware implant and the QuickResponse C2 server.
- First Seen: N/A
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
## Functionality
### Core Capabilities
- Detecting specific C2 control packets: Default Tasking Structure.
- Detecting specific C2 control packets: Default Response Structure.
### Advanced Features
- N/A
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic containing the specific byte sequences defining the QuickResponse C2 structures.
- Behavioral Indicators: Communication patterns matching the C2 framework.
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection (Emerging Threats Rules targeting `QuickResponseC2 Default Tasking Struct` and `Default Response Struct`).
## Mitigation Strategies
- Blocking communications matching the observed C2 structures.
- Application allow-listing on endpoints, so that an implant which is not an approved binary cannot execute even if its traffic is not blocked.
## Related Tools/Techniques
- Other common C2 protocols.
***
# Tool/Technique: PeakLight/Emmenhtal Loader Payload Delivery Templates
## Overview
Signatures targeting network artifacts related to the delivery mechanism of the PeakLight/Emmenhtal malware loaders, specifically their payload delivery templates and associated web pages.
## Technical Details
- Type: Malware Loader/Downloader
- Platform: Windows (both PeakLight and Emmenhtal are script-based Windows loaders according to public reporting; the rules themselves only see the HTTP delivery side)
- Capabilities: Delivering the final stage malware payload via unique web page formats or templates.
- First Seen: N/A
## MITRE ATT&CK Mapping
- T1105 - Ingress Tool Transfer (fetching the next-stage payload over HTTP is what the rules observe)
- TA0002 - Execution (the loader then runs the fetched payload; this stage is not visible on the network)
## Functionality
### Core Capabilities
- Identifying the specific template used by PeakLight/Emmenhtal for packaging and serving payloads.
- Identifying the web pages hosting these payloads.
### Advanced Features
- N/A
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic conforming to the delivery template structure or access to the specific delivery URLs.
- Behavioral Indicators: Web requests matching known delivery patterns.
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection (Rules looking for `PeakLight/Emmenhtal Loader Payload Delivery Template Observed` and `WebPage Observed`).
## Mitigation Strategies
- Web content filtering to block known download sites.
- Host intrusion prevention to catch subsequent execution.
## Related Tools/Techniques
- Other fileless or memory-resident loaders.
***
# Tool/Technique: Cleo MFT Arbitrary File Manipulation (CVE-2024-50623)
## Overview
Exploitation attempts targeting Cleo's managed file transfer products (Harmony, VLTrader and LexiCom), leveraging **CVE-2024-50623** to perform arbitrary file write and read operations on the server.
## Technical Details
- Type: Vulnerability Exploitation (Web Application)
- Platform: Systems running Cleo Harmony, VLTrader or LexiCom
- Capabilities: Unauthenticated reading of files on the server (`Arbitrary File Read`) and writing of attacker-controlled files to its filesystem (`Arbitrary File Write`). The write primitive is what leads to remote code execution; the read primitive leads to data disclosure.
- First Seen: Exploitation in the wild was reported in early December 2024; the Cleo YARA rules listed in the report above (log, PowerShell, XML and Java payload indicators) were published in response to it.
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application (T1190 has no sub-techniques; the "T1190.001" ID sometimes cited for it does not exist)
- T1105 - Ingress Tool Transfer (Arbitrary File Write used to stage follow-on payloads on the server)
- T1059.001 - Command and Scripting Interpreter: PowerShell (the EXPL_Cleo_Exploitation_PS1_Indicators_Dec24 rule above targets this stage)
- T1005 - Data from Local System (Arbitrary File Read)
## Functionality
### Core Capabilities
- Arbitrary File Write: placing attacker-controlled files (scripts, XML, Java payloads) inside the application's directories, from where the follow-on PowerShell and Java stages are run.
- Arbitrary File Read: retrieving files from the server, including the transferred files an MFT server exists to hold.
### Advanced Features
- Exploitation tied to a specific product vulnerability (CVE-2024-50623).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: HTTP requests to the Cleo web service carrying the path or parameter patterns that trigger CVE-2024-50623; the Snort rules in this report match those request patterns.
- Behavioral Indicators: Unexpected file system operations originating from the Cleo MFT process.
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based network detection on the exploit request patterns.
- Host-based YARA scanning with the Cleo rules listed above: exploitation log entries, dropped PowerShell scripts, XML artifacts and Java payloads. Because the file write lands on disk before anything executes, the host-side rules catch cases the network rules miss (for example TLS-terminated traffic that the sensor never inspects).
## Mitigation Strategies
- **Patching:** Upgrade Cleo Harmony, VLTrader and LexiCom to at least 5.8.0.24. The first fix for **CVE-2024-50623** (5.8.0.21) was bypassed in the wild, so a host reporting 5.8.0.21 must still be treated as vulnerable.
- Until patched, remove the product's direct internet exposure and, per Cleo's interim guidance, disable its autorun directory feature, which the observed exploitation chain used to execute the dropped files.
- Network segmentation for critical applications like MFT software; an MFT server should sit behind a reverse proxy or WAF rather than directly on the internet.
## Related Tools/Techniques
- Other authentication bypass or file access vulnerabilities in enterprise applications.
***
# Tool/Technique: Generic Office365 Phishing Landing Page (2024-12-12)
## Overview
Detection for network activity matching a generic phishing landing page template explicitly targeting Microsoft Office 365 credentials, observed around December 12, 2024.
## Technical Details
- Type: Phishing Infrastructure
- Platform: Web/Browser
- Capabilities: Collecting user credentials via a forged login interface designed to mimic Office 365 security prompts.
- First Seen: 2024-12-12
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (If email delivery is implied)
- T1566.002 - Spearphishing Link (If link delivery is implied)
## Functionality
### Core Capabilities
- Hosting a deceptive website to capture usernames and passwords.
### Advanced Features
- None of note. The 2024-12-12 date in the rule name is when the rule author observed this page template, not evidence of a campaign start date.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Connections to domains/IPs hosting the specific phishing page structure observed on 2024-12-12.
- Behavioral Indicators: HTTP POST requests containing credential harvesting data directed at the suspicious domain.
## Associated Threat Actors
- Not attributed. Generic Office 365 kits of this kind are sold and reused widely, so the page template alone does not identify an actor.
## Detection Methods
- Signature-based detection on known phishing page URLs or content markers.
## Mitigation Strategies
- User training against credential harvesting.
- Email filtering with click-time URL analysis, so that links rewritten after delivery to point at such pages are still blocked.
- Multi-factor authentication to devalue harvested passwords. Prefer phishing-resistant factors (FIDO2 security keys or passkeys): a page that only captures the password is neutralised by any MFA, but adversary-in-the-middle kits relay OTP and push prompts in real time, and only origin-bound factors resist that.
## Related Tools/Techniques
- Other credential harvesting pages.
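The behavioral indicator above (an HTTP POST carrying credential fields to a domain that is not Microsoft's) can be turned into a proxy-log check. The following is an added example, not AhnLab's code and not derived from the rule content; the proxy records, hostnames and the `src`/`url`/`body`/`referer`/`content_type` record layout are constructed for illustration, and the field names are Microsoft's own sign-in form fields (`loginfmt`, `passwd`) plus common generic ones:

```python
"""Flag credential-shaped POSTs to non-Microsoft hosts in proxy logs.

Added example; the proxy events below are constructed and the record layout
(src, method, url, content_type, body, referer) is an assumption about the
log source, not a real vendor format.
"""
import json
from urllib.parse import parse_qs, urlsplit

# First-party Microsoft sign-in domains; anything else receiving these fields
# is a collector.  Extend with your federated IdP hostnames.
FIRST_PARTY_SUFFIXES = (".microsoftonline.com", ".live.com", ".microsoft.com", ".windows.net")
PASSWORD_FIELDS = {"passwd", "password", "pwd", "pass"}
USER_FIELDS = {"loginfmt", "login", "username", "email", "user", "userid"}
# Brand words that a lookalike host or path tends to carry.
LURE_TOKENS = ("microsoft", "office365", "office-365", "o365", "outlook", "sharepoint", "onedrive")

def is_first_party(host):
    return any(host == s[1:] or host.endswith(s) for s in FIRST_PARTY_SUFFIXES)

def body_fields(event):
    """Field names of a form-encoded or JSON body; other bodies yield nothing."""
    body = event.get("body", "")
    if "json" in event.get("content_type", ""):
        try:
            data = json.loads(body)
        except ValueError:
            return set()
        return {k.lower() for k in data} if isinstance(data, dict) else set()
    return {k.lower() for k in parse_qs(body, keep_blank_values=True)}

def classify_post(event):
    """Return a finding dict for a credential POST to a third-party host, else None."""
    if event.get("method") != "POST":
        return None
    url = urlsplit(event["url"])
    host = (url.hostname or "").lower()
    if is_first_party(host):
        return None
    fields = body_fields(event)
    if not (fields & PASSWORD_FIELDS and fields & USER_FIELDS):
        return None
    reasons = ["credential fields posted to non-Microsoft host"]
    if any(t in host or t in url.path.lower() for t in LURE_TOKENS):
        reasons.append("Microsoft/Office lure token in URL")
    # Kits frequently host the page on one domain and post to a separate
    # collector; a referer from another host is a strong secondary signal.
    ref_host = (urlsplit(event.get("referer", "")).hostname or "").lower()
    if ref_host and ref_host != host:
        reasons.append("posted off-site from %s" % ref_host)
    return {
        "src": event.get("src"),
        "host": host,
        "fields": sorted(fields & (PASSWORD_FIELDS | USER_FIELDS)),
        "reasons": reasons,
    }

def scan(events):
    return [f for f in (classify_post(e) for e in events) if f]

# Constructed proxy events: one legitimate sign-in, two kit-style posts, two benign requests.
SAMPLE_EVENTS = [
    {"src": "10.1.2.3", "method": "POST", "url": "https://login.microsoftonline.com/common/login",
     "content_type": "application/x-www-form-urlencoded",
     "body": "loginfmt=a%40corp.example&passwd=x", "referer": "https://login.microsoftonline.com/"},
    {"src": "10.1.2.3", "method": "POST", "url": "https://secure-office365-verify.example/auth/post.php",
     "content_type": "application/x-www-form-urlencoded",
     "body": "loginfmt=a%40corp.example&passwd=Winter2024",
     "referer": "https://secure-office365-verify.example/index.html"},
    {"src": "10.1.2.9", "method": "POST", "url": "https://cdn-assets.example.net/collect.php",
     "content_type": "application/json",
     "body": "{\"email\": \"b@corp.example\", \"password\": \"x\"}",
     "referer": "https://outlook-web-access.example/login.html"},
    {"src": "10.1.2.5", "method": "POST", "url": "https://intranet.corp.example/search",
     "content_type": "application/x-www-form-urlencoded", "body": "q=payroll"},
    {"src": "10.1.2.5", "method": "GET", "url": "https://secure-office365-verify.example/index.html"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["src"], finding["host"], finding["fields"], "; ".join(finding["reasons"]))
```

The check deliberately keys on field names rather than on the lure domain, because the domain changes per campaign while a kit cloned from Microsoft's form keeps `loginfmt`/`passwd`; the referer mismatch is what separates a kit posting to a detached collector from a legitimate third-party login page.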
***
# Tool/Technique: GitHub Enterprise Server Vulnerability Exploits (CVE-2024-0507 & CVE-2024-0200)
## Overview
Detection signatures targeting attempts to exploit two vulnerabilities in GitHub Enterprise Server: Command Injection via the S3 OIDC configuration (**CVE-2024-0507**) and Data Leakage via Unsafe Reflection (**CVE-2024-0200**), as the rules name them.
## Technical Details
- Type: Vulnerability Exploitation (Web Application)
- Platform: GitHub Enterprise Server instances
- Capabilities:
- **CVE-2024-0507**: Command injection in the S3 OIDC settings of the Management Console. GitHub's advisory states that it requires an authenticated Management Console user with the editor role, so it is a privilege escalation for an attacker who already holds such an account.
- **CVE-2024-0200**: Unsafe reflection allowing user-controlled methods to be invoked on the server. GitHub's advisory requires an organization owner role and rates the outcome as possible remote code execution, so the "data leakage" wording in the rule name understates the impact.
- First Seen: Both were disclosed and fixed by GitHub in January 2024; the rules here detect continued exploitation attempts against instances that were never upgraded.
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application (T1190 has no sub-techniques)
- T1078 - Valid Accounts (both CVEs require an authenticated user, so credential theft or an insider precedes exploitation)
- T1059 - Command and Scripting Interpreter (for CVE-2024-0507)
- T1005 - Data from Local System (data read off the server through CVE-2024-0200; the "Data from Network Shared Drive" label previously paired with this ID belongs to T1039 and does not apply here)
## Functionality
### Core Capabilities
- Attempted Command Injection against Github Enterprise (CVE-2024-0507).
- Attempted exploitation of Unsafe Reflection to leak internal information (CVE-2024-0200).
### Advanced Features
- Exploits target platform-specific identity and reflection mechanisms (S3 OIDC, Reflection).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Malformed HTTP requests or payload content designed to trigger the respective vulnerabilities in the Github Enterprise API endpoints or configuration pages.
- Behavioral Indicators: Outbound data transfer immediately following an apparent successful exploitation of CVE-2024-0200.
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection matching exploit payloads for both CVEs.
## Mitigation Strategies
- Upgrade GitHub Enterprise Server to a release containing the January 2024 fixes for **CVE-2024-0507** and **CVE-2024-0200**: 3.8.13, 3.9.8, 3.10.5 or 3.11.3, or any later release branch. Compare per branch, not by plain version ordering: 3.10.4 is vulnerable while 3.9.9 is fixed.
- Restrict the Management Console to an administrative network, since CVE-2024-0507 is only reachable through it, and place a WAF in front of the instance to inspect console and API traffic for injection patterns.
## Related Tools/Techniques
- Other command injection vulnerabilities.
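Both the Cleo section above and this one come down to a version gate, and both have a trap in it: Cleo's first fix (5.8.0.21) was bypassed, so the gate must require 5.8.0.24, and GHES ships parallel release branches, so a plain "newer is safer" comparison passes a vulnerable 3.10.4 while failing a patched 3.9.9. The following is an added example serving both sections; it is not AhnLab's code and not either vendor's tooling. The fixed versions it encodes, and the `host`/`product`/`version` inventory layout it consumes, are assumptions taken from the vendor advisories and should be verified against them:

```python
"""Patch-level gate for the two exploited products in this report.

Added example; not AhnLab's code and not either vendor's tooling.  The fixed
versions are assumptions from the vendor advisories and must be verified:
  - Cleo Harmony/VLTrader/LexiCom: 5.8.0.24 (the first fix, 5.8.0.21, was bypassed)
  - GitHub Enterprise Server (CVE-2024-0200, CVE-2024-0507): 3.8.13, 3.9.8, 3.10.5, 3.11.3
"""
import re

def parse_version(s):
    """'5.8.0.21' -> (5, 8, 0, 21); build tags and letters are ignored."""
    parts = re.findall(r"\d+", s)
    if not parts:
        raise ValueError("no numeric version in %r" % s)
    return tuple(int(p) for p in parts)

CLEO_FIXED = "5.8.0.24"  # assumption: Cleo's re-issued fix, see lead-in

# GHES keeps parallel release branches and back-ports a fix into each one, so
# a plain "newest wins" comparison is wrong: 3.9.9 is patched, 3.10.4 is not,
# even though 3.10.4 sorts higher.  Values are assumptions from the advisory.
GHES_FIXED_BY_BRANCH = {
    (3, 8): "3.8.13",
    (3, 9): "3.9.8",
    (3, 10): "3.10.5",
    (3, 11): "3.11.3",
}

def cleo_status(version):
    """Single release line: an ordered comparison against the re-issued fix is enough."""
    return "patched" if parse_version(version) >= parse_version(CLEO_FIXED) else "vulnerable"

def ghes_status(version):
    """Branch-aware comparison; never answers 'patched' for a branch it cannot judge."""
    v = parse_version(version)
    branch = v[:2]
    if branch in GHES_FIXED_BY_BRANCH:
        return "patched" if v >= parse_version(GHES_FIXED_BY_BRANCH[branch]) else "vulnerable"
    if branch > max(GHES_FIXED_BY_BRANCH):
        return "patched"      # branches cut after the advisory ship with the fix
    return "unknown"          # end-of-life branch that never received a fix: escalate, do not assume safe

CHECKS = {"cleo": cleo_status, "ghes": ghes_status}

def triage(inventory):
    """inventory: iterable of {'host': ..., 'product': 'cleo' | 'ghes', 'version': ...}."""
    return [dict(item, status=CHECKS[item["product"]](item["version"])) for item in inventory]

# Constructed inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "cleo-01", "product": "cleo", "version": "5.8.0.21"},   # carries the bypassed fix
    {"host": "cleo-02", "product": "cleo", "version": "5.8.0.24"},
    {"host": "ghes-a", "product": "ghes", "version": "3.10.4"},
    {"host": "ghes-b", "product": "ghes", "version": "3.9.9"},
    {"host": "ghes-c", "product": "ghes", "version": "3.7.20"},      # unsupported branch
    {"host": "ghes-d", "product": "ghes", "version": "3.12.1"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-8s %-5s %-9s %s" % (row["host"], row["product"], row["version"], row["status"]))
```

For GHES the value to feed in is the `installed_version` field that the instance's `/api/v3/meta` endpoint reports; for Cleo it is the build string shown in the product's administration interface. The "unknown" outcome is intentional: a branch that is not in the table and predates the advisory never received the fix, and silently treating it as safe is the same mistake as trusting 5.8.0.21.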
***
# Tool/Technique: Xiebro C2 Communication Suite
## Overview
A comprehensive set of signatures detecting various communication phases (KeepAlive, SendInfo, Disconnect, List Process) between victim hosts and the Xiebro malware Command and Control server, covering both inbound and outbound traffic.
## Technical Details
- Type: Trojan/Backdoor (C2 communications)
- Platform: Unknown (Likely Windows, based on common backdoor targets)
- Capabilities: Maintaining session persistence (KeepAlive), reporting basic system status (SendInfo), executing remote commands like process enumeration (List Process), and cleanly terminating sessions (Disconnect).
- First Seen: N/A
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071.001 - Application Layer Protocol: Web Protocols (Implied, often HTTP/S)
- T1057 - Process Discovery (For 'List Process' activity)
## Functionality
### Core Capabilities
- **KeepAlive (M1, M2, M3):** Periodic heartbeat traffic to ensure connectivity.
- **SendInfo (M1, M2, M3):** Exfiltrating gathered initial system information.
- **Disconnect (M1, M2, M3):** Signalling an end to the current communication session.
- **List Process (M1, M2, M3):** Executing process enumeration commands remotely.
### Advanced Features
- Each phase has three rule variants (M1, M2, M3). In Emerging Threats naming the M-suffix marks alternative rules for the same behaviour (different byte offsets, directions or encodings), not three versions of the malware, so analysts should collapse the variants into a single detection per phase when counting events.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Payload byte patterns associated with Xiebro's KeepAlive, SendInfo, List Process and Disconnect messages, in either direction.
- Behavioral Indicators: Sequential communication phases (e.g., KeepAlive followed by SendInfo).
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection on all listed Xiebro C2 message structures (M1, M2, M3).
## Mitigation Strategies
- Blocking C2 infrastructure identified during analysis.
- Deep packet inspection to identify the unique Xiebro command structures.
## Related Tools/Techniques
- Other backdoors with multi-message C2 protocols.