Full Report
The following is the information on YARA and Snort rules (week 3, March 2025) collected and shared by the AhnLab TIP service.

0 YARA Rules, 17 Snort Rules

| Detection name | Source |
| --- | --- |
| ET WEB_SPECIFIC_APPS D-Tale Filter Query Command Injection Attempt (CVE-2025-0655) | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT [CORELIGHT] – CVE-2025-27218 Sitecore unsafe deserialization attempt | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Apache Camel […] | |
Analysis Summary
The article is a collection of Snort detection rules released by AhnLab TIP for a specific week in March 2025 (no YARA rules were included that week). This summary breaks down the detected threats based on the rule descriptions.
***
# Tool/Technique: ET WEB\_SPECIFIC\_APPS D-Tale Filter Query Command Injection Attempt (CVE-2025-0655)
## Overview
Detection for an attempt to exploit a command injection vulnerability in D-Tale's filter query handling, tracked as CVE-2025-0655.
## Technical Details
- Type: Technique (Exploitation Attempt)
- Platform: Web Application (D-Tale)
- Capabilities: Exploiting a command injection flaw via filter query manipulation.
- First Seen: March 2025 (Based on reporting week)
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1190.003 - Exploit Public-Facing Application: Exploit Vulnerability
## Functionality
### Core Capabilities
- Identifying network traffic attempting to execute OS commands via D-Tale's query functions.
### Advanced Features
- N/A (Specific to vulnerability exploitation signature)
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Signature based on packet content)
- Behavioral Indicators: N/A
## Associated Threat Actors
- Unknown (General vulnerability scanning or exploitation)
## Detection Methods
- Signature-based detection (Snort Rule)
- Behavioral detection (Monitoring for exploit payloads)
- YARA rules: N/A
## Mitigation Strategies
- Patching D-Tale to address CVE-2025-0655.
- Input validation filtering on user-supplied query parameters.
## Related Tools/Techniques
- Other Web Application Exploits listed in context.
***
# Tool/Technique: ET EXPLOIT \[CORELIGHT\] – CVE-2025-27218 Sitecore unsafe deserialization attempt
## Overview
Detection for an attempt to exploit an unsafe deserialization vulnerability in Sitecore products, tracked as CVE-2025-27218; the `[CORELIGHT]` tag in the rule name marks it as a Corelight-related signature.
## Technical Details
- Type: Technique (Exploitation Attempt)
- Platform: Web Application (Sitecore)
- Capabilities: Attempting to leverage unsafe deserialization mechanisms to achieve arbitrary code execution or state manipulation.
- First Seen: March 2025 (Based on reporting week)
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1190.003 - Exploit Public-Facing Application: Exploit Vulnerability
## Functionality
### Core Capabilities
- Identifying serialized object payloads targeting Sitecore deserialization endpoints.
### Advanced Features
- N/A (Specific to vulnerability exploitation signature)
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Signature based on packet content)
- Behavioral Indicators: N/A
## Associated Threat Actors
- Unknown (General vulnerability scanning or exploitation)
## Detection Methods
- Signature-based detection (Snort Rule)
- Behavioral detection (Monitoring for unexpected object execution behavior)
- YARA rules: N/A
## Mitigation Strategies
- Patching Sitecore to address CVE-2025-27218.
- Restricting deserialization capabilities where possible.
## Related Tools/Techniques
- Other Web Application Exploits listed in context.
***
# Tool/Technique: ET WEB\_SPECIFIC\_APPS Apache Camel Message Header Injection (CVE-2025-27636)
## Overview
Detection for an attempt to exploit a message header injection vulnerability affecting Apache Camel, tracked as CVE-2025-27636.
## Technical Details
- Type: Technique (Exploitation Attempt)
- Platform: Web Application/Messaging Framework (Apache Camel)
- Capabilities: Injecting malicious data via HTTP headers to affect Camel routing or processing.
- First Seen: March 2025 (Based on reporting week)
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1190.003 - Exploit Public-Facing Application: Exploit Vulnerability
## Functionality
### Core Capabilities
- Monitoring HTTP headers for patterns indicative of message header injection payloads targeting Camel.
### Advanced Features
- N/A
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection (Snort Rule)
## Mitigation Strategies
- Updating Apache Camel deployments to a patched version.
- Network filtering on suspicious HTTP header content.
## Related Tools/Techniques
- ET WEB\_SPECIFIC\_APPS Apache Camel Message Header Injection in URI (CVE-2025-29891)
***
# Tool/Technique: ET WEB\_SPECIFIC\_APPS DocsGPT Remote Code Execution Attempt (CVE-2025-0868)
## Overview
Detection for an attempt to exploit a Remote Code Execution (RCE) vulnerability in DocsGPT, tracked by CVE-2025-0868.
## Technical Details
- Type: Technique (Exploitation Attempt)
- Platform: Web Application (DocsGPT)
- Capabilities: Attempting to execute arbitrary code on the underlying server hosting DocsGPT.
- First Seen: March 2025
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1190.003 - Exploit Public-Facing Application: Exploit Vulnerability
## Functionality
### Core Capabilities
- Scanning for and blocking RCE payloads directed at DocsGPT.
### Advanced Features
- N/A
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection (Snort Rule)
## Mitigation Strategies
- Patching DocsGPT to resolve CVE-2025-0868.
## Related Tools/Techniques
- Other RCE attempts on web applications.
***
# Tool/Technique: ET WEB\_SPECIFIC\_APPS Cockpit Authenticated Arbitrary PHP File Upload (CVE-2025-1025)
## Overview
Detection for an attempt to exploit an authenticated arbitrary file upload vulnerability in the Cockpit Content Management System (CVE-2025-1025), resulting in PHP file upload.
## Technical Details
- Type: Technique (Exploitation Attempt)
- Platform: Web Application (Cockpit CMS)
- Capabilities: Uploading malicious PHP scripts after achieving authenticated access.
- First Seen: March 2025
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1190.003 - Exploit Public-Facing Application: Exploit Vulnerability
- T1078.004 - Valid Accounts: Cloud Accounts (if the authenticated CMS session was obtained through account compromise)
## Functionality
### Core Capabilities
- Identifying HTTP requests containing malicious file uploads targeting Cockpit.
### Advanced Features
- Requires prior authentication to succeed.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Requests attempting to upload `.php` files to web directories via authenticated CMS sessions.
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection (Snort Rule)
## Mitigation Strategies
- Patching Cockpit CMS.
- Enforcing strict MFA/strong passwords on all CMS accounts.
## Related Tools/Techniques
- Other web-based file upload exploits.
***
# Tool/Technique: ET WEB\_SPECIFIC\_APPS KLog Server Directory Traversal Attempt (CVE-2025-1035)
## Overview
Detection for an attempt to exploit a Directory Traversal (Path Traversal) vulnerability in KLog Server, tracked as CVE-2025-1035, likely to access sensitive files.
## Technical Details
- Type: Technique (Exploitation Attempt)
- Platform: Web Application (KLog Server)
- Capabilities: Accessing files and directories outside the intended web root using sequences like `../`.
- First Seen: March 2025
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1190.003 - Exploit Public-Facing Application: Exploit Vulnerability
- T1083 - File and Directory Discovery
## Functionality
### Core Capabilities
- Identifying URL paths containing traversal sequences targeting KLog Server endpoints.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Requests including encoded or raw `../` sequences in path parameters.
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection (Snort Rule)
## Mitigation Strategies
- Updating KLog Server to address CVE-2025-1035.
- Hardening input sanitization for path parameters.
## Related Tools/Techniques
- Other directory traversal exploitation efforts.
***
# Tool/Technique: ET WEB\_SPECIFIC\_APPS PHP-CGI OS Command Injection (soft hyphen) (CVE-2024-4577)
## Overview
Detection for exploitation attempts targeting the critical PHP-CGI OS Command Injection vulnerability (CVE-2024-4577), characterized by the use of the 'soft hyphen' character substitution. This vulnerability allows attackers to execute arbitrary commands on systems running vulnerable PHP CGI configurations.
## Technical Details
- Type: Technique (Exploitation Attempt)
- Platform: PHP CGI/Server Environment
- Capabilities: Remote execution of operating system commands via specially crafted URI requests due to improper argument handling in PHP 5, 7, and 8 when running in CGI mode.
- First Seen: Prior to March 2025 (CVE published earlier in 2024)
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1190.003 - Exploit Public-Facing Application: Exploit Vulnerability
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
## Functionality
### Core Capabilities
- Identifying request URIs that carry the soft hyphen character (`%AD`), which vulnerable PHP-CGI configurations convert into a command-line hyphen so that extra PHP interpreter arguments slip past its boundary checks, or related character encodings with the same effect.
### Advanced Features
- Highly effective RCE technique against misconfigured PHP installations.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: HTTP requests containing command execution syntax (e.g., `|`, `&`, `;`) in URLs or POST parameters when targeting PHP-CGI scripts.
## Associated Threat Actors
- Known threat actors exploiting this widespread vulnerability.
## Detection Methods
- Signature-based detection (Snort Rule)
## Mitigation Strategies
- **Primary Mitigation:** Do not run PHP via CGI; use a modern, secure handler (e.g., FPM). If CGI must be used, ensure proper access controls and utilize the latest PHP versions addressing the flaw.
## Related Tools/Techniques
- General OS Command Injection methods.
***
# Tool/Technique: ET WEB\_SPECIFIC\_APPS Apache Tomcat Path Equivalence (CVE-2025-24813)
## Overview
Detection for exploitation attempts against an Apache Tomcat vulnerability related to Path Equivalence, tracked as CVE-2025-24813. This type of vulnerability often leads to unauthorized access or information disclosure by bypassing security checks.
## Technical Details
- Type: Technique (Exploitation Attempt)
- Platform: Web Application (Apache Tomcat)
- Capabilities: Exploiting path manipulation nuances to access restricted resources or execute code paths unintended by the developer.
- First Seen: March 2025
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1190.003 - Exploit Public-Facing Application: Exploit Vulnerability
## Functionality
### Core Capabilities
- Identifying specific URL constructions attempting to leverage path equivalence flaws in Tomcat.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection (Snort Rule)
## Mitigation Strategies
- Updating Apache Tomcat servers to the latest secure version.
## Related Tools/Techniques
- Other web server path canonicalization bypasses.
***
# Tool/Technique: ET TROJAN Observed DNS Query to Rasuq Force Domain
## Overview
Detection for a DNS query directed towards a domain associated with the "Rasuq Force" activity (likely a threat actor or known malware infrastructure). This suggests a system may be communicating with C2 infrastructure.
## Technical Details
- Type: Behavioral Indicator (Network Activity)
- Platform: Any system performing outbound DNS resolution.
- Capabilities: Identifying beaconing or data exfiltration attempts pointing to a known malicious domain used by Rasuq Force operators.
- First Seen: March 2025 (Based on reporting week)
## MITRE ATT&CK Mapping
- T1071.004 - Application Layer Protocol: DNS
- T1071.004.002 - Application Layer Protocol: DNS - Non-Standard Protocol
## Functionality
### Core Capabilities
- Monitoring egress DNS traffic for specific malicious domains.
### Advanced Features
- N/A
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: DNS queries for `rasuq` related domains (defanged: `rasuq<dot>force<dot>xyz` structure implied).
- Behavioral Indicators: Outbound DNS traffic matching the observed pattern.
## Associated Threat Actors
- Rasuq Force (Implied)
## Detection Methods
- Signature-based detection (Snort Rule on DNS queries)
## Mitigation Strategies
- Blocking DNS resolutions to the identified infrastructure at the firewall or DNS resolver level.
- Investigating endpoint activity associated with the query origin.
## Related Tools/Techniques
- General C2 communication attempts.
***
# Tool/Technique: ET WEB\_SPECIFIC\_APPS GLPI Pre-auth SQL Injection (CVE-2025-24799)
## Overview
Detection for attempts to exploit a Pre-authentication SQL Injection vulnerability in GLPI (IT Asset Management software), tracked as CVE-2025-24799.
## Technical Details
- Type: Technique (Exploitation Attempt)
- Platform: Web Application (GLPI)
- Capabilities: Injecting malicious SQL queries without needing valid credentials, potentially leading to data exfiltration or database compromise.
- First Seen: March 2025
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1190.003 - Exploit Public-Facing Application: Exploit Vulnerability
- T1059.004 - Command and Scripting Interpreter: SQL
## Functionality
### Core Capabilities
- Inspecting parameters for common SQL injection payloads (e.g., `OR 1=1`, time-based injection strings) targeting GLPI endpoints.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: HTTP requests containing SQL commands in URI or POST bodies destined for GLPI instances.
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection (Snort Rule)
## Mitigation Strategies
- Patching GLPI to address CVE-2025-24799.
- Implementing a robust Web Application Firewall (WAF) to filter SQL syntax.
## Related Tools/Techniques
- Other database injection attacks.
***
# Tool/Technique: ET CURRENT\_EVENTS TA453 Google Drive Lookalike (`drives.googles.*.site`)
## Overview
Detection targeting phishing infrastructure associated with the threat actor TA453, specifically using lookalike domains mimicking Google Drive (e.g., `drives.googles.site`). This is indicative of credential harvesting campaigns.
## Technical Details
- Type: Technique (Phishing Infrastructure)
- Platform: Internet/Email (Credential Harvesting)
- Capabilities: Hosting malicious websites designed to trick users into submitting credentials for Google services.
- First Seen: March 2025 (Active campaign noted)
## MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment (If used in email)
- T1566.002 - Phishing: Spearphishing Link (Most likely)
- T1090.003 - Proxy: Multi-hop Proxy (If infrastructure is complex)
## Functionality
### Core Capabilities
- Blocking network connections to specific domains registered under TA453's control structure.
### Advanced Features
- Utilizing typo-squatting to bypass basic URL checks.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Domains like `drives<dot>googles<dot>something<dot>site`.
- Behavioral Indicators: N/A
## Associated Threat Actors
- TA453
## Detection Methods
- Signature-based detection (Snort Rule on DNS requests/HTTP flows)
## Mitigation Strategies
- Updating internal DNS filters (Sinkholing).
- User training on identifying phishing links, especially those related to cloud storage services.
## Related Tools/Techniques
- Other credential harvesting campaigns.
***
# Tool/Technique: ET TROJAN TINYSHELL impad Variant Encrypted Auth Token / Command Packet
## Overview
Detection for network traffic associated with the `TINYSHELL` family of malware, specifically variants named "impad," characterized by recognizable encrypted authentication tokens and command packets.
## Technical Details
- Type: Malware Family (Backdoor/RAT)
- Platform: Windows/Linux (Implied by general usage of TINYSHELL)
- Capabilities: Establishing command and control (C2) communication using custom, encrypted protocols for authentication and command delivery.
- First Seen: Context suggests activity in March 2025
## MITRE ATT&CK Mapping
- T1071.001 - Application Layer Protocol: Web Protocols (If HTTP/S is used for C2)
- T1071.004 - Application Layer Protocol: DNS (If DNS Tunnelling is used)
- T1573.001 - Encrypted Channel: Symmetric Cryptography
## Functionality
### Core Capabilities
- Identifying the specific C2 signature (encrypted token/packet handshake) used by the *impad* variant of TINYSHELL.
### Advanced Features
- Use of symmetric encryption to obscure C2 operations.
## Indicators of Compromise
- File Hashes: N/A (Rules target network traffic)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Specific packet structures or content indicating the *impad* protocol handshake.
- Behavioral Indicators: Outbound connections mirroring known C2 timing and structure for this trojan.
## Associated Threat Actors
- Unknown (Associated with TINYSHELL infrastructure)
## Detection Methods
- Signature-based detection (Snort Rules focusing on packet payload structure).
## Mitigation Strategies
- Blocking all C2 communication associated with identified IPs/Domains for TINYSHELL.
- Endpoint detection to remove the malware payload itself.
## Related Tools/Techniques
- ET TROJAN TINYSHELL *irad* Variant (see next entry).
***
# Tool/Technique: ET TROJAN TINYSHELL irad Variant ICMP Inbound
## Overview
Detection for network activity associated with the `TINYSHELL` malware family, specifically the *irad* variant, utilizing ICMP traffic for inbound command and control. This suggests covert C2 channel usage.
## Technical Details
- Type: Malware Family (Backdoor/RAT)
- Platform: Systems running TINYSHELL *irad* (likely Windows or Linux endpoints).
- Capabilities: Receiving commands covertly via ICMP Echo Reply/Request packets (ICMP tunneling).
- First Seen: March 2025
## MITRE ATT&CK Mapping
- T1071.004 - Application Layer Protocol: DNS (not applicable here; this variant uses ICMP rather than DNS)
- T1090.004 - Proxy: Domain Fronting (not applicable here; listed only as a related C2 technique)
- T1090.005 - Proxy: **ICMP Tunneling** (Most applicable for covert C2)
## Functionality
### Core Capabilities
- Identifying encapsulated data or specific metadata within ICMP packets that signify a TINYSHELL *irad* command.
### Advanced Features
- Use of ICMP for covert C2, often bypassing standard port-based firewall rules.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: ICMP packets containing payload data fragments (e.g., the strings `uSarguuS62bKRA0J` and `1spCq0BMbJwCoeZn`, likely token or payload identifiers matched by the rule).
- Behavioral Indicators: Non-standard ICMP payload content.
## Associated Threat Actors
- Unknown (Associated with TINYSHELL infrastructure)
## Detection Methods
- Signature-based detection (Snort Rules analyzing ICMP payloads).
## Mitigation Strategies
- Auditing firewall rules to restrict or deeply inspect ICMP payloads for non-standard content (ICMP Tunneling detection).
## Related Tools/Techniques
- ET TROJAN TINYSHELL *impad* Variant.