Full Report
The following is the information on Yara and Snort rules (week 4, January 2025) collected and shared by the AhnLab TIP service.

7 YARA Rules

| Detection name | Description | Source |
|---|---|---|
| PK_SumUp_pseller | Phishing Kit impersonating SumUp | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_SwissPass_z3ci_2 | Phishing Kit impersonating SwissPass.ch | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_PayPal_0x | Phishing Kit impersonating PayPal | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_IndonesiaBaikId_malay | Phishing Kit impersonating Indonesia Baik id | https://github.com/t4d/PhishingKit-Yara-Rules |

[…]
Analysis Summary
The provided context consists of a list of Yara and Snort rules released by AhnLab TIP in week 4 of January 2025. This summary will focus on the malware, phishing kits, and general threat detection techniques highlighted by these rules.
***
# Tool/Technique: Phishing Kits (General Category)
## Overview
Several distinct phishing kits that impersonate legitimate services, each covered by a dedicated Yara rule.
## Technical Details
- Type: Malware/Lure (Phishing Kit)
- Platform: Web/Generic (Used for credential harvesting)
- Capabilities: Impersonation of financial institutions or service providers (SumUp, SwissPass, PayPal, AT&T) and general services (Indonesia Baik id).
- First Seen: Week 4, January 2025 (Detection update)
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T600.001 - Drive-by Compromise (Implied, as phishing is the delivery mechanism)
- TA0006 - Credential Access
- T1555 - Credentials from Password Stores (Primary goal of phishing)
## Functionality
### Core Capabilities
- Mimicking login pages for services like SumUp, SwissPass.ch, PayPal, and AT&T to steal user credentials.
### Advanced Features
- Rule `PK_IndonesiaBaikId_malay` suggests variants targeting Indonesia-specific services or using Malay-language lures.
## Indicators of Compromise
*Note: Specific file hashes, file names, or network indicators are not provided in the context, only detection rule names.*
- File Hashes: [N/A]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: [N/A]
- Behavioral Indicators: [N/A]
## Associated Threat Actors
- Undetermined for the individual kits; the tactics are typical of commodity cybercriminal operations.
## Detection Methods
- Signature-based detection via Yara rules: `PK_SumUp_pseller`, `PK_SwissPass_z3ci_2`, `PK_PayPal_0x`, `PK_IndonesiaBaikId_malay`, `PK_ATandT_yb`.
## Mitigation Strategies
- User awareness training on recognizing phishing attempts.
- Implementing multi-factor authentication (MFA).
- Monitoring network traffic for suspicious connections originating from user workstations.
## Related Tools/Techniques
- Other credential harvesting techniques.
***
# Tool/Technique: wmRAT
## Overview
A Remote Access Trojan (RAT) tracked by malware analysts, detected based on specific coding characteristics.
## Technical Details
- Type: Malware (RAT)
- Platform: Undetermined (Likely Windows based on common RAT targets and context)
- Capabilities: Remote control and system access, characterized by unique socket usage and error handling.
- First Seen: Week 4, January 2025 (Detection update)
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information
## Functionality
### Core Capabilities
- Establishing remote access.
### Advanced Features
- Characterized by "socket usage" and "odd error handling," suggesting obfuscation or custom communications logic.
- Reuses strings, which aids in signature creation.
## Indicators of Compromise
- Detection focuses on internal code artifacts rather than external IOCs.
- File Hashes: [N/A]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: [N/A]
- Behavioral Indicators: Unusual socket usage patterns, specific error handling sequences.
## Associated Threat Actors
- APT_IN_TA397
## Detection Methods
- Signature-based detection via Yara rule: `APT_IN_TA397_wmRAT`.
## Mitigation Strategies
- Application control to restrict unauthorized executables.
- Network monitoring for abnormal outbound communication patterns (C2).
## Related Tools/Techniques
- Other RATs and remote access tools.
***
# Technique: Exploiting NTFS Alternate Data Streams (ADS) for Payload Staging
## Overview
A technique where malicious content (specifically RAR archives) is hidden within NTFS Alternate Data Streams to evade simple file scanning.
## Technical Details
- Type: Technique/Behavioral Indicator
- Platform: Windows
- Capabilities: Achieving file persistence or evasion by hiding data within the file system metadata.
- First Seen: Week 4, January 2025 (Detection update)
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1027.002 - Obfuscated Files or Information: Alternate Data Streams
## Functionality
### Core Capabilities
- Encapsulating a RAR archive within an NTFS ADS.
### Advanced Features
- Hiding a potentially dangerous compressed file format directly in file metadata, bypassing standard file-hash checks on the main stream.
## Indicators of Compromise
- Detection focuses on the structure of files on disk.
- File Hashes: [N/A]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: [N/A]
- Behavioral Indicators: File access/creation involving the `:<stream_name>` syntax specific to ADS.
## Associated Threat Actors
- Undetermined, but common among fileless/evasive malware.
## Detection Methods
- Signature-based detection via Yara rule: `SUSP_RAR_NTFS_ADS`.
## Mitigation Strategies
- Implementing security solutions that actively enumerate and inspect NTFS Alternate Data Streams.
- Restricting file creation privileges on sensitive directories.
## Related Tools/Techniques
- Steganography techniques.
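As an added defender-side example (not from the AhnLab report or from the source of the `SUSP_RAR_NTFS_ADS` rule), the following Python script shows the two checks that the behavioral indicator and the mitigation above call for: recognizing the `:<stream_name>` syntax in a file path without confusing it with the drive-letter colon, and inspecting the first bytes of a stream for the RAR signature instead of trusting the stream name. The file-creation record format (`path` plus the hex of the stream's first bytes) and the `BENIGN_STREAMS` list are assumptions made for this example; the sample records are constructed.

```python
"""Added example: triage NTFS Alternate Data Stream (ADS) file events for
hidden RAR archives. Not part of the AhnLab TIP report; the record format,
helper names and sample events are assumptions made for this example."""
import re
from typing import Dict, List, NamedTuple, Optional

# RAR archive signatures (first bytes of the archive).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Streams that Windows and browsers create routinely (assumed list); they
# are not interesting on their own, so triage keys on everything else.
BENIGN_STREAMS = {"Zone.Identifier", "SmartScreen", "encryptable"}


class AdsPath(NamedTuple):
    base: str                 # the file that owns the stream
    stream: Optional[str]     # None for the unnamed (main) data stream
    stream_type: str          # e.g. "$DATA"


# base: optional drive letter ("C:") followed by anything up to the next
# colon; stream: optional ":<name>"; type: optional ":$TYPE".
_ADS_RE = re.compile(
    r"^(?P<base>(?:[A-Za-z]:)?[^:]*)"
    r"(?::(?P<stream>[^:]*))?"
    r"(?::(?P<type>\$[A-Za-z_]+))?$"
)


def parse_ads_path(path: str) -> Optional[AdsPath]:
    """Split 'C:\\dir\\file.ext:stream:$DATA' into its parts.
    'file.ext' and 'file.ext::$DATA' both denote the main stream."""
    m = _ADS_RE.match(path)
    if not m:
        return None
    stream = m.group("stream") or None
    return AdsPath(m.group("base"), stream, m.group("type") or "$DATA")


def looks_like_rar(head: bytes) -> bool:
    """True if the bytes start with a RAR4 or RAR5 archive signature."""
    return head.startswith(RAR4_MAGIC) or head.startswith(RAR5_MAGIC)


def read_stream_head(base: str, stream: str, n: int = 8) -> bytes:
    """Read the first n bytes of a named stream. Windows only: NTFS exposes
    a named stream through the 'file:stream' path syntax."""
    with open(f"{base}:{stream}", "rb") as fh:
        return fh.read(n)


def triage_file_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag events whose path names an ADS that is either a RAR archive by
    signature or simply not one of the routine stream names."""
    findings = []
    for ev in events:
        parsed = parse_ads_path(ev["path"])
        if parsed is None or parsed.stream is None:
            continue                      # main stream: out of scope here
        head = bytes.fromhex(ev.get("head", ""))
        if looks_like_rar(head):
            reason = "rar_signature_in_ads"
        elif parsed.stream in BENIGN_STREAMS:
            continue
        else:
            reason = "unusual_ads"
        findings.append({"path": ev["path"], "stream": parsed.stream,
                         "reason": reason})
    return findings


# Constructed sample records: a Windows path and the hex of the first bytes
# of the stream that was written.
SAMPLE_EVENTS = [
    {"path": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier",
     "head": "5b5a6f6e65"},                          # "[Zone" text, routine
    {"path": r"C:\Users\alice\Documents\report.docx:payload.rar:$DATA",
     "head": "526172211a0700"},                      # RAR4 signature
    {"path": r"C:\Users\alice\Documents\notes.txt",
     "head": "48656c6c6f"},                          # main stream, skipped
    {"path": r"C:\ProgramData\cache.bin:update",
     "head": "526172211a070100"},                    # RAR5 signature
    {"path": r"C:\Temp\readme.txt:odd",
     "head": "00000000"},                            # unusual stream name
]

if __name__ == "__main__":
    for f in triage_file_events(SAMPLE_EVENTS):
        print(f"{f['reason']:22} {f['path']}")
```

On a live host the same logic applies to streams enumerated by an EDR or by `dir /r`: pass each `base:stream` pair through `read_stream_head` and `looks_like_rar`, so that a stream named like a harmless artifact but carrying an archive is still caught.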
***
# Vulnerabilities and Exploits (Detected via Snort Rules)
This section summarizes threats detected via Emerging Threats (ET) Snort rules, focusing on specific CVEs and exploitation patterns.
## Technical Details (General)
- Type: Exploits/Traffic Signature (Network Intrusion Detection)
- Platform: Various Web Applications/Network Appliances
- Capabilities: Detecting attempts to exploit known vulnerabilities or traffic indicating known malware families.
- First Seen: Week 4, January 2025 (Detection update)
## MITRE ATT&CK Mapping
Varies widely based on the specific CVE/exploit, but generally maps to Initial Access (T600) or Execution (T602).
## Functionality
### Core Capabilities (Specific Detections)
The rules target exploitation attempts against:
1. **Aviatrix Controller**: Unauthenticated OS Command Injection (CVE-2024-50603).
2. **Fortinet**: Authentication Bypass via Node.js Websocket (CVE-2024-55591).
3. **Various Web Components**: Cross-Site Scripting (XSS) attempts against:
* Squid Proxy (`user_name` and `auth` parameters).
* phpGACL components (CVE-2020-13562, CVE-2020-13563, CVE-2020-13564).
* WordPress Limit Login Attempts Plugin (CVE-2023-1861).
* Apache ActiveMQ Web Console (CVE-2020-13947).
* Apache Superset Markdown Component (CVE-2021-27907).
### Advanced Features
- Detection of traffic associated with known malware command-and-control or staging:
* `ET TROJAN Obfuscated Clickfix Javascript Payload Inbound`.
* `ET TROJAN Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2` (Indicating Stealc or Vidar related C2 activity).
## Indicators of Compromise
- Network traffic patterns matching exploit payloads or C2 headers associated with the mentioned vulnerabilities or malware families.
## Associated Threat Actors
- Threat actors leveraging known, unpatched vulnerabilities in common enterprise software (Aviatrix, Fortinet, Apache components).
- Actors using Stealc, Vidar, or Clickfix JavaScript payloads.
## Detection Methods
- Signature-based detection via Snort rules (e.g., `ET WEB_SPECIFIC_APPS...`).
## Mitigation Strategies
- **Patch Management**: Immediate patching of all listed vulnerable systems (Aviatrix Controller, Fortinet, specific web applications/plugins).
- **Network Segmentation**: Isolate vulnerable web services where possible.
- **Input Validation**: Ensure robust input validation on all user-facing application parameters to prevent XSS.
## Related Tools/Techniques
- Exploits targeting specific vendor weaknesses.