Full Report
The following is the information on YARA and Snort rules (week 4, March 2025) collected and shared by the AhnLab TIP service.

10 YARA Rules

| Detection name | Description | Source |
| --- | --- | --- |
| PK_Alibaba_whizkossy | Phishing Kit impersonating Alibaba | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Caixa_db | Phishing Kit impersonating Caixa Bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_MBHBank_takare | Phishing Kit impersonating MBH Bank from Hungary | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Telstra_mengunjungi2 | Phishing Kit impersonating […] | |
Analysis Summary
This summary extracts information related to malware, tools, and specific offensive techniques based on the provided YARA and Snort rules catalog from March 2025.
# Tool/Technique: Phishing Kits (e.g., `PK_Alibaba_whizkossy`, `PK_Caixa_db`)
## Overview
Various phishing kits targeting specific brands (Alibaba, Caixa Bank, MBH Bank, Telstra, Visa, Kraken) used to trick users into providing credentials or sensitive information. Signature rules are being created to detect files associated with these kits.
## Technical Details
- Type: Tool (Phishing infrastructure components)
- Platform: Web Servers (PHP/HTML/etc.)
- Capabilities: Impersonation of legitimate login pages for credential harvesting, social engineering.
- Detection Focus: YARA Rules detection based on internal strings or structure.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Applicable if kits are distributed via email)
- T1566.002 - Spearphishing Link (Most common vector for web-based kits)
## Functionality
### Core Capabilities
- Mimicking legitimate service interfaces.
- Collecting user input (credentials, payment info).
### Advanced Features
- Specific branding and localized content for targeted organizations.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: [Not provided in context, but determined by the kit contents]
- Registry Keys: [N/A]
- Network Indicators: [Directs user to attacker-controlled domains for submission]
- Behavioral Indicators: Successful submission of credentials via HTTP POST requests from the fake login page.
## Associated Threat Actors
- Actors specializing in financial fraud and credential theft campaigns.
## Detection Methods
- Signature-based detection: YARA rules actively target specific strings or structures associated with these known kits (e.g., `PK_Alibaba_whizkossy`, `PK_Kraken_pacman`).
## Mitigation Strategies
- User education on recognizing phishing attempts.
- Implementation of strong authentication (MFA).
- Domain/URL filtering.
## Related Tools/Techniques
- Web application frameworks used for hosting malicious content.
---
# Tool/Technique: Octowave Loader
## Overview
A malware family or component detected through its supporting files (which contain hardcoded values) and through DLLs that use WAV steganography to load persistence components or additional payloads.
## Technical Details
- Type: Malware Loader
- Platform: Windows (implied by DLL/WAV file usage)
- Capabilities: Loading secondary payloads, potentially covert communication via steganography.
- First Seen: Mentioned in March 2025 context.
## MITRE ATT&CK Mapping
- T1564.006 - Steganography (Specific capability observed)
- T1027 - Obfuscated Files or Information
- T1071 - Application Layer Protocol (Used for C2, though not specified directly)
## Functionality
### Core Capabilities
- Loading malicious code from supporting files.
- Using WAV files to hide data.
### Advanced Features
- Steganography to hide operational data or secondary payloads within benign file formats (WAV).
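A defender-side illustration of how a WAV carrier can be checked for hidden data, added here as an example; it is not code from the AhnLab summary and not the Octowave YARA rule. It applies two generic heuristics: RIFF chunk accounting (bytes appended beyond the declared RIFF size, truncated or unexpected chunks) and byte entropy of the `data` chunk, since encrypted or compressed payloads approach 8 bits/byte while PCM audio stays well below that. The entropy threshold, the chunk allow-list and the constructed sample files are assumptions.

```python
"""Structural checks for a RIFF/WAV file suspected of carrying hidden data.

Added example; not the AhnLab page's code and not the Octowave YARA rule.
Heuristics: (1) chunk accounting exposes bytes appended beyond the declared
RIFF size, (2) byte entropy of the data chunk flags payload-like content.
"""
import hashlib
import io
import math
import struct
import wave
from collections import Counter
from typing import Dict, List, Optional

ENTROPY_THRESHOLD = 7.5  # assumed cut-off, bits per byte
KNOWN_CHUNKS = (b"fmt ", b"data", b"LIST", b"fact", b"cue ")  # assumed allow-list


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_wav(blob: bytes) -> Dict[str, object]:
    """Walk the RIFF chunk list and report structural or statistical anomalies."""
    findings: List[str] = []
    entropy: Optional[float] = None
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return {"valid_riff": False, "data_entropy": None, "findings": ["not a RIFF/WAVE file"]}
    declared_end = 8 + struct.unpack("<I", blob[4:8])[0]
    if declared_end < len(blob):
        findings.append(f"{len(blob) - declared_end} bytes appended after declared RIFF size")
    pos = 12
    while pos + 8 <= min(declared_end, len(blob)):
        cid = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        body = blob[pos + 8:pos + 8 + size]
        if len(body) < size:
            findings.append(f"chunk {cid!r} declares {size} bytes but the file is truncated")
            break
        if cid == b"data":
            entropy = shannon_entropy(body)
            if entropy > ENTROPY_THRESHOLD:
                findings.append(f"data chunk entropy {entropy:.2f} bits/byte looks like a packed payload")
        elif cid not in KNOWN_CHUNKS:
            findings.append(f"unexpected chunk id {cid!r}")
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length
    return {"valid_riff": True, "data_entropy": entropy, "findings": findings}


# --- constructed inputs (not real samples) ---

def make_tone_wav(seconds: float = 0.5, rate: int = 8000, amp: int = 1000) -> bytes:
    """Benign carrier: a quiet 440 Hz sine tone, 16-bit mono PCM."""
    frames = b"".join(struct.pack("<h", int(amp * math.sin(2 * math.pi * 440 * i / rate)))
                      for i in range(int(seconds * rate)))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(frames)
    return buf.getvalue()


def pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def append_payload(carrier: bytes, payload: bytes) -> bytes:
    """Stego variant A: payload glued on after the RIFF structure ends."""
    return carrier + payload


def swap_data_chunk(carrier: bytes) -> bytes:
    """Stego variant B: audio samples replaced by payload-like bytes of equal size."""
    idx = carrier.find(b"data")
    size = struct.unpack("<I", carrier[idx + 4:idx + 8])[0]
    return carrier[:idx + 8] + pseudo_random(size) + carrier[idx + 8 + size:]


if __name__ == "__main__":
    clean = make_tone_wav()
    for label, sample in (("clean", clean),
                          ("appended", append_payload(clean, pseudo_random(512))),
                          ("swapped", swap_data_chunk(clean))):
        print(label, inspect_wav(sample)["findings"])
```

The clean tone produces no findings, the appended variant is caught by chunk accounting alone, and the swapped variant is caught only by the entropy test; an LSB-embedding scheme that keeps the audio intact would defeat both checks, which is why the page pairs file-level signatures with monitoring of which processes read WAV files.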
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: Supporting files for the loader.
- Registry Keys: [Not provided in context]
- Network Indicators: [Not provided in context]
- Behavioral Indicators: Accessing/reading WAV files in a suspicious manner, loading suspicious DLLs.
## Associated Threat Actors
- [Not explicitly named, suggests a sophisticated actor capable of implementing steganography.]
## Detection Methods
- Signature-based detection: YARA rules (`Octowave_Loader_Supporting_File_03_2025`, `Octowave_Loader_03_2025`) targeting opcodes and hardcoded values.
## Mitigation Strategies
- Restricting privileges for applications to read and process common file formats in unexpected ways.
- Monitoring for unusual file access patterns.
## Related Tools/Techniques
- Other file-based steganography tools.
---
# Tool/Technique: Suspicious SVG with JavaScript Payload
## Overview
A generic detection for Scalable Vector Graphics (SVG) files that contain embedded JavaScript payloads, often used in web-based attacks or document exploits.
## Technical Details
- Type: Attack Artifact/Payload Delivery Mechanism
- Platform: Web browsers, any system processing SVG files that allow script execution.
- Capabilities: Executing arbitrary client-side scripts (e.g., XSS, redirection, cookie theft).
- Detection Focus: Content analysis via YARA rule (`SUSP_SVG_JS_Payload_Mar25`).
## MITRE ATT&CK Mapping
- T1204.002 - User Execution: Malicious File
- T1027 - Obfuscated Files or Information
- T1568 - Dynamic Resolution (If payload is dynamically fetched)
## Functionality
### Core Capabilities
- Delivery and execution of client-side code via an SVG wrapper.
### Advanced Features
- Potential for low detection rates if the embedded JavaScript is obfuscated or packed.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: Suspiciously named `.svg` files.
- Registry Keys: [N/A]
- Network Indicators: [N/A]
- Behavioral Indicators: Execution of JavaScript found within an SVG context that otherwise would be static content.
## Associated Threat Actors
- General web attackers, XSS distributors.
## Detection Methods
- Signature-based detection: YARA rule specifically looking for JavaScript content markers within SVG file structures.
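An added example of the kind of content check such a rule encodes, written as a Python scanner; it is not the AhnLab page's code and not the `SUSP_SVG_JS_Payload_Mar25` rule itself. A real XML parse catches `script` elements, `on*` event-handler attributes, `javascript:` links and `foreignObject` HTML embedding; a raw-byte pass catches the same markers in files that are deliberately malformed so that a parser gives up, which covers the obfuscated or packed case the section mentions. The regexes, marker names and the three sample documents are constructed.

```python
"""Scanner for SVG files that embed JavaScript.

Added example; not the AhnLab page's code and not the SUSP_SVG_JS_Payload_Mar25
rule. A structural pass (XML parse) plus a raw-byte fallback for malformed files.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Raw-byte markers (case-insensitive) used when the XML parser cannot help.
_SCRIPT_TAG = re.compile(rb"<\s*script\b", re.IGNORECASE)
_EVENT_ATTR = re.compile(rb"\son[a-z]+\s*=", re.IGNORECASE)
_JS_URI = re.compile(rb"javascript\s*:", re.IGNORECASE)
_HTML_DATA_URI = re.compile(rb"data:text/html", re.IGNORECASE)
_OPAQUE_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # long base64-like run


def _structural_findings(data: bytes) -> List[str]:
    """Findings from a proper XML parse; empty list when the file is not well-formed."""
    findings: List[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return findings
    for elem in root.iter():
        if not isinstance(elem.tag, str):
            continue
        tag = elem.tag.split("}")[-1].lower()  # strip the namespace prefix
        if tag == "script":
            findings.append("script element")
        elif tag == "foreignobject":
            findings.append("foreignObject element (HTML embedding)")
        for name, value in elem.attrib.items():
            local = name.split("}")[-1].lower()
            if local.startswith("on"):
                findings.append(f"event handler attribute {local}")
            if local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URI in href")
    return findings


def scan_svg(data: bytes) -> Dict[str, object]:
    """Return {'suspicious': bool, 'reasons': [...]} for one SVG document."""
    reasons = _structural_findings(data)
    # Raw checks only add what the structural pass did not already report.
    if _SCRIPT_TAG.search(data) and "script element" not in reasons:
        reasons.append("raw <script marker")
    if _EVENT_ATTR.search(data) and not any(r.startswith("event handler") for r in reasons):
        reasons.append("raw on*= attribute marker")
    if _JS_URI.search(data) and "javascript: URI in href" not in reasons:
        reasons.append("raw javascript: URI")
    if _HTML_DATA_URI.search(data):
        reasons.append("data:text/html URI")
    if reasons and _OPAQUE_BLOB.search(data):
        reasons.append("long opaque blob next to script markers (possible packed payload)")
    return {"suspicious": bool(reasons), "reasons": reasons}


# --- constructed samples (not files from the page) ---
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

SCRIPTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script type="text/javascript">/* constructed placeholder, not a real payload */ var n = 1;</script>
  <a xlink:href="javascript:void(0)"><text x="1" y="10">open</text></a>
</svg>"""

# Unquoted attribute and unclosed element: the XML parser rejects it, the raw pass still fires.
MALFORMED_SVG = b"<svg><rect onload=go() width=10></svg>"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG), ("malformed", MALFORMED_SVG)):
        print(label, scan_svg(doc))
```

The raw pass is deliberately noisier than the structural one (a `\son[a-z]+=` match inside text content is a false positive), so in a gateway the two verdicts are best logged separately: structural hits justify blocking, raw-only hits justify quarantine and review.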
## Mitigation Strategies
- Content Security Policy (CSP) implementation to restrict script sources.
- Disabling SVG rendering or scripting where possible on endpoints/email gateways.
## Related Tools/Techniques
- XSS payloads.
---
# Tool/Technique: ZDI-CAN-25373 Exploitation via Padded LNK Files
## Overview
Detection for specialized Link (.LNK) files designed to exploit the vulnerability documented under ZDI-CAN-25373, using file padding to potentially hide malicious structures or confuse simple signature checks.
## Technical Details
- Type: Exploit Artifact / Delivery mechanism
- Platform: Windows (LNK files)
- Capabilities: Arbitrary code execution upon user interaction with the LNK file.
- Detection Focus: YARA rule (`EXT_EXPL_ZTH_LNK_EXPLOIT_A`) targeting padded LNK structures.
## MITRE ATT&CK Mapping
- T1204.002 - User Execution: Malicious File
- T1173 - Exploitation for Client Execution (If triggered by LNK opening)
## Functionality
### Core Capabilities
- Weaponizing LNK files to trigger a specific vulnerability.
### Advanced Features
- Use of padding to avoid detection by rules looking for non-standard file sizes or structures.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: `.lnk` files.
- Registry Keys: [Not provided in context]
- Network Indicators: [If used to download secondary payload]
- Behavioral Indicators: Anomalous system activity following the opening of an LNK file.
## Associated Threat Actors
- Actors leveraging zero-day/N-day vulnerabilities disclosed via ZDI programs.
## Detection Methods
- Signature-based detection: YARA rule targeting the padded LNK structure specific to this exploit.
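The following is an added example of a padding heuristic for shortcut files, written in Python; it is not the AhnLab page's code and not the `EXT_EXPL_ZTH_LNK_EXPLOIT_A` rule itself. It validates the fixed 76-byte ShellLinkHeader (the `HeaderSize` field and the `LinkCLSID` value from the MS-SHLLINK specification) and then measures runs of whitespace characters, in both ASCII and UTF-16LE encodings, in the remainder of the file. The run-length threshold and the two constructed sample files are assumptions; the samples only reproduce the header faithfully and are not parseable shortcuts.

```python
"""Heuristic for .LNK (Shell Link) files carrying abnormal padding.

Added example; not the AhnLab page's code and not the EXT_EXPL_ZTH_LNK_EXPLOIT_A
rule. Header fields follow MS-SHLLINK; the threshold is an assumption.
"""
import re
import struct
from typing import Dict, List

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
PAD_RUN_THRESHOLD = 64  # assumed: genuine shortcuts do not contain whitespace runs this long
_WS = rb"[ \t\r\n\x0b\x0c]"
_ASCII_WS_RUN = re.compile(_WS + rb"{%d,}" % PAD_RUN_THRESHOLD)
_UTF16_WS_RUN = re.compile(rb"(?:" + _WS + rb"\x00){%d,}" % PAD_RUN_THRESHOLD)


def inspect_lnk(blob: bytes) -> Dict[str, object]:
    """Validate the ShellLinkHeader, then report long whitespace runs after it."""
    if len(blob) < LNK_HEADER_SIZE:
        return {"valid_header": False, "longest_pad_run": 0, "findings": ["shorter than ShellLinkHeader"]}
    header_size = struct.unpack("<I", blob[:4])[0]
    if header_size != LNK_HEADER_SIZE or blob[4:20] != LNK_CLSID:
        return {"valid_header": False, "longest_pad_run": 0, "findings": ["HeaderSize/LinkCLSID mismatch"]}
    link_flags = struct.unpack("<I", blob[20:24])[0]
    body = blob[LNK_HEADER_SIZE:]
    findings: List[str] = []
    longest = pad_bytes = 0
    for pattern, label, width in ((_ASCII_WS_RUN, "ASCII", 1), (_UTF16_WS_RUN, "UTF-16LE", 2)):
        for m in pattern.finditer(body):
            chars = len(m.group(0)) // width
            longest = max(longest, chars)
            pad_bytes += len(m.group(0))
            findings.append(f"{label} whitespace run of {chars} chars at file offset {LNK_HEADER_SIZE + m.start()}")
    return {"valid_header": True, "link_flags": link_flags, "longest_pad_run": longest,
            "pad_ratio": round(pad_bytes / max(len(body), 1), 3), "findings": findings}


# --- constructed samples (not files from the page) ---

def build_fake_lnk(string_data: bytes) -> bytes:
    """Stand-in shortcut: an exact ShellLinkHeader followed by raw string data.
    Only the header is faithful; the tail is not a parseable StringData block."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<I", 0x20)  # LinkFlags: HasArguments
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # remaining fixed fields zeroed
    return header + string_data


CLEAN_LNK = build_fake_lnk("notepad.exe readme.txt".encode("utf-16-le"))
PADDED_LNK = build_fake_lnk(("notepad.exe" + " " * 900 + "readme.txt").encode("utf-16-le"))

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_LNK), ("padded", PADDED_LNK)):
        print(label, inspect_lnk(sample))
```

A file that fails the header check is simply not a shortcut and belongs to a different triage path; the interesting verdict is a valid header with a high `pad_ratio`, which is what a size-based rule would miss because the padded file still has a plausible overall length.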
## Mitigation Strategies
- Patching systems against ZDI-CAN-25373 immediately.
- Restricting the execution of LNK files or enforcing strict application control.
## Related Tools/Techniques
- Other LNK file exploits (e.g., LNK Zone Identifier manipulation).
---
# Tool/Technique: Generic Rust Stealer Exfiltration / RustyStealer
## Overview
Detection signatures targeting network traffic associated with data exfiltration performed by stealer malware written in Rust, specifically mentioning generic Rust stealers and the 'RustyStealer' variant.
## Technical Details
- Type: Malware (Information Stealer) / Network Behavior
- Platform: Unknown, likely Windows or Multi-platform (Rust)
- Capabilities: Stealing various types of sensitive data (passwords, cookies, cryptocurrency wallets) and exfiltrating them, often via HTTP POST requests.
- Detection Focus: Snort rules monitoring POST traffic patterns.
## MITRE ATT&CK Mapping
- T1041 - Exfiltration Over C2 Channel
- T1048.003 - Exfiltration Over Web Service (POST requests)
## Functionality
### Core Capabilities
- Collecting sensitive endpoint data.
- Sending collected data outbound over HTTP POST requests.
### Advanced Features
- Potential evasion techniques common in Rust binaries (though not detailed here).
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: [Not provided in context]
- Registry Keys: [Not provided in context]
- Network Indicators: Snort rules detect traffic patterns consistent with data exfiltration POST requests often associated with stealers.
- Behavioral Indicators: POST request volume or characteristic content length associated with known stealer artifacts.
## Associated Threat Actors
- Cybercriminals deploying commodity malware (RustyStealer).
## Detection Methods
- Network Signature: Snort rules (`ET TROJAN Generic Rust Stealer Exfiltration`, `ET TROJAN RustyStealer CnC Checkin/Exfil`).
## Mitigation Strategies
- Network segmentation.
- Traffic inspection (DPI) to examine POST request contents for PII/credentials.
- Antivirus detecting the compiled Rust binary.
## Related Tools/Techniques
- Amadey C2 (also listed via Snort rule).
- Other stealer malware like Vidar, Raccoon.
---
# Tool/Technique: Amadey C2 Communication
## Overview
A Snort rule designed to detect command and control (C2) communication patterns linked to the Amadey trojan.
## Technical Details
- Type: Malware Command and Control (C2)
- Platform: Windows (primarily)
- Capabilities: Establishing C2 linkage, often preceding payload deployment or tasking.
- Detection Focus: Snort rule monitoring specific network signatures.
## MITRE ATT&CK Mapping
- T1071.001 - C2: Web Protocols
## Functionality
### Core Capabilities
- Outbound beaconing or inbound command reception.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- Network Indicators: Snort rule targets traffic matching known Amadey C2 responses.
## Associated Threat Actors
- Various threat actors utilizing Amadey as an initial access broker or simple downloader.
## Detection Methods
- Network Signature: Snort rule (`ET TROJAN Amadey CnC Response`).
## Mitigation Strategies
- Blocking known Amadey C2 domains/IPs (if extracted).
- Network monitoring for beaconing behavior.
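The two network behaviours described in this section and in the Rust stealer section above (bulk HTTP POST exfiltration and periodic C2 beaconing) can be surfaced from ordinary proxy logs without a vendor signature. The block below is an added example, not code from the AhnLab summary or from the Emerging Threats rule set; the log format, the `.invalid` and `.test` hostnames, the private addresses and every threshold are constructed.

```python
"""Proxy-log detection for stealer-style POST exfiltration and loader-style beaconing.

Added example; not AhnLab's or Emerging Threats' code. Log format, hosts and
thresholds are constructed for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed proxy log: "<ISO timestamp> <src> <dst host> <method> <path> <bytes sent>"
SAMPLE_LOG = """\
2025-03-24T10:00:00 10.0.0.5 cdn.example-internal.test GET /index.html 512
2025-03-24T10:00:03 10.0.0.5 exfil.placeholder.invalid POST /upload 184320
2025-03-24T10:00:04 10.0.0.5 exfil.placeholder.invalid POST /upload 221184
2025-03-24T10:00:06 10.0.0.5 exfil.placeholder.invalid POST /upload 196608
2025-03-24T10:00:07 10.0.0.5 exfil.placeholder.invalid POST /upload 204800
2025-03-24T10:01:00 10.0.0.7 c2.placeholder.invalid POST /index.php 96
2025-03-24T10:02:00 10.0.0.7 c2.placeholder.invalid POST /index.php 96
2025-03-24T10:03:01 10.0.0.7 c2.placeholder.invalid POST /index.php 96
2025-03-24T10:04:00 10.0.0.7 c2.placeholder.invalid POST /index.php 96
2025-03-24T10:04:59 10.0.0.7 c2.placeholder.invalid POST /index.php 96
2025-03-24T10:06:00 10.0.0.7 c2.placeholder.invalid POST /index.php 96
2025-03-24T10:00:10 10.0.0.9 mail.example-internal.test POST /owa/ 40960
2025-03-24T10:20:00 10.0.0.9 mail.example-internal.test POST /owa/ 20480
"""

EXFIL_WINDOW_S = 60         # assumed: look for bursts inside one minute
EXFIL_MIN_BYTES = 500_000   # assumed: total POST bytes in the window
EXFIL_MIN_POSTS = 3         # assumed: minimum POST count in the window
BEACON_MIN_CONNS = 5        # assumed: need enough intervals to judge regularity
BEACON_MAX_CV = 0.2         # assumed: coefficient of variation of the intervals

Record = Tuple[float, str, int]  # (epoch seconds, method, bytes sent)


def parse_log(text: str) -> Dict[Tuple[str, str], List[Record]]:
    """Group records by (source, destination host), sorted by time."""
    flows: Dict[Tuple[str, str], List[Record]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, _path, nbytes = line.split()
        epoch = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
        flows[(src, dst)].append((epoch, method, int(nbytes)))
    for records in flows.values():
        records.sort()
    return flows


def detect_exfil(records: List[Record]) -> int:
    """Largest POST byte total inside any EXFIL_WINDOW_S window that meets the thresholds, else 0."""
    posts = [(t, b) for t, m, b in records if m == "POST"]
    best = start = 0
    for end in range(len(posts)):
        while posts[end][0] - posts[start][0] > EXFIL_WINDOW_S:
            start += 1
        window = posts[start:end + 1]
        total = sum(b for _, b in window)
        if len(window) >= EXFIL_MIN_POSTS and total >= EXFIL_MIN_BYTES:
            best = max(best, total)
    return best


def detect_beacon(records: List[Record]) -> Optional[float]:
    """Mean interval in seconds when the connections are regular enough to look like a beacon."""
    times = [t for t, _, _ in records]
    if len(times) < BEACON_MIN_CONNS:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return round(mean, 1) if statistics.pstdev(gaps) / mean <= BEACON_MAX_CV else None


def analyze(text: str) -> Dict[str, list]:
    """Run both detectors over every (src, dst) flow in the log."""
    result: Dict[str, list] = {"exfil": [], "beacons": []}
    for (src, dst), records in parse_log(text).items():
        total = detect_exfil(records)
        if total:
            result["exfil"].append((src, dst, total))
        period = detect_beacon(records)
        if period is not None:
            result["beacons"].append((src, dst, period))
    return result


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The mail host shows that volume alone is not enough: two legitimate POSTs totalling 60 KB twenty minutes apart trigger neither rule. The beacon check uses the coefficient of variation rather than a fixed interval, so it is indifferent to the actual period and only fails on heavy jitter, which is the evasion a tuned loader would add.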
## Related Tools/Techniques
- Other loaders/droppers often used in conjunction with Amadey.
---
# Tool/Technique: CVE-Specific Vulnerabilities (Wazuh, xml-crypto, Ncast DVR, Edimax, PandoraFMS, MegaRAC)
## Overview
This section covers detections related to specific, named vulnerabilities found in various software platforms, often targeted by web application exploits.
## Technical Details
- Type: Vulnerabilities being actively exploited (via network connection or payload delivery)
- Platform: Specific software targets (Wazuh, Node.js/xml-crypto, Ncast DVR, Edimax IC-7100, PandoraFMS, MegaRAC)
- Capabilities: Exploitation leading to unhandled exceptions, command injection, authentication bypass, or denial of service.
- Detection Focus: Snort rules matching exploit payloads for the specific CVEs.
## MITRE ATT&CK Mapping (General for CVEs)
- T1190 - Exploit Public-Facing Application
## Functionality
- **Auth Bypass/Injection:** Bypassing login mechanisms or injecting OS commands into application inputs.
## Indicators of Compromise
- Network Indicators: Snort rules detect the specific attack strings or structural elements characteristic of each CVE's exploit.
## Associated Threat Actors
- Vulnerability scanners, automated worms, or threat actors actively exploiting publicly disclosed flaws.
## Detection Methods
- Network Signature: Snort rules specific to each named CVE/product combination.
## Mitigation Strategies
- **Patching:** Applying security updates for the specific CVEs mentioned (e.g., CVE-2025-24016, CVE-2025-29774, etc.).
- Ensuring input validation and least privilege access for web applications.
## Related Tools/Techniques
- Exploit frameworks (e.g., Metasploit modules targeting these CVEs).