The following is the information on Yara and Snort rules (week 1, August 2024) collected and shared by the AhnLab TIP service.

26 YARA Rules

Detection name
Description
Source

PK_A1_webmail
Phishing Kit impersonating A1.net webmail
https://github.com/t4d/PhishingKit-Yara-Rules

PK_CitiBank_imgamerzchoices
Phishing Kit impersonating Citi Bank
https://github.com/t4d/PhishingKit-Yara-Rules

PK_ING_alexronyy
Phishing Kit impersonating ING bank
https://github.com/t4d/PhishingKit-Yara-Rules

PK_NAB_otp
Phishing Kit impersonating National Australia Bank (NAB)
https://github.com/t4d/PhishingKit-Yara-Rules

PK_TaiwanPost_alfabrabus
Phishing Kit impersonating Taiwan POST
https://github.com/t4d/PhishingKit-Yara-Rules

MAL_Go_Modbus_Jul24_1
Detects characteristics reported by Dragos for FrostyGoop ICS malware
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_ScheduledTask_Loader
Detects a scheduled task loader used by Andariel
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_KaosRAT_Yamabot
Detects the KaosRAT variant
https://github.com/Neo23x0/signature-base

MAL_APT_NK_TriFaux_EasyRAT_JUPITER
Detects a variant of the EasyRAT malware family
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_CutieDrop_MagicRAT
Detects the MagicRAT variant used by Andariel
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_HHSD_FileTransferTool
Detects a variant of the HHSD File Transfer Tool
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_Atharvan_3RAT
Detects a variant of the Atharvan 3RAT malware family
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_LilithRAT_Variant
Detects a variant of the Lilith RAT malware family
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_SocksTroy_Strings_OpCodes
Detects a variant of the SocksTroy malware family
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_Agni
Detects samples of the Agni malware family
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_GoLang_Validalpha_Handshake
Detects a variant of the GoLang Validalpha malware
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_GoLang_Validalpha_Tasks
Detects a variant of the GoLang Validalpha malware
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_GoLang_Validalpha_BlackString
Detects a variant of the GoLang Validalpha malware based on a file path found in the samples
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_ELF_Backdoor_Fipps
Detects a Linux backdoor named Fipps used by Andariel
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_BindShell
Detects a BindShell used by Andariel
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_Grease2
Detects the Grease2 malware family used by Andariel
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_NoPineapple_Dtrack_Unpacked
Detects the Dtrack variant used by Andariel
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_DTrack_Unpacked
Detects DTrack variant used by Andariel
https://github.com/Neo23x0/signature-base

MAL_APT_NK_Andariel_TigerRAT_Crowdsourced_Rule
Detects the Tiger RAT variant used by Andariel
https://github.com/Neo23x0/signature-base

MAL_APT_NK_WIN_Tiger_RAT_Auto
Detects the Tiger RAT variant used by Andariel
https://github.com/Neo23x0/signature-base

MAL_APT_NK_WIN_DTrack_Auto
Detects DTrack variant used by Andariel
https://github.com/Neo23x0/signature-base

13 Snort Rules

Detection name
Source

ET TROJAN UNK_HamsaHatef Related URI
https://rules.emergingthreatspro.com/open/

ET TROJAN Daolpu Stealer Data Exfiltration Attempt
https://rules.emergingthreatspro.com/open/

ET TROJAN Lumma Stealer CnC Host Checkin
https://rules.emergingthreatspro.com/open/

ET TROJAN APT Related URI in HTTP Request
https://rules.emergingthreatspro.com/open/

ET WEB_SPECIFIC_APPS Openmediavault Crontab Manipulation Remote Code Execution/Privilege Escalation (CVE-2013-3652)
https://rules.emergingthreatspro.com/open/

ET TROJAN ASYNC RAT Payload Inbound
https://rules.emergingthreatspro.com/open/

ET TROJAN Observed Malicious SSL Cert (Pantegana Botnet RAT)
https://rules.emergingthreatspro.com/open/

ET TROJAN Win32/Rhadamanthys CnC Activity (GET)
https://rules.emergingthreatspro.com/open/

ET TROJAN JaskaGO Infrastructure Observed Inbound
https://rules.emergingthreatspro.com/open/

ET TROJAN JaskaGO CnC Activity (GET)
https://rules.emergingthreatspro.com/open/

ET TROJAN JaskaGO CnC Server Response
https://rules.emergingthreatspro.com/open/

ET TROJAN PrivateLoader CnC Activity (GET)
https://rules.emergingthreatspro.com/open/

ET TROJAN PrivateLoader CnC Activity (POST)
https://rules.emergingthreatspro.com/open/

 

2024-08_ASEC_Notes_1_snort.rules

2024-08_ASEC_Notes_1.yar

Article Link: Weekly Detection Rule (YARA and Snort) Information – Week 1, August 2024 – ASEC
