The following are the YARA and Snort rules (week 1, August 2024) collected and shared by the AhnLab TIP service.
26 YARA Rules

| Detection name | Description | Source |
|---|---|---|
| PK_A1_webmail | Phishing Kit impersonating A1.net webmail | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_CitiBank_imgamerzchoices | Phishing Kit impersonating Citi Bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_ING_alexronyy | Phishing Kit impersonating ING bank | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_NAB_otp | Phishing Kit impersonating National Australia Bank (NAB) | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_TaiwanPost_alfabrabus | Phishing Kit impersonating Taiwan POST | https://github.com/t4d/PhishingKit-Yara-Rules |
| MAL_Go_Modbus_Jul24_1 | Detects characteristics reported by Dragos for FrostyGoop ICS malware | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_ScheduledTask_Loader | Detects a scheduled task loader used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_KaosRAT_Yamabot | Detects the KaosRAT variant | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_TriFaux_EasyRAT_JUPITER | Detects a variant of the EasyRAT malware family | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_CutieDrop_MagicRAT | Detects the MagicRAT variant used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_HHSD_FileTransferTool | Detects a variant of the HHSD File Transfer Tool | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_Atharvan_3RAT | Detects a variant of the Atharvan 3RAT malware family | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_LilithRAT_Variant | Detects a variant of the Lilith RAT malware family | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_SocksTroy_Strings_OpCodes | Detects a variant of the SocksTroy malware family | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_Agni | Detects samples of the Agni malware family | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_GoLang_Validalpha_Handshake | Detects a variant of the GoLang Validalpha malware | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_GoLang_Validalpha_Tasks | Detects a variant of the GoLang Validalpha malware | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_GoLang_Validalpha_BlackString | Detects a variant of the GoLang Validalpha malware based on a file path found in the samples | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_ELF_Backdoor_Fipps | Detects a Linux backdoor named Fipps used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_BindShell | Detects a BindShell used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_Grease2 | Detects the Grease2 malware family used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_NoPineapple_Dtrack_Unpacked | Detects the Dtrack variant used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_DTrack_Unpacked | Detects a DTrack variant used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_Andariel_TigerRAT_Crowdsourced_Rule | Detects the Tiger RAT variant used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_WIN_Tiger_RAT_Auto | Detects the Tiger RAT variant used by Andariel | https://github.com/Neo23x0/signature-base |
| MAL_APT_NK_WIN_DTrack_Auto | Detects a DTrack variant used by Andariel | https://github.com/Neo23x0/signature-base |
13 Snort Rules

| Detection name | Source |
|---|---|
| ET TROJAN UNK_HamsaHatef Related URI | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Daolpu Stealer Data Exfiltration Attempt | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Lumma Stealer CnC Host Checkin | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN APT Related URI in HTTP Request | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Openmediavault Crontab Manipulation Remote Code Execution/Privilege Escalation (CVE-2013-3652) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN ASYNC RAT Payload Inbound | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Observed Malicious SSL Cert (Pantegana Botnet RAT) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Win32/Rhadamanthys CnC Activity (GET) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN JaskaGO Infrastructure Observed Inbound | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN JaskaGO CnC Activity (GET) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN JaskaGO CnC Server Response | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN PrivateLoader CnC Activity (GET) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN PrivateLoader CnC Activity (POST) | https://rules.emergingthreatspro.com/open/ |
2024-08_ASEC_Notes_1_snort.rules
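Before loading a weekly drop like this into a scanner or sensor, a practitioner will want to confirm that the attached .yar and .rules files actually carry the 26 and 13 rule names listed above and that nothing extra or duplicated slipped in. The script below is an added example, not code from ASEC, AhnLab TIP, or the linked rule repositories: it extracts rule names from constructed stand-ins for the two attachment files and diffs them against the published list, also flagging SIDs reused by more than one active rule. The rule bodies, the placeholder SIDs, and the three-of-26 / two-of-13 subsets used as the expected list are assumptions made for the example.

```python
"""Inventory check for a weekly YARA/Snort rule drop.

Added example, not code from ASEC, AhnLab TIP or the rule repositories linked
above. It extracts rule names from a .yar file and a .rules file and diffs them
against the names published for the week, so a truncated download, a renamed
rule or a reused SID is caught before the files are loaded into a scanner or
sensor. The rule bodies and SIDs below are constructed placeholders.
"""
import re

# Three of the 26 YARA names and two of the 13 Snort names listed above (subset by assumption).
EXPECTED_YARA = {
    "PK_A1_webmail",
    "MAL_Go_Modbus_Jul24_1",
    "MAL_APT_NK_Andariel_ELF_Backdoor_Fipps",
}
EXPECTED_SNORT = {
    "ET TROJAN Lumma Stealer CnC Host Checkin",
    "ET TROJAN PrivateLoader CnC Activity (POST)",
}

# Constructed stand-in for 2024-08_ASEC_Notes_1.yar: same rule names, placeholder bodies.
SAMPLE_YAR = r'''
rule PK_A1_webmail : phishing {
    meta:
        description = "Phishing Kit impersonating A1.net webmail"
        reference   = "https://github.com/t4d/PhishingKit-Yara-Rules"
    strings:
        $s1 = "placeholder"
    condition:
        $s1
}

/* rule inside_block_comment { condition: false } */

private rule MAL_Go_Modbus_Jul24_1
{
    condition:
        false
}

// rule inside_line_comment { condition: false }

rule MAL_APT_NK_Andariel_ELF_Backdoor_Fipps {
    condition: false
}
'''

# Constructed stand-in for 2024-08_ASEC_Notes_1_snort.rules; SIDs are placeholders
# from the local range (>= 1000000), not the real ET Open SIDs.
SAMPLE_RULES = r'''
# commented-out rules must not count as active
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Lumma Stealer CnC Host Checkin"; flow:established,to_server; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PrivateLoader CnC Activity (POST)"; flow:established,to_server; sid:1000002; rev:1;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Disabled Example"; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Stray Rule With Reused SID"; sid:1000001; rev:1;)
'''

# "rule NAME", optionally preceded by private/global, anchored at line start so
# that "// rule ..." line comments never match.
_YARA_RULE = re.compile(
    r'^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_][A-Za-z0-9_]*)', re.M)
_YARA_BLOCK_COMMENT = re.compile(r'/\*.*?\*/', re.S)

# Active rule line: action keyword, then msg:"..." (escaped quotes allowed), then sid:N.
_SNORT_RULE = re.compile(
    r'^[ \t]*(?:alert|drop|reject|pass|log)\b[^\n]*?\bmsg:\s*"((?:[^"\\]|\\.)*)"'
    r'[^\n]*?\bsid:\s*(\d+)', re.M)


def yara_rule_names(text):
    """Return the rule identifiers declared in YARA source, in file order."""
    text = _YARA_BLOCK_COMMENT.sub('', text)
    return [m.group(1) for m in _YARA_RULE.finditer(text)]


def snort_rules(text):
    """Return (msg, sid) pairs for the active (non-commented) rules in a .rules file."""
    return [(m.group(1), int(m.group(2))) for m in _SNORT_RULE.finditer(text)]


def check_inventory(expected, found):
    """Diff the published name list against the names found in the file.

    Returns (missing, unexpected): missing names mean an incomplete file,
    unexpected names mean a renamed rule or something that should not ship.
    """
    found = set(found)
    return sorted(expected - found), sorted(found - expected)


def duplicate_sids(rules):
    """SIDs used by more than one active rule; a sensor rejects or skips these at load time."""
    counts = {}
    for _msg, sid in rules:
        counts[sid] = counts.get(sid, 0) + 1
    return sorted(sid for sid, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("YARA  missing/unexpected:", check_inventory(EXPECTED_YARA, yara_rule_names(SAMPLE_YAR)))
    rules = snort_rules(SAMPLE_RULES)
    print("Snort missing/unexpected:", check_inventory(EXPECTED_SNORT, [m for m, _ in rules]))
    print("Reused SIDs:", duplicate_sids(rules))
```

To run it against the real attachments, read the two files in place of SAMPLE_YAR and SAMPLE_RULES and fill EXPECTED_YARA and EXPECTED_SNORT from the full tables above. A non-empty missing list means the download was truncated or a rule was dropped; a non-empty unexpected list usually means a rule was renamed upstream after the page was published, which matters because detection names are what analysts pivot on in alerts.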
Article Link: Weekly Detection Rule (YARA and Snort) Information – Week 1, August 2024 – ASEC
2024-08_ASEC_Notes_1.yar