Weekly Detection Rule (YARA and Snort) Information – Week 2, August 2024

The following is the information on Yara and Snort rules (week 2, August 2024) collected and shared by the AhnLab TIP service.

  • 7 YARA Rules

| Detection name | Description | Source |
|---|---|---|
| PK_DocuSign_dong | Phishing kit impersonating DocuSign | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_GECU_z118 | Phishing kit impersonating GECU Credit Union | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_GarantiBBVA_Turkey | Phishing kit impersonating Garanti BBVA Turkey | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Netflix_ug3yo | Phishing kit impersonating Netflix | https://github.com/t4d/PhishingKit-Yara-Rules |
| PK_Wallets_imp | Phishing kit impersonating several wallet providers | https://github.com/t4d/PhishingKit-Yara-Rules |
| ByteCode_MSIL_Backdoor_NjRAT | YARA rule that detects the NjRAT backdoor | https://github.com/reversinglabs/reversinglabs-yara-rules |
| Linux_Trojan_ChinaZ | YARA rule that detects the ChinaZ trojan | https://github.com/reversinglabs/reversinglabs-yara-rules |
  • 10 Snort Rules

| Detection name | Source |
|---|---|
| ET TROJAN EncryptHub Stealer Host Details Exfil via Telegram (POST) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN 9002 RAT CnC Activity (POST) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN PshellBkdr C2 Traffic Known Authorization Bearer in HTTP Request (POST) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Specula Framework CnC Activity (POST) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Specula Framework CnC Activity (GET) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN CHM Stealer CnC Host Profile Exfil (POST) | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Crimson RAT CnC Activity (Inbound) M1 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Crimson RAT CnC Activity (Inbound) M2 | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Crimson RAT CnC Victim Details Exfil | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN APT SideWinder CnC Domain in DNS Lookup | https://rules.emergingthreatspro.com/open/ |

Article Link: Weekly Detection Rule (YARA and Snort) Information – Week 2, August 2024 – ASEC