Community Review - April 8, 2024

Greetings all - time for some shout-outs to those researchers, industry partners, and public intel disclosures that’ve helped us research, analyze, and write our #IDS rules for #snort and suricata as part of etopen! Here’s only a few that’ve contributed…

From @BlackLotusLabs, their writeup on #TheMoon malware targeting EoL’d home networking equipment and IoT devices - SID 2051806 fires on an outbound check-in from a compromised device - byte pattern modeled on the network traffic showcased in the blog:

SID 2051842 comes from this @cyfirma research for #Sync-#Scheduler #Stealer activity - data is exfiltrated in the #POST request in the form of ‘form-data’ to the malicious receiver site.


Our friend @Jane0sint tips #Konni #APT exfiltration domains in this tweet and @anyrun_app sandbox share - SIDs 2051888 and 2051889 (the DNS query alert and the TLS handshake to the host) will fire!
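For anyone newer to the ruleset wondering why a domain gets a pair of SIDs like the Konni ones above, here is an added, constructed illustration of that DNS-query plus TLS-SNI pairing; it is not the actual ET Konni rules (pull those from etopen), and the placeholder domain and local-range SIDs are assumptions:

```suricata
# Constructed example only: placeholder domain and local-range SIDs, not ET's Konni signatures.
# Rule 1: fire on any DNS lookup of the domain, catching the resolution before a connection is ever made.
# dotprefix + endswith match the apex and any subdomain without matching unrelated names that merely end in the same string.
alert dns $HOME_NET any -> any any (msg:"LOCAL DNS Query to suspected exfil domain (example-exfil.invalid)"; dns.query; dotprefix; content:".example-exfil.invalid"; endswith; nocase; classtype:trojan-activity; sid:1000001; rev:1;)
# Rule 2: fire on the TLS ClientHello when the client names the host in SNI.
# This catches hosts that resolved the name earlier (cached) or via a resolver the sensor does not see, so the DNS rule alone would miss them.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL TLS SNI to suspected exfil domain (example-exfil.invalid)"; tls.sni; dotprefix; content:".example-exfil.invalid"; endswith; nocase; classtype:trojan-activity; sid:1000002; rev:1;)
```

Seeing both SIDs from the same host in short order is the stronger signal; the DNS alert alone can also come from a sandbox, a threat-intel lookup, or a resolver pre-fetch.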

An @eSentire #parallax #checkin is modeled for alerting in SID 2051947 - our reference samples for this cracked #RAT alert on its outbound traffic.

And lastly, a couple shout-outs on the homefront - this @threatinsight blog not only features valuable threat research on #Latrodectus #loader activity as identified within email threat campaigns, but the referenced etopen signatures (on domains, GET/POST, and other related activity) will help keep you alerted to this activity within your protected networks.

And (literally) even closer to home - beware of game cracks hawked on YouTube - the @threatinsight team has identified multiple cases where channels promote quick wins via cracks and pirated downloads that end up in Vidar and #Lumma #stealer malware infections! Check out the referenced etopen SIDs as well!

Thanks from all of us, folks - have a great week.
