Community Review - March 22, 2024

Greetings all - we really value the #infosec #community that allows us to create detections and protections as part of etopen! So many people contribute by tagging us here on Twitter or posting at our community site (community.emergingthreats.net) - and we want to shine some light on them in thanks!

Here’s @Gi7w0rm tipping us off, via @JustWantToQ1, to C2 IPs which led back to a hash context, which in turn allowed us to alert on #DaoDao Cloud Loader C2 outbound (2051640) and response (2051639) traffic, with a handy literal in there as a diagnostic:


This @tosscoinwitcher tweet and Hatching sandbox run not only gave us some #DarkGate-related domain alerts for DNS queries (2051645-2051646) and some SNI signatures alerting on the TLS handshake to identified hosts (2051655-2051660, 2051662-2051663), but also inbound payload (2051664) and outbound C2 activity (2051661) as well!

From @kevross33 here on our #Discourse #community site, two rule additions on #BunnyLoader - check out how easy it is to contribute to our free etopen ruleset! We QA these rules just the same as etpro and host them to help people protect their information assets and networks.

And a couple more as well - look at this thread and the comments to see how the ET team analyzes these submissions and will work with you to bring your submission into the ruleset!

Friend @bushidotoken’s blog here on #UAC-0050, a threat actor targeting government agencies in Ukraine, allowed us to write out alerts for some actor-controlled domains (2051626-2051629) and TLS SNI alerts (2051630-2051633) on the same. Take a look at this comprehensive writeup:

From this @morphisec blog - #HijackLoader (#IDAT) uses #steganography to evade detection by hiding the payload within an embedded PNG - SID 2051761 fires on the retrieval of that image!

This @malwrhunterteam tweet and hash led to analysis feeding SID 2051697 - it alerts on #FakeUnity #Lazarus #SPT (h/t @JAMESWT_MHT & @smica83) C2 traffic outbound from a compromised host. Kudos to Namecheap for suspending the identified domain! We’re all in this together.

SIDs 2051751 and 2051752 alert on DNS lookups for, and connections to, fake #Crypto investing domains reached via a malicious #calendly link, as described in this writeup shared by @briankrebs:

And lastly, on the home front, check out @Myrtus0x0 here on the #Proofpoint #Discarded podcast this week:

“A Trip Down Malware Lane: How Today’s Hottest Malware Stacks Up Against Predecessors” by Proofpoint via #spreaker

As well as our latest @threatinsight blog:

Take care all - enjoy your weekend and be well.