Community Review - March 8, 2024

Hello and welcome back to the end of another week here! As we spend our time researching, writing, testing, curating, and releasing these protections we want to call out those researchers and industry entities that’ve been kind enough to share their great work and intelligence that have helped us so much. What a great community!

A reminder: these are ET Open rules. They’re free for your use: Proofpoint Emerging Threats Rules. They’re BSD licensed, which allows you to do what you like with them! Just remember to give us feedback on twitter, at support(at)emergingthreats(dot)net, or here on our Discourse (community.emergingthreats.net).

Friend @viriback chimed into our ET Discord (DM for an invite!) with a Hatching Triage run for a #Loader that we ended up calling #MarioLoader - we were able to write signatures for the outbound C2 (SIDs 2051119 & 2051120) as well as a GET payload request (2051120)


From this @StratosphereIPS blog (the power of interns!) - a comprehensive rundown of #PyRation #bot actions which allowed us to provide signature coverage on multiple activities: incoming command to client (2051079), action sent inbound (2051080), configuration incoming (2051081), & outbound config request (2051082)

From @jpcert_en #JPCERT, a writeup on #Lazarus malicious Python packages and their malicious network activity capabilities - from it we got some #IOC for the malicious domains involved (SIDs 2051150-2051152) as well as a #Comebacker outbound POST alert (2051149) firing on the observed HTTP request!

Friend @suyog41 provides hashes on #Ducktail #APT - analysis rendered not only the (currently) involved domains (2051141-2051148) but some sturdy patterns for us to alert on C2 activity (2051140) based on the user agent used & URI content.

We love our community posts - here @Jane0sint tips us off to malicious #Impacket use - we’ve seen this in concert with recent #CVE exploits for #NTLM hash exfil/harvesting via SMB. SID 2051432 detects SMB responses from impacket, which can be fingerprinted by its use of a default server GUID (all A’s). This is an INFO sig - it provides context alongside other alerts & activity and is NOT necessarily indicative of ‘badness’ in isolation (an authorized pentester running an impacket share will trigger it just the same).
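As an added illustration of that fingerprint (example code written for this post, not the ET rule itself and not impacket’s own code): the check below builds a constructed SMB2 NEGOTIATE response, parses it per the MS-SMB2 2.2.4 layout, and flags a ServerGuid made of sixteen 0x41 bytes. The assumption that the "all A’s" GUID lives in the SMB2 NEGOTIATE response ServerGuid field is ours; the frames are hand-built, not captured.

```python
import struct

# Added example, not the ET rule or impacket's own code. Frames below are
# constructed by hand from the MS-SMB2 layout, not captured from a network.

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000                    # Command value for NEGOTIATE
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001    # set on responses
SMB2_HEADER_LEN = 64
NEGOTIATE_RESP_FIXED_LEN = 64              # fixed part of the 2.2.4 body
IMPACKET_DEFAULT_GUID = b"A" * 16          # assumption: the "all A's" GUID from the post


def build_negotiate_response(server_guid: bytes, dialect: int = 0x0302) -> bytes:
    """Build a minimal SMB2 NEGOTIATE response with a NetBIOS session header (TCP/445 framing)."""
    if len(server_guid) != 16:
        raise ValueError("ServerGuid must be 16 bytes")
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, SMB2_HEADER_LEN, 0, 0,                 # ProtocolId, StructureSize, CreditCharge, Status
        SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR, 0,  # Command, Credits, Flags, NextCommand
        0, 0, 0, 0, b"\x00" * 16,                          # MessageId, Reserved, TreeId, SessionId, Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, 1, dialect, 0, server_guid,                    # StructureSize, SecurityMode, Dialect, ContextCount, ServerGuid
        0, 0x800000, 0x800000, 0x800000,                   # Capabilities, MaxTransact, MaxRead, MaxWrite
        0, 0,                                              # SystemTime, ServerStartTime (placeholders)
        SMB2_HEADER_LEN + NEGOTIATE_RESP_FIXED_LEN, 0, 0,  # SecurityBufferOffset/Length, NegotiateContextOffset
    )
    smb = header + body
    return struct.pack(">I", len(smb)) + smb               # NBSS type 0x00 + 24-bit length


def parse_smb2_negotiate_response(data: bytes):
    """Return the ServerGuid if `data` is an SMB2 NEGOTIATE response, else None."""
    if len(data) >= 8 and data[0] == 0x00 and data[4:8] == SMB2_MAGIC:
        data = data[4:]                                    # strip NetBIOS session header if present
    if len(data) < SMB2_HEADER_LEN + NEGOTIATE_RESP_FIXED_LEN or data[:4] != SMB2_MAGIC:
        return None
    hdr_size, = struct.unpack_from("<H", data, 4)
    command, = struct.unpack_from("<H", data, 12)
    flags, = struct.unpack_from("<I", data, 16)
    body_size, = struct.unpack_from("<H", data, SMB2_HEADER_LEN)
    if hdr_size != SMB2_HEADER_LEN or command != SMB2_NEGOTIATE:
        return None
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR or body_size != 65:
        return None                                        # a NEGOTIATE request has no response flag and StructureSize 36
    return data[SMB2_HEADER_LEN + 8 : SMB2_HEADER_LEN + 24]  # ServerGuid follows four uint16 fields


def is_impacket_smbserver(data: bytes) -> bool:
    """True when the frame is a NEGOTIATE response carrying the all-'A' ServerGuid.
    Context only: an authorized pentester's impacket share matches exactly like an attacker's."""
    return parse_smb2_negotiate_response(data) == IMPACKET_DEFAULT_GUID


# Constructed samples: one impacket-style response, one with a random-looking GUID.
IMPACKET_FRAME = build_negotiate_response(IMPACKET_DEFAULT_GUID)
OTHER_FRAME = build_negotiate_response(bytes.fromhex("0123456789abcdef0123456789abcdef"))

if __name__ == "__main__":
    for name, frame in (("impacket", IMPACKET_FRAME), ("other", OTHER_FRAME)):
        print(name, "->", "ALERT" if is_impacket_smbserver(frame) else "no match")
```

The parser deliberately checks the response flag and the body StructureSize (65) so that a NEGOTIATE request from a client, which shares the command value, cannot match; in an IDS rule the same narrowing is what keeps an INFO signature from firing on every SMB client on the segment.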

Also on #Discourse, @g0njxa tips research and any.run analysis for #Smartloader (shout out to @herrcore as well!) - stop by and see how 2051456 (C2 activity) and 2051455 (exfil) came to be!

Lots of #IOC rules came from this @ahnlab_secuinfo #Andariel writeup (TLS SNI & DNS domain lookup alert SIDs 2051117, 2051118, 2051134, 2051135, 2051137), as well as meaty network patterns allowing coverage thanks to @greglesnewich intel on #TA430 #AndarLoader in 2051136, 2051138-2051139, and 2051153-2051156, covering outbound and inbound #NukSped backdoor activity.

A reminder - those #IOC-based rules may not ‘live’ very long. The DNS lookup alerts and the TLS SNI signatures (which match the destination server name in the #TLS #ClientHello) point at infrastructure that is burnt to some extent once it has been published, so the etopen rules created from that published content have a shorter TTR (Time to Review) within our processes. The later rules based on the actual network activity will ‘live’ longer in the ruleset!

That’s not to discount IOC-based rules - they’re valuable! From @XForce, if SIDs 2051526-2051534 (DNS lookups) and 2051535-2051541 (TLS SNI handshake) on #FakeExt fire in your environments, it may be worth investigating in context of other received alerts. But if 2051542 (outbound exfil attempt) alerts, you should check that source host out for compromise!

This @KrollWire writeup on #ScreenConnect #CVE_2024_1708 / #CVE_2024_1709 #exploit activity details suspected #Kimsuky deploying #BabyShark malware, and we’ve got SID 2051497 alerting on an infected host’s POST to a known malicious destination.

From #Mastodon user ginkgo we’ve got a shared hash on #Bitter #APT activity with outbound #Curl grabs (2051513, 2051515) that encode the affected host in the GET URL.

Ginkgo: "#APT #Bitter 💥🇵🇰 10f4479d5f531def842a712277ae961…" - Infosec Exchange

And on the homefront, some external publications from our own @et_labs team! Check out @ishaughnessy on the latest #Discarded podcast here: Hiding In Plain Sight: Unique Methods Of C2 From Infostealers

And then read about Selena, Jake, and @dumiller battling #TA4903 on the @threatinsight blog!

That’s all folks - enjoy your weekend!