Daily Ruleset Update Summary 2022/09/15

Summary:
29 new OPEN, 33 new PRO (29 + 4). OSX/XCSSET, Windows/OriginLogger
and various Brute Ratel.

Thanks @SentinelOne

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

Added rules:

Open:

2038831 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (appledocs .ru) (malware.rules)
2038832 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (gurumades .ru) (malware.rules)
2038833 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (kinksdoc .ru) (malware.rules)
2038834 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (superdocs .ru) (malware.rules)
2038835 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (cosmodron .com) (malware.rules)
2038836 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (gismolow .com) (malware.rules)
2038837 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (melindas .ru) (malware.rules)
2038838 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (adobefile .ru) (malware.rules)
2038839 - ET MALWARE Observed DNS Query to Default Brute Ratel C2 Domain (evasionlabs .com) (malware.rules)
2038840 - ET MALWARE Brute Ratel Fake User-Agent (malware.rules)
2038841 - ET MALWARE Brute Ratel CnC Activity (xml-c2) M1 (malware.rules)
2038842 - ET MALWARE Brute Ratel CnC Activity (xml-c2) M2 (malware.rules)
2038843 - ET MALWARE Brute Ratel CnC Activity (json-c2) M1 (malware.rules)
2038844 - ET MALWARE Brute Ratel CnC Activity (json-c2) M2 (malware.rules)
2038845 - ET MALWARE Observed DNS Query to TA444 Domain (cloud .tptf .ltd) (malware.rules)
2038846 - ET MALWARE Observed DNS Query to TA444 Domain (careers .bankofamerica .nyc) (malware.rules)
2038847 - ET MALWARE Observed DNS Query to TA444 Domain (bankofamerica .offerings .cloud) (malware.rules)
2038848 - ET MALWARE Observed DNS Query to TA444 Domain (bankofamerica .tel) (malware.rules)
2038849 - ET MALWARE Observed DNS Query to TA444 Domain (cloud .mufg .uk) (malware.rules)
2038850 - ET MALWARE Observed TA444 Domain (cloud .tptf .ltd in TLS SNI) (malware.rules)
2038851 - ET MALWARE Observed TA444 Domain (bankofamerica .tel in TLS SNI) (malware.rules)
2038852 - ET MALWARE Observed TA444 Domain (cloud .mufg .uk in TLS SNI) (malware.rules)
2038853 - ET MALWARE Observed TA444 Domain (bankofamerica .offerings .cloud in TLS SNI) (malware.rules)
2038854 - ET MALWARE Observed TA444 Domain (careers .bankofamerica .nyc in TLS SNI) (malware.rules)
2038855 - ET MALWARE Windows/OriginLogger CnC Domain (originpro .me) in DNS Lookup (malware.rules)
2038856 - ET MALWARE Windows/OriginLogger CnC Domain (originproducts .xyz) in DNS Lookup (malware.rules)
2038857 - ET MALWARE Windows/OriginLogger CnC Domain (originlogger .com) in DNS Lookup (malware.rules)
2038858 - ET MALWARE Windows/OriginLogger CnC Domain (originproducts .pw) in DNS Lookup (malware.rules)
2038859 - ET MALWARE Win64/Spy.Agent.EE CnC Checkin Server Response (malware.rules)

Pro:

Modified active rules:

2839790 - ETPRO HUNTING Windows BITS UA Retrieving EXE (hunting.rules)

Disabled and modified rules:

2031428 - ET MALWARE Observed SystemBC CnC Domain in DNS Query (malware.rules)
2824419 - ETPRO MALWARE Cmstar or Etirehni or Related Implant DNS Lookup (malware.rules)