Summary:
17 new OPEN, 18 new PRO (17 + 1). DonotGroup, RecordBreaker/RaccoonV2, TA444, and Remcos.
Today we introduced a new “deployment” metadata value, “alert_only”. A rule carrying this value should not be placed in a “blocking” mode: its rule action should only ever be “alert”, and it should not be switched to a blocking action (such as “drop”) when the ruleset is deployed inline.
Population of this deployment metadata value will continue as new rules are written.
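As an added example (not part of the ET summary or of any ET tooling), the following Python script shows how an inline deployment can honour the tag: it rewrites “alert” to “drop” for the rules that may block, leaves rules tagged “deployment alert_only” on “alert”, and reports any tagged rule that already carries a blocking action. The sample rules, their SIDs, domains and metadata values are constructed for illustration only; the metadata syntax (comma-separated “key value” pairs inside “metadata:”) follows the ET convention, and the exact spelling “deployment alert_only” is assumed from the description above.

```python
import re

# Constructed sample rules for illustration only: the SIDs, domains and
# payload matches are made up and are not ET's rules. Metadata follows the
# ET convention of comma-separated "key value" pairs inside "metadata:".
# The "deployment alert_only" spelling is assumed from the summary text.
SAMPLE_RULES = """\
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Example Domain in DNS Lookup (example .invalid)"; dns.query; content:"example.invalid"; nocase; classtype:trojan-activity; sid:9000001; rev:1; metadata:deployment Perimeter, deployment alert_only, created_at 2022_09_29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Example CnC Checkin"; flow:established,to_server; http.method; content:"POST"; classtype:command-and-control; sid:9000002; rev:1; metadata:deployment Perimeter, created_at 2022_09_29;)
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Example Domain in TLS SNI"; tls.sni; content:"example.invalid"; classtype:trojan-activity; sid:9000003; rev:1; metadata:deployment alert_only, created_at 2022_09_29;)
# comment lines and blank lines are passed through untouched
"""

# Action keyword at the start of a rule, then the rest of the rule up to the
# closing parenthesis of the option list.
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)"
    r"\s+(?P<rest>\S.*\(.*\))$"
)
METADATA_RE = re.compile(r"\bmetadata:\s*([^;]*);")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
BLOCKING_ACTIONS = {"drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}


def parse_metadata(rule):
    """Return the rule's metadata as {key: [value, ...]}.

    A key such as "deployment" may appear more than once, so every value
    is kept rather than the last one winning."""
    meta = {}
    m = METADATA_RE.search(rule)
    if not m:
        return meta
    for pair in m.group(1).split(","):
        pair = pair.strip()
        if not pair:
            continue
        key, _, value = pair.partition(" ")
        meta.setdefault(key, []).append(value.strip())
    return meta


def is_alert_only(rule):
    """True when the rule carries the "deployment alert_only" tag."""
    return "alert_only" in parse_metadata(rule).get("deployment", [])


def rule_sid(rule):
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def convert_to_ips(rules_text):
    """Prepare a ruleset for inline (blocking) use.

    Rules that may block get their action changed from alert to drop.
    Rules tagged alert_only keep (or are forced back to) the alert action.
    Returns (converted_text, violations) where violations lists the SIDs
    of alert_only rules that arrived with a blocking action already set."""
    out, violations = [], []
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = RULE_RE.match(stripped)
        if not stripped or stripped.startswith("#") or not m:
            out.append(line)          # comments, blanks, unparsable lines
            continue
        action, rest = m.group("action"), m.group("rest")
        if is_alert_only(stripped):
            if action in BLOCKING_ACTIONS:
                violations.append(rule_sid(stripped))
                out.append("alert " + rest)   # force the rule back to alert
            else:
                out.append(line)
        elif action == "alert":
            out.append("drop " + rest)        # ordinary rule: allowed to block
        else:
            out.append(line)                  # pass/drop/reject left as written
    return "\n".join(out), violations


def rule_actions(rules_text):
    """Map SID -> action for every parsable rule, for review of the result."""
    actions = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            actions[rule_sid(line)] = m.group("action")
    return actions


if __name__ == "__main__":
    converted, bad = convert_to_ips(SAMPLE_RULES)
    print(converted)
    print("alert_only rules that carried a blocking action:", bad)
```

The violation list is the check worth keeping in a deployment pipeline: a rule tagged alert_only that has been switched to drop (by a local override, a conversion script, or a merge of rule sources) is exactly the condition the tag exists to prevent, so it should fail the build rather than be silently repaired.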
Added rules:
Open:
2038913 - ET MALWARE DonotGroup Activity (GET) (malware.rules)
2038914 - ET MALWARE DonotGroup Related Domain in DNS Lookup (furnish .spacequery .live) (malware.rules)
2038915 - ET MALWARE Observed DonotGroup Related Domain (furnish .spacequery .live in TLS SNI) (malware.rules)
2038916 - ET MALWARE Win32/RecordBreaker - Observed UA M3 (TakeMyPainBack) (malware.rules)
2038917 - ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response M2 (malware.rules)
2038918 - ET MALWARE Win32/Cryptbotv2 Activity (POST) (malware.rules)
2038919 - ET MALWARE Observed DNS Query to TA444 Domain (docuprivacy .com) (malware.rules)
2038920 - ET MALWARE Observed DNS Query to TA444 Domain (share .anobaka .info) (malware.rules)
2038921 - ET MALWARE Observed DNS Query to TA444 Domain (privacysign .org) (malware.rules)
2038922 - ET MALWARE Observed DNS Query to TA444 Domain (ms .onlineshares .cloud) (malware.rules)
2038923 - ET MALWARE Observed DNS Query to TA444 Domain (team .msteam .biz) (malware.rules)
2038924 - ET MALWARE Observed DNS Query to TA444 Domain (mizuhogroup .us) (malware.rules)
2038925 - ET MALWARE Observed DNS Query to TA444 Domain (docs .azurehosting .co) (malware.rules)
2038926 - ET MALWARE Observed DNS Query to TA444 Domain (tptf .fund) (malware.rules)
2038927 - ET MALWARE Observed DNS Query to TA444 Domain (perseus .bond) (malware.rules)
2038928 - ET MALWARE Observed DNS Query to TA444 Domain (smbcgroup .us) (malware.rules)
2038929 - ET MALWARE Observed DNS Query to TA444 Domain (tptf .cloud) (malware.rules)
Pro:
2852394 - ETPRO MALWARE Win32/Remcos RAT Checkin 837 (malware.rules)
Modified active rules:
2012252 - ET SHELLCODE Common 0a0a0a0a Heap Spray String (shellcode.rules)
2035463 - ET INFO Observed Discord Domain (discord .com in TLS SNI) (info.rules)
2035464 - ET INFO Observed Discord Domain (discordapp .com in TLS SNI) (info.rules)
2035465 - ET INFO Observed Discord Domain in DNS Lookup (discord .com) (info.rules)
2035466 - ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) (info.rules)
2036269 - ET ADWARE_PUP Win/Malware.Filetour Variant Checkin M1 (adware_pup.rules)
2803758 - ETPRO MALWARE Covert DNS Channel Query (ipcheker .com) (malware.rules)
2038904 - ET PHISHING TA398 Phishing Kit URI Pattern M1 (phishing.rules)
2038905 - ET PHISHING TA398 Phishing Kit URI Pattern M2 (phishing.rules)
Modified inactive rules:
2015736 - ET MALWARE DNS Query to Unknown CnC DGA Domain (defmaybe .com) 09/25/12 (malware.rules)
2803759 - ETPRO MALWARE Covert DNS Channel Query (ipgreat .com) (malware.rules)
2849665 - ETPRO HUNTING Observed Suspicious URI Structure with Common Escape Character - Possible Exploit (hunting.rules)