Daily Ruleset Update Summary 2022/10/06

Summary:

17 new OPEN, 39 new PRO (17 + 22). Covers Smokeloader, Gamaredon,
WinGo/Go-rod, Various Stealer, Win32/XWorm, and Win32/Spy.Agent.QHZ.

Thanks @Slash30Miata @AuCyble @h2jazi

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

Added rules:

Open:

2039103 - ET MALWARE Suspected Smokeloader Activity (POST) (malware.rules)
2039104 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (faristo .site) (malware.rules)
2039105 - ET MALWARE WinGo/Go-rod signInUrls Failed Data Exfiltration attempt (malware.rules)
2039106 - ET MALWARE WinGo/Go-rod moz_cookies Failed Data Exfiltration attempt (malware.rules)
2039107 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Histories Google Chrome.txt) M1 (hunting.rules)
2039108 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Histories Google Chrome.txt) M2 (hunting.rules)
2039109 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Histories Firefox.txt) M1 (hunting.rules)
2039110 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Histories Firefox.txt) M2 (hunting.rules)
2039111 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Bookmarks Firefox.txt) M1 (hunting.rules)
2039112 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Bookmarks Firefox.txt) M2 (hunting.rules)
2039113 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Cookies Firefox.txt) M1 (hunting.rules)
2039114 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Cookies Firefox.txt) M2 (hunting.rules)
2039115 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Information.html) M1 (hunting.rules)
2039116 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Information.html) M2 (hunting.rules)
2039117 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (ProcessInfo_Log.txt) M2 (hunting.rules)
2039118 - ET HUNTING Suspicious Zipped Filename in Outbound POST Request (ProcessInfo_Log.txt) M1 (hunting.rules)
2039119 - ET MALWARE SocGholish CnC Domain in DNS Lookup (internal .blessedfoodshalalmeat .com) (malware.rules)

Pro:

2852485 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-10-06 1) (coinminer.rules)
2852486 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-10-06 2) (coinminer.rules)
2852487 - ETPRO MALWARE Win32/XWorm CnC Command (PING?) (malware.rules)
2852488 - ETPRO MALWARE Win32/XWorm CnC Command (PING!) (malware.rules)
2852489 - ETPRO MALWARE Win32/XWorm CnC Command (DDosS) (malware.rules)
2852490 - ETPRO MALWARE Win32/XWorm CnC Command (DDosT) (malware.rules)
2852491 - ETPRO MALWARE Win32/XWorm CnC Command (Cilpper) (malware.rules)
2852492 - ETPRO MALWARE Win32/XWorm CnC Command (hidefolderfile) (malware.rules)
2852493 - ETPRO MALWARE Win32/XWorm CnC Command (showfolderfile) (malware.rules)
2852494 - ETPRO MALWARE Win32/XWorm CnC Command (creatnewfolder) (malware.rules)
2852495 - ETPRO MALWARE Win32/XWorm CnC Command (creatfile) (malware.rules)
2852496 - ETPRO MALWARE Win32/XWorm CnC Command (downloadfile) (malware.rules)
2852497 - ETPRO MALWARE Win32/XWorm CnC Command (sendfileto) (malware.rules)
2852498 - ETPRO MALWARE Win32/XWorm CnC Command (DW) (malware.rules)
2852499 - ETPRO MALWARE Win32/XWorm CnC Command (RD-) (malware.rules)
2852500 - ETPRO MALWARE Win32/XWorm CnC Command (RD+) (malware.rules)
2852501 - ETPRO MALWARE Win32/XWorm CnC Command (###) (malware.rules)
2852502 - ETPRO MALWARE Win32/XWorm CnC Command ($$$) (malware.rules)
2852503 - ETPRO MALWARE Win32/XWorm CnC Command (^^^g) (malware.rules)
2852504 - ETPRO MALWARE Win32/XWorm CnC Command (ENC) (malware.rules)
2852505 - ETPRO MALWARE Win32/XWorm CnC Command (HVNC) (malware.rules)
2852506 - ETPRO MALWARE Win32/Spy.Agent.QHZ CnC Activity (malware.rules)