Ruleset Update Summary - 2022/11/22 - v10179

rulesbot · November 22, 2022, 10:16pm

Summary:

14 new OPEN, 20 new PRO (14 + 6)

Thanks @narimanGharib, @Thingzeye

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Added rules:

Open:

2039818 - ET HUNTING Redirect Link in TikTok URL (hunting.rules)
2039819 - ET MALWARE TA453 Domain in DNS Lookup (washingtonlnstitute .org) (malware.rules)
2039820 - ET MALWARE Observed TA453 Domain (washingtonlnstitute .org in TLS SNI) (malware.rules)
2039821 - ET PHISHING Generic Credential Phish Landing Page 2022-11-22 (phishing.rules)
2039822 - ET PHISHING Ulpian Credential Phish Landing Page 2022-11-22 (phishing.rules)
2039823 - ET MALWARE TA444 Domain in DNS Lookup (sharedrive .ink) (malware.rules)
2039824 - ET MALWARE TA444 Domain in DNS Lookup (dnx .capital) (malware.rules)
2039825 - ET MALWARE Observed TA453 Domain (sharedrive .ink in TLS SNI) (malware.rules)
2039826 - ET MALWARE Observed TA453 Domain (dnx .capital in TLS SNI) (malware.rules)
2039827 - ET PHISHING Successful Generic Credential OTP Phish 2022-11-22 (phishing.rules)
2039828 - ET PHISHING Successful Generic Credential Phish 2022-11-22 (phishing.rules)
2039829 - ET MOBILE_MALWARE Android/ShartBot CNC Domain (cdopea .store) in DNS Lookup (mobile_malware.rules)
2039830 - ET MALWARE SocGholish Domain in DNS Lookup (dashboard .skybacherslocker .com) (malware.rules)
2039831 - ET MALWARE SocGholish Domain in DNS Lookup (montage .travelguidediva .com) (malware.rules)

Pro:

2852842 - ETPRO MALWARE Win32/Spy.Delf Variant Sending System Information (POST) (malware.rules)
2852843 - ETPRO PHISHING Successful Generic Phish 2022-11-22 (phishing.rules)
2852844 - ETPRO PHISHING Successful National Bank of Canada Phish 2022-11-22 (phishing.rules)
2852845 - ETPRO MALWARE DonotGroup Kaspov Related UA (malware.rules)
2852846 - ETPRO MALWARE DonotGroup Kaspov Related UA (malware.rules)
2852847 - ETPRO MALWARE XWorm Short C&C Request (flowbit set) (malware.rules)

Modified active rules:

2007727 - ET P2P Possible Torrent Download via HTTP Request (p2p.rules)
2022842 - ET MALWARE ProjectSauron Remsec/HTTPBrowser/Pisloader Covert DNS CnC Channel TXT Lookup (malware.rules)
2024731 - ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (securityupdated) (malware.rules)
2026546 - ET MALWARE MICROPSIA CnC Domain Observed in SNI (samwinchester .club) (malware.rules)
2027312 - ET MALWARE AridViper CnC Domain in SNI (malware.rules)
2033822 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (ywbgrcrupasdiqxknwgceatlnbvmezti .com) (malware.rules)
2033823 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (yhgrffndvzbtoilmundkmvbaxrjtqsew .com) (malware.rules)
2033824 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (wcmbqxzeuopnvyfmhkstaretfciywdrl .name) (malware.rules)
2033825 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (ruciplbrxwjscyhtapvlfskoqqgnxevw .name) (malware.rules)
2033828 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (pdjwebrfgdyzljmwtxcoyomapxtzchvn .com) (malware.rules)
2033829 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (nfcomizsdseqiomzqrxwvtprxbljkpgd .name) (malware.rules)
2809606 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 1 (malware.rules)
2809607 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 2 (malware.rules)
2809608 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 3 (malware.rules)
2823895 - ETPRO MALWARE Chthonic TCP Domain Lookup 11 (malware.rules)
2823947 - ETPRO MALWARE Chthonic TCP Domain Lookup 12 (malware.rules)
2824072 - ETPRO MALWARE Chthonic TCP Domain Lookup 03 (malware.rules)
2824077 - ETPRO MALWARE Chthonic TCP Domain Lookup 08 (malware.rules)
2824078 - ETPRO MALWARE Chthonic TCP Domain Lookup 09 (malware.rules)
2824079 - ETPRO MALWARE Chthonic TCP Domain Lookup 10 (malware.rules)
2828182 - ETPRO MALWARE DNSMessenger/FreeMilk Payload DNS Query (malware.rules)
2831092 - ETPRO MALWARE Ursnif Inject Domain (oncofonderot .top in TLS SNI) (malware.rules)
2852499 - ETPRO MALWARE Win32/XWorm CnC Command (RD-) (malware.rules)

Removed rules:

2023022 - ET MALWARE ProjectSauron Remsec DNS Lookup (myhomemusic. com) (malware.rules)
2027628 - ET MALWARE APT33 CnC Domain in DNS Lookup (malware.rules)
2031408 - ET MALWARE Observed AridViper CnC Domain in TLS SNI (malware.rules)
2034067 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
2034068 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
2034069 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
2034070 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
2034071 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
2034073 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
2034123 - ET MALWARE Observed Elysium Stealer Domain in TLS SNI (phonefix .bar) (malware.rules)
2824070 - ETPRO MALWARE Chthonic TCP Domain Lookup 01 (malware.rules)
2824071 - ETPRO MALWARE Chthonic TCP Domain Lookup 02 (malware.rules)
2828235 - ETPRO MALWARE DNSMessenger CnC Beacon via DNS (malware.rules)
2833828 - ETPRO MALWARE STOLENPENCIL CnC Domain in DNS Lookup (malware.rules)
2834076 - ETPRO MALWARE Observed DNS Query for Ursnif Domain (malware.rules)
2839443 - ETPRO MALWARE Observed DNS Query to Known Queu Downloader Sub Domain (malware.rules)
2844155 - ETPRO MALWARE Observed MythBot CnC Domain in TLS SNI (malware.rules)
2846747 - ETPRO MOBILE_MALWARE Android/Obfus.RJ (TLS SNI) 78 (mobile_malware.rules)
2848442 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 40 (mobile_malware.rules)
2848498 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 61 (mobile_malware.rules)
2848947 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 111 (mobile_malware.rules)
2849027 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 123 (mobile_malware.rules)
2849150 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 149 (mobile_malware.rules)
2849205 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 153 (mobile_malware.rules)
2849894 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 186 (mobile_malware.rules)
2852791 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Jocker.ei CnC Domain in DNS Lookup (mobile_malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2022/12/19 - v10199 Ruleset Updates	350	December 19, 2022
Ruleset Update Summary - 2022/12/16 - v10198 Ruleset Updates	215	December 16, 2022
Ruleset Update Summary - 2022/11/21 - v10178 Ruleset Updates	405	November 21, 2022
Ruleset Update Summary - 2022/12/05 - v10188 Ruleset Updates	329	December 5, 2022
Ruleset Update Summary - 2023/02/24 - v10253 Ruleset Updates	225	February 24, 2023