Ruleset Update Summary - 2022/12/28 - v10206

Summary:

75 new OPEN, 78 new PRO (75 + 3)

Thanks @sekoia_io, @nozominetworks

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

There will be no signature release on Monday, January 2, 2023 due to New Year holiday observance.


Added rules:

Open:

  • 2043023 - ET PHISHING Generic Cryptocurrency Credential Phish Related Domain in DNS Lookup (thedoodles .site) (phishing.rules)
  • 2043026 - ET INFO Suspicious Empty Accept-Encoding Header (info.rules)
  • 2043027 - ET MALWARE Observed Glupteba CnC Domain (greenphoenix .xyz in TLS SNI) (malware.rules)
  • 2043028 - ET MALWARE Observed Glupteba CnC Domain (cdneurops .buzz in TLS SNI) (malware.rules)
  • 2043029 - ET MALWARE Observed Glupteba CnC Domain (mastiakele .ae .org in TLS SNI) (malware.rules)
  • 2043030 - ET MALWARE Observed Glupteba CnC Domain (cdneurops .pics in TLS SNI) (malware.rules)
  • 2043031 - ET MALWARE Observed Glupteba CnC Domain (zaoshang .ooo in TLS SNI) (malware.rules)
  • 2043032 - ET MALWARE Observed Glupteba CnC Domain (getyourgift .life in TLS SNI) (malware.rules)
  • 2043033 - ET MALWARE Observed Glupteba CnC Domain (zaoshang .ru in TLS SNI) (malware.rules)
  • 2043034 - ET MALWARE Observed Glupteba CnC Domain (tmetres .com in TLS SNI) (malware.rules)
  • 2043035 - ET MALWARE Observed Glupteba CnC Domain (revouninstaller .homes in TLS SNI) (malware.rules)
  • 2043036 - ET MALWARE Observed Glupteba CnC Domain (limeprime .com in TLS SNI) (malware.rules)
  • 2043037 - ET MALWARE Observed Glupteba CnC Domain (zaoshanghao .su in TLS SNI) (malware.rules)
  • 2043038 - ET MALWARE Observed Glupteba CnC Domain (cdneurop .cloud in TLS SNI) (malware.rules)
  • 2043039 - ET MALWARE Observed Glupteba CnC Domain (zaoshanghaoz .net in TLS SNI) (malware.rules)
  • 2043040 - ET MALWARE Observed Glupteba CnC Domain (checkpos .net in TLS SNI) (malware.rules)
  • 2043041 - ET MALWARE Observed Glupteba CnC Domain (zaoshang .moscow in TLS SNI) (malware.rules)
  • 2043042 - ET MALWARE Observed Glupteba CnC Domain (mastiakele .icu in TLS SNI) (malware.rules)
  • 2043043 - ET MALWARE Observed Glupteba CnC Domain (cdntokiog .studio in TLS SNI) (malware.rules)
  • 2043044 - ET MALWARE Observed Glupteba CnC Domain (mastiakele .xyz in TLS SNI) (malware.rules)
  • 2043045 - ET MALWARE Observed Glupteba CnC Domain (cdneurops .health in TLS SNI) (malware.rules)
  • 2043046 - ET MALWARE Observed Glupteba CnC Domain (cdneurops .shop in TLS SNI) (malware.rules)
  • 2043047 - ET MALWARE Observed Glupteba CnC Domain (mastiakele .cyou in TLS SNI) (malware.rules)
  • 2043048 - ET MALWARE Observed Glupteba CnC Domain (duniadekho .bar in TLS SNI) (malware.rules)
  • 2043049 - ET MALWARE Lazarus APT Related Domain in DNS Lookup (professiondesc .com) (malware.rules)
  • 2043050 - ET MALWARE Win32/RisePro CnC Command Outbound (get_settings) (malware.rules)
  • 2043051 - ET MALWARE Observed DNS Query to RisePro Domain (first-mirror .com) (malware.rules)
  • 2043052 - ET MALWARE Observed DNS Query to RisePro Domain (torggissoft .com) (malware.rules)
  • 2043053 - ET MALWARE Observed DNS Query to RisePro Domain (myrise .pro) (malware.rules)
  • 2043054 - ET MALWARE Observed DNS Query to RisePro Domain (hero-files .com) (malware.rules)
  • 2043055 - ET MALWARE Observed DNS Query to RisePro Domain (uc-files .com) (malware.rules)
  • 2043056 - ET MALWARE Observed DNS Query to RisePro Domain (files-rate .com) (malware.rules)
  • 2043057 - ET MALWARE Observed DNS Query to RisePro Domain (rate-files .com) (malware.rules)
  • 2043058 - ET MALWARE Observed DNS Query to RisePro Domain (xx1-files .com) (malware.rules)
  • 2043059 - ET MALWARE Observed DNS Query to RisePro Domain (webproduct25 .com) (malware.rules)
  • 2043060 - ET MALWARE Observed DNS Query to RisePro Domain (pin-files .com) (malware.rules)
  • 2043061 - ET MALWARE Observed DNS Query to RisePro Domain (best24-files .com) (malware.rules)
  • 2043062 - ET MALWARE Observed DNS Query to RisePro Domain (get-24files .com) (malware.rules)
  • 2043063 - ET MALWARE Observed DNS Query to RisePro Domain (neo-files .com) (malware.rules)
  • 2043064 - ET MALWARE Observed DNS Query to RisePro Domain (m-rise .pro) (malware.rules)
  • 2043065 - ET MALWARE Observed DNS Query to RisePro Domain (pickofiles .com) (malware.rules)
  • 2043066 - ET MALWARE Observed DNS Query to RisePro Domain (my-rise .cc) (malware.rules)
  • 2043067 - ET MALWARE Observed DNS Query to RisePro Domain (my-rise .pro) (malware.rules)
  • 2043068 - ET MALWARE Observed DNS Query to RisePro Domain (fvp-files .com) (malware.rules)
  • 2043069 - ET MALWARE Observed DNS Query to RisePro Domain (gg-download .com) (malware.rules)
  • 2043070 - ET MALWARE Observed DNS Query to RisePro Domain (get-files24 .com) (malware.rules)
  • 2043071 - ET MALWARE Observed DNS Query to RisePro Domain (vi-files .com) (malware.rules)
  • 2043072 - ET MALWARE Observed DNS Query to RisePro Domain (greatsofteasy .com) (malware.rules)
  • 2043073 - ET MALWARE Observed DNS Query to RisePro Domain (qd-file .com) (malware.rules)
  • 2043074 - ET MALWARE Observed DNS Query to RisePro Domain (upxlead .com) (malware.rules)
  • 2043075 - ET MALWARE Observed DNS Query to RisePro Domain (jojo-files .com) (malware.rules)
  • 2043076 - ET MALWARE Observed DNS Query to RisePro Domain (vip-space .com) (malware.rules)
  • 2043077 - ET MALWARE Observed DNS Query to RisePro Domain (files-sender .com) (malware.rules)
  • 2043078 - ET MALWARE Observed DNS Query to RisePro Domain (elite-hacks .ru) (malware.rules)
  • 2043079 - ET MALWARE Observed DNS Query to RisePro Domain (gg-loader .com) (malware.rules)
  • 2043080 - ET MALWARE Observed DNS Query to RisePro Domain (softs-portal .com) (malware.rules)
  • 2043081 - ET MALWARE Observed DNS Query to RisePro Domain (factor1right .com) (malware.rules)
  • 2043082 - ET MALWARE Observed DNS Query to RisePro Domain (gs24softeasy .com) (malware.rules)
  • 2043083 - ET MALWARE Observed DNS Query to RisePro Domain (teleportsoft .com) (malware.rules)
  • 2043084 - ET MALWARE Observed DNS Query to RisePro Domain (boost-files .com) (malware.rules)
  • 2043085 - ET MALWARE Observed DNS Query to RisePro Domain (testitsoft .com) (malware.rules)
  • 2043086 - ET MALWARE Observed DNS Query to RisePro Domain (uni-files .com) (malware.rules)
  • 2043087 - ET MALWARE Observed DNS Query to RisePro Domain (fixgroupfactor .com) (malware.rules)
  • 2043088 - ET MALWARE Observed DNS Query to RisePro Domain (pu-file .com) (malware.rules)
  • 2043089 - ET MALWARE Possible PrivateLoader Payload Request (GET) (malware.rules)
  • 2043090 - ET MALWARE Win32/RisePro CnC Server Response M3 (malware.rules)
  • 2043091 - ET MALWARE Win32/RisePro CnC Server Response M4 (malware.rules)
  • 2043092 - ET MALWARE Win32/RisePro CnC Server Response M5 (malware.rules)
  • 2043093 - ET ADWARE_PUP Observed DNS Query to PUP Domain (omnatuor .com) (adware_pup.rules)
  • 2043094 - ET PHISHING US Government Bid Credential Phish Landing Page 2022-12-28 (phishing.rules)
  • 2043095 - ET PHISHING Successful US Government Bid Credential Phish 2022-12-28 (phishing.rules)
  • 2043096 - ET PHISHING Successful MetaMask Pass Phrase Phish 2022-12-27 (phishing.rules)
  • 2043097 - ET PHISHING Successful Netflix Credential Phish 2022-12-27 (phishing.rules)
  • 2043098 - ET MALWARE Win32/Uwamson.A!ml CnC Checkin (malware.rules)
  • 2043099 - ET MALWARE TA569 Domain in DNS Lookup (luxurycompare .com) (malware.rules)

Pro:

  • 2852984 - ETPRO MALWARE Win32/Glupteba CnC Activity (malware.rules)
  • 2852985 - ETPRO MALWARE Win32/Glupteba CnC Activity (malware.rules)
  • 2852986 - ETPRO MALWARE Win32/Glupteba CnC Activity (malware.rules)
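
Worked example (added here; it is not part of the ET release and does not reproduce the ET signatures themselves): the Python below takes bullets in the format used above, refangs the defanged domains (the page writes first-mirror .com for first-mirror.com and mastiakele .ae .org for mastiakele.ae.org), records whether each signature keys on a DNS query or a TLS SNI, and checks the resulting indicator set against a few Suricata EVE JSON records. The EVE records, source IPs and the "via" labelling are constructed assumptions for illustration; the changelog excerpt is copied from the list above.

```python
import json
import re

# Constructed sample: a few bullets copied from the ruleset summary above.
CHANGELOG = """
  • 2043023 - ET PHISHING Generic Cryptocurrency Credential Phish Related Domain in DNS Lookup (thedoodles .site) (phishing.rules)
  • 2043027 - ET MALWARE Observed Glupteba CnC Domain (greenphoenix .xyz in TLS SNI) (malware.rules)
  • 2043029 - ET MALWARE Observed Glupteba CnC Domain (mastiakele .ae .org in TLS SNI) (malware.rules)
  • 2043049 - ET MALWARE Lazarus APT Related Domain in DNS Lookup (professiondesc .com) (malware.rules)
  • 2043050 - ET MALWARE Win32/RisePro CnC Command Outbound (get_settings) (malware.rules)
  • 2043051 - ET MALWARE Observed DNS Query to RisePro Domain (first-mirror .com) (malware.rules)
  • 2043099 - ET MALWARE TA569 Domain in DNS Lookup (luxurycompare .com) (malware.rules)
"""

# One changelog bullet: "<sid> - <msg> (<file>.rules)"
LINE_RE = re.compile(r"^\s*•\s*(?P<sid>\d+) - (?P<msg>.+) \((?P<file>[\w.]+\.rules)\)\s*$")
# A defanged domain inside the msg parenthetical: labels separated by " ." (space-dot)
DOMAIN_RE = re.compile(r"\((?P<dom>[a-z0-9-]+(?: \.[a-z0-9-]+)+)(?: in TLS SNI)?\)")


def refang(defanged: str) -> str:
    """'mastiakele .ae .org' -> 'mastiakele.ae.org'. Only the ' .' form appears on the page."""
    return defanged.replace(" .", ".").lower()


def parse_indicators(changelog: str) -> dict:
    """Map refanged domain -> {sid, msg, via} for every bullet that names a domain.

    'via' is our own label (an assumption, not an ET field) for the observable the
    signature keys on: "tls" for '... in TLS SNI', "dns" for 'DNS Lookup' / 'DNS Query'.
    Bullets with no domain (e.g. 2043050, a CnC command rule) are skipped.
    """
    indicators = {}
    for line in changelog.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = DOMAIN_RE.search(m["msg"])
        if not d:
            continue
        via = "tls" if "in TLS SNI" in m["msg"] else "dns" if "DNS" in m["msg"] else "other"
        indicators[refang(d["dom"])] = {"sid": int(m["sid"]), "msg": m["msg"], "via": via}
    return indicators


def hostname_of(event: dict):
    """Pull the hostname out of a Suricata EVE record (dns.rrname or tls.sni)."""
    if event.get("event_type") == "dns":
        return event.get("dns", {}).get("rrname")
    if event.get("event_type") == "tls":
        return event.get("tls", {}).get("sni")
    return None


def find_indicator(host: str, indicators: dict):
    """Exact or parent-domain match on a label boundary, so 'notgreenphoenix.xyz'
    does not match 'greenphoenix.xyz' but 'cdn.greenphoenix.xyz' does."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate, indicators[candidate]
    return None


def match_events(eve_lines, indicators):
    """Return (sid, matched_domain, observed_host, event_type) for every hit."""
    hits = []
    for raw in eve_lines:
        ev = json.loads(raw)
        host = hostname_of(ev)
        if not host:
            continue
        found = find_indicator(host, indicators)
        if found:
            dom, ind = found
            hits.append((ind["sid"], dom, host, ev["event_type"]))
    return hits


# Constructed EVE JSON records (not real traffic); fields trimmed to what we read.
SAMPLE_EVE = [
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"first-mirror.com","rrtype":"A"}}',
    '{"event_type":"tls","src_ip":"10.0.0.5","tls":{"sni":"cdn.greenphoenix.xyz","version":"TLS 1.2"}}',
    '{"event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"query","rrname":"notgreenphoenix.xyz","rrtype":"A"}}',
    '{"event_type":"tls","src_ip":"10.0.0.7","tls":{"sni":"MASTIAKELE.AE.ORG"}}',
    '{"event_type":"http","src_ip":"10.0.0.7","http":{"hostname":"example.org"}}',
]

if __name__ == "__main__":
    inds = parse_indicators(CHANGELOG)
    for sid, dom, host, et in match_events(SAMPLE_EVE, inds):
        print(f"sid {sid} ({inds[dom]['via']} rule) hit: {et} host={host} indicator={dom}")
```

The matcher deliberately checks every indicator against both DNS and SNI records rather than only the observable the ET signature uses, which is the hunting view; the "via" label is kept so a hit can be mapped back to the signature that would actually fire. Note also that SID 2043023 appears both under Added (phishing.rules) and under Removed (malware.rules) in this release: the same domain was reclassified, so suppressions or tuning keyed on its old "ET MALWARE TA444/Lazarus" name will no longer apply.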

Modified active rules:

  • 2007994 - ET HUNTING Suspicious Empty User-Agent (hunting.rules)
  • 2042977 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2843688 - ETPRO PHISHING Successful Generic Central Credit Union Phish 2020-07-27 (phishing.rules)

Removed rules:

  • 2043023 - ET MALWARE TA444/Lazarus Related Domain in DNS Lookup (thedoodles .site) (malware.rules)
  • 2837497 - ETPRO POLICY Empty User-Agent Header (policy.rules)