Ruleset Update Summary - 2023/01/03 - v10210

rulesbot · January 3, 2023, 10:54pm

Summary:

41 new OPEN, 49 new PRO (41 + 8)

Thanks @Doctor_Web, @Trustwave, @rmceoin, @_tweedge

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Added rules:

Open:

2043161 - ET ATTACK_RESPONSE PowerShell String Base64 Encoded Invoke-RestMethod (dm9rZS1SZXN0TWV0) in DNS TXT Reponse (attack_response.rules)
2043162 - ET ATTACK_RESPONSE PowerShell String Base64 Encoded Invoke-RestMethod (Zva2UtUmVzdE1ld) in DNS TXT Reponse (attack_response.rules)
2043163 - ET ATTACK_RESPONSE PowerShell String Base64 Encoded Invoke-RestMethod (2b2tlLVJlc3RNZX) in DNS TXT Reponse (attack_response.rules)
2043164 - ET ATTACK_RESPONSE PowerShell String Base64 Encoded Text.Encoding (ZXh0LkVuY29k) in DNS TXT Reponse (attack_response.rules)
2043165 - ET ATTACK_RESPONSE PowerShell String Base64 Encoded Text.Encoding (V4dC5FbmNvZ) in DNS TXT Reponse (attack_response.rules)
2043166 - ET ATTACK_RESPONSE PowerShell String Base64 Encoded Text.Encoding (leHQuRW5jb2) in DNS TXT Reponse (attack_response.rules)
2043167 - ET MALWARE ViperSoftX HTTP CnC Activity (malware.rules)
2043168 - ET MALWARE ActionLoader CnC Domain in DNS Lookup (mejito .ru) (malware.rules)
2043169 - ET MALWARE ActionLoader CnC Domain in DNS Lookup (roskazna .net) (malware.rules)
2043170 - ET MALWARE ActionLoader CnC Domain in DNS Lookup (cloud-documents .com) (malware.rules)
2043171 - ET MALWARE ActionLoader CnC Domain in DNS Lookup (kc-3 .ru) (malware.rules)
2043172 - ET MALWARE ActionLoader CnC Domain in DNS Lookup (azure-tech .pro) (malware.rules)
2043173 - ET MALWARE ActionLoader CnC Domain in DNS Lookup (xlssmooth .xyz) (malware.rules)
2043174 - ET MALWARE ActionLoader CnC Domain in DNS Lookup (ekb .tanzedrom .ru) (malware.rules)
2043175 - ET PHISHING Office 365 Credential Harvesting Domain (rightofcourse .com) in DNS Lookup (phishing.rules)
2043176 - ET PHISHING Office 365 Credential Harvesting Domain (rightofcourse .com) in TLS SNI (phishing.rules)
2043177 - ET MALWARE linux.backdoor.wordpressexploit.1 CnC Domain (gabriellalovecats .com) in DNS Lookup (malware.rules)
2043178 - ET MALWARE linux.backdoor.wordpressexploit.1 CnC Domain (transadforward .icu) in DNS Lookup (malware.rules)
2043179 - ET MALWARE linux.backdoor.wordpressexploit.1 CnC Domain (tommyforgreendream .icu) in DNS Lookup (malware.rules)
2043180 - ET MALWARE Observed linux.backdoor.wordpressexploit.1 Domain (gabriellalovecats .com) in TLS SNI (malware.rules)
2043181 - ET MALWARE Observed linux.backdoor.wordpressexploit.1 Domain (transadforward .icu) in TLS SNI (malware.rules)
2043182 - ET MALWARE Observed linux.backdoor.wordpressexploit.1 Domain (tommyforgreendream .icu) in TLS SNI (malware.rules)
2043183 - ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain (clon .collectfasttracks .com) in DNS Lookup (malware.rules)
2043184 - ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain (letsmakeparty3 .ga) in DNS Lookup (malware.rules)
2043185 - ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain (count .trackstatisticsss .com) in DNS Lookup (malware.rules)
2043186 - ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain (lobbydesires .com) in DNS Lookup (malware.rules)
2043187 - ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain (deliverygoodstrategies .com) in DNS Lookup (malware.rules)
2043188 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (clon .collectfasttracks .com) in TLS SNI (malware.rules)
2043189 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (letsmakeparty3 .ga) in TLS SNI (malware.rules)
2043190 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (count .trackstatisticsss .com) in TLS SNI (malware.rules)
2043191 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (lobbydesires .com) in TLS SNI (malware.rules)
2043192 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (deliverygoodstrategies .com) in TLS SNI (malware.rules)
2043193 - ET MALWARE linux.backdoor.wordpressexploit.1 CnC Checkin (malware.rules)
2043194 - ET MALWARE linux.backdoor.wordpressexploit.1 JS backdoor retrieval (malware.rules)
2043195 - ET MALWARE linux.backdoor.wordpressexploit.2 CnC Checkin (malware.rules)
2043196 - ET MALWARE linux.backdoor.wordpressexploit.2 JS backdoor retrieval (malware.rules)
2043197 - ET MALWARE linux.backdoor.wordpressexploit file upload test (malware.rules)
2043198 - ET MALWARE Win32/Aurora Stealer WORK Command (malware.rules)
2043199 - ET MALWARE Win32/Aurora Stealer Accept Command (malware.rules)
2043200 - ET MALWARE Win32/Aurora Stealer Thanks Command (malware.rules)
2043201 - ET PHISHING Successful American First CU Credential Phish 2023-01-03 (phishing.rules)

Pro:

2852993 - ETPRO INFO Observed Sophos Phishing Awareness Domain in DNS Lookup (info.rules)
2852994 - ETPRO INFO Observed Sophos Phishing Awareness Domain in DNS Lookup (info.rules)
2852995 - ETPRO INFO Observed Sophos Phishing Awareness Domain in DNS Lookup (info.rules)
2852996 - ETPRO INFO Observed Sophos Phishing Awareness Domain in DNS Lookup (info.rules)
2852997 - ETPRO INFO Observed Sophos Phishing Awareness Domain in TLS SNI (info.rules)
2852998 - ETPRO INFO Observed Sophos Phishing Awareness Domain in TLS SNI (info.rules)
2852999 - ETPRO INFO Observed Sophos Phishing Awareness Domain in TLS SNI (info.rules)
2853000 - ETPRO INFO Observed Sophos Phishing Awareness Domain in TLS SNI (info.rules)

Modified active rules:

2841974 - ETPRO MALWARE Win32/Fabookie.ek CnC Activity M1 (malware.rules)
2851115 - ETPRO MALWARE Win32/Fabookie.ek CnC Activity M2 (malware.rules)
2852979 - ETPRO MALWARE Win32/Fabookie.ek CnC Response (malware.rules)
2852980 - ETPRO MALWARE Win32/Fabookie.ek CnC Request M1 (GET) (malware.rules)
2852981 - ETPRO MALWARE Win32/Fabookie.ek CnC Request M3 (GET) (malware.rules)

Modified inactive rules:

2013514 - ET MALWARE Potential DNS Command and Control via TXT queries (malware.rules)

Disabled and modified rules:

2038951 - ET MALWARE SocGholish Domain in DNS Lookup (loans .mistakenumberone .com) (malware.rules)
2039092 - ET MALWARE TA569 Domain in DNS Lookup (gloogletag .com) (malware.rules)
2039093 - ET MALWARE TA569 Domain in DNS Lookup (brocode3s .com) (malware.rules)
2039101 - ET MALWARE TA569 Domain in DNS Lookup (pastukhova .com) (malware.rules)
2040145 - ET MALWARE SocGholish Domain in DNS Lookup (wiki .clotheslane .com) (malware.rules)
2040146 - ET MALWARE SocGholish Domain in DNS Lookup (perspective .cdsignner .com) (malware.rules)
2040147 - ET MALWARE SocGholish Domain in DNS Lookup (mask .covidturf .com) (malware.rules)
2040148 - ET MALWARE SocGholish Domain in DNS Lookup (progress .cashdigger .com) (malware.rules)
2042968 - ET MALWARE SocGholish Domain in DNS Lookup (navyseal .bezmail .com) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/02/22 - v10250 Ruleset Updates	360	February 22, 2023
Ruleset Update Summary - 2022/12/14 - v10196 Ruleset Updates	373	December 14, 2022
Ruleset Update Summary - 2023/01/30 - v10232 Ruleset Updates	226	January 30, 2023
Ruleset Update Summary - 2023/01/19 - v10224 Ruleset Updates	369	January 19, 2023
Ruleset Update Summary - 2023/01/05 - v10212 Ruleset Updates	307	January 5, 2023