Ruleset Update Summary - 2023/01/09 - v10215

Summary:

14 new OPEN, 17 new PRO (14 + 3)

Thanks @Unit42_Intel, @mawlare_traffic, @trustwave

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.
Added rules:

Open:

  • 2043238 - ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) (info.rules)
  • 2043239 - ET MALWARE Win32/Screenshotter Backdoor Payload Request (GET) (malware.rules)
  • 2043240 - ET MALWARE Win32/Screenshotter Backdoor CnC Activity (GET) (malware.rules)
  • 2043241 - ET MALWARE Observed DNS Query to IcedID Domain (coldcreekranch .com) (malware.rules)
  • 2043242 - ET MALWARE Observed DNS Query to IcedID Domain (dogotungtam .com) (malware.rules)
  • 2043243 - ET MALWARE Observed DNS Query to IcedID Domain (acehphonnajaya .com) (malware.rules)
  • 2043244 - ET MALWARE Observed DNS Query to IcedID Domain (baherlakerl .online) (malware.rules)
  • 2043245 - ET MALWARE Observed DNS Query to IcedID Domain (ajerlakerl .online) (malware.rules)
  • 2043246 - ET MALWARE WinPwn PenTesting Activity (malware.rules)
  • 2043247 - ET PHISHING Generic Korean Bank Credential Theft 2023-01-09 (phishing.rules)
  • 2043248 - ET MALWARE Vidar Stealer IP Address in DNS Query Response (malware.rules)
  • 2043249 - ET MALWARE NetSupport RAT Domain (tradinghuy .duckdns .org) in DNS Lookup (malware.rules)
  • 2043250 - ET PHISHING Successful Coinbase Credential Phish 2023-01-09 (phishing.rules)
  • 2043251 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .asset .tradingvein .xyz) (malware.rules)

Pro:

  • 2853022 - ETPRO MALWARE UltimateLoader Connection Request (malware.rules)
  • 2853023 - ETPRO MALWARE ActionLoader Data Exfiltration (GET) (malware.rules)
  • 2853024 - ETPRO MALWARE ActionLoader Second Stage Payload Request (GET) (malware.rules)

Modified active rules:

  • 2012758 - ET INFO DYNAMIC_DNS Query to *.dyndns. Domain (info.rules)
  • 2042687 - ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain (info.rules)
  • 2042688 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain (info.rules)