Ruleset Update Summary - 2023/01/12 - v10219

Summary:

8 new OPEN, 12 new PRO (8 OPEN + 4 PRO-only; the PRO ruleset includes all OPEN rules)

Thanks @suyog41, @dtmsecurity

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.


Added rules:

Open:

  • 2043288 - ET MALWARE DCRAT Checkin via Telegram (malware.rules)
  • 2043289 - ET MALWARE VectorStealer Data Exfil via Telegram (malware.rules)
  • 2043290 - ET MALWARE ZeroBot/ZeroStresser Botnet Related Domain in DNS Lookup (zero .sudolite .ml) (malware.rules)
  • 2043291 - ET MALWARE Observed Various Malware Staging Domain (direct-trojan .com in TLS SNI) (malware.rules)
  • 2043292 - ET MALWARE Various Malware Staging Domain in DNS Lookup (direct-trojan .com) (malware.rules)
  • 2043293 - ET MALWARE Magecart CnC Domain in DNS Lookup (2xdepp .com) (malware.rules)
  • 2043294 - ET MALWARE Magecart CnC Domain in DNS Lookup (saylor2xbtc .com) (malware.rules)
  • 2043295 - ET MALWARE Magecart CnC Domain in DNS Lookup (elon2xmusk .com) (malware.rules)

Pro:

  • 2853038 - ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant User-Agent Observed (20100101 Firefox) (malware.rules)
  • 2853039 - ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant CnC Response (malware.rules)
  • 2853040 - ETPRO PHISHING Successful Gmail Credential Phish 2023-01-12 (phishing.rules)
  • 2853041 - ETPRO MALWARE Win32/PSW.Agent.ONW Telegram Response (malware.rules)

Modified active rules:

  • 2034194 - ET MALWARE DCRAT Activity (GET) (malware.rules)

Disabled and modified rules:

  • 2038952 - ET MALWARE SocGholish Domain in DNS Lookup (restructuring .breatheinnew .life) (malware.rules)
  • 2039442 - ET MALWARE SocGholish Domain in DNS Lookup (consultant .meredithklemmblog .com) (malware.rules)
  • 2042773 - ET MALWARE SocGholish Domain in DNS Lookup (modernism .designpaw .com) (malware.rules)
  • 2042774 - ET MALWARE SocGholish Domain in DNS Lookup (library .covebooks .com) (malware.rules)
  • 2809178 - ETPRO EXPLOIT DTLS 1.2 HelloVerifyRequest CookieSize Heap Overflow CVE-2014-6321 (exploit.rules)
  • 2809179 - ETPRO EXPLOIT DTLS Pre 1.0 HelloVerifyRequest Schannel OOB Read CVE-2014-6321 (exploit.rules)
  • 2809180 - ETPRO EXPLOIT DTLS 1.0 HelloVerifyRequest Schannel OOB Read CVE-2014-6321 (exploit.rules)
  • 2809181 - ETPRO EXPLOIT DTLS 1.2 HelloVerifyRequest Schannel OOB Read CVE-2014-6321 (exploit.rules)
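The entries above follow a fixed layout (section heading, then `sid - msg (file)` bullets, with indicator domains defanged as `label .tld`), which makes them easy to turn into a local change record: which SIDs to add to a suricata-update `disable.conf`, and which refanged domains to push to a DNS/SNI watchlist. The parser below is an added example, not Emerging Threats code or tooling; it assumes the defanging convention seen on this page (space before each dot) and the `disable.conf` format of one SID per line with `#` comment lines. The sample text is a subset of this summary's own entries embedded so the script runs offline.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: a subset of the entries from this summary, embedded so the
# parser runs offline (constructed from the page, not fetched).
SUMMARY = """\
Added rules:

Open:

  • 2043288 - ET MALWARE DCRAT Checkin via Telegram (malware.rules)
  • 2043290 - ET MALWARE ZeroBot/ZeroStresser Botnet Related Domain in DNS Lookup (zero .sudolite .ml) (malware.rules)
  • 2043291 - ET MALWARE Observed Various Malware Staging Domain (direct-trojan .com in TLS SNI) (malware.rules)

Pro:

  • 2853038 - ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant User-Agent Observed (20100101 Firefox) (malware.rules)

Modified active rules:

  • 2034194 - ET MALWARE DCRAT Activity (GET) (malware.rules)

Disabled and modified rules:

  • 2038952 - ET MALWARE SocGholish Domain in DNS Lookup (restructuring .breatheinnew .life) (malware.rules)
  • 2809178 - ETPRO EXPLOIT DTLS 1.2 HelloVerifyRequest CookieSize Heap Overflow CVE-2014-6321 (exploit.rules)
"""

SECTION_RE = re.compile(r"^(Added rules|Modified active rules|Disabled and modified rules):$")
# "  • <sid> - <msg> (<file>.rules)"; the lazy msg group stops at the last
# "(x.rules)" so parentheses inside the msg are kept.
ENTRY_RE = re.compile(r"^\s*•\s*(\d+)\s*-\s*(.+?)\s*\((\w+\.rules)\)\s*$")
# Defanged domain as written in ET summaries: lowercase labels joined by " ."
# (assumption based on this page; "1.2" and "20100101" do not match).
DEFANGED_DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?: \.[a-z0-9-]+)+)\b")


@dataclass
class Entry:
    sid: int
    section: str      # which block of the summary the entry came from
    ruleset: str      # "open" or "pro", from the msg prefix
    msg: str
    rules_file: str
    domains: list     # refanged indicator domains found in msg, if any


def parse_summary(text: str) -> list[Entry]:
    """Parse the bullet entries of an ET update summary into Entry records."""
    entries: list[Entry] = []
    section = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line.strip())
        if sec:
            section = sec.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue  # blank lines, "Open:"/"Pro:" sub-headings, anything else
        sid, msg, rules_file = int(m.group(1)), m.group(2), m.group(3)
        ruleset = "pro" if msg.startswith("ETPRO ") else "open"
        domains = [d.replace(" .", ".") for d in DEFANGED_DOMAIN_RE.findall(msg)]
        entries.append(Entry(sid, section, ruleset, msg, rules_file, domains))
    return entries


def disable_conf_lines(entries: list[Entry]) -> list[str]:
    """Lines for suricata-update's disable.conf covering the SIDs the vendor
    disabled in this update: a '#' comment line with the msg, then the SID."""
    out: list[str] = []
    for e in entries:
        if e.section == "Disabled and modified rules":
            out.append(f"# {e.msg}")
            out.append(str(e.sid))
    return out


def indicator_domains(entries: list[Entry]) -> dict[int, list]:
    """Refanged domains per SID, for a DNS/TLS-SNI watchlist."""
    return {e.sid: e.domains for e in entries if e.domains}


if __name__ == "__main__":
    parsed = parse_summary(SUMMARY)
    print("\n".join(disable_conf_lines(parsed)))
    for sid, doms in indicator_domains(parsed).items():
        print(sid, ", ".join(doms))
```

Rules listed under "Disabled and modified rules" ship disabled by default, so the `disable.conf` lines only matter if a local `enable.conf` broadly re-enables a category (for example with a `re:` pattern); run the script against each summary and diff the output to catch that.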