Summary:
8 new OPEN, 12 new PRO (8 + 4)
Thanks @suyog41, @dtmsecurity
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
Added rules:
Open:
- 2043288 - ET MALWARE DCRAT Checkin via Telegram (malware.rules)
- 2043289 - ET MALWARE VectorStealer Data Exfil via Telegram (malware.rules)
- 2043290 - ET MALWARE ZeroBot/ZeroStresser Botnet Related Domain in DNS Lookup (zero .sudolite .ml) (malware.rules)
- 2043291 - ET MALWARE Observed Various Malware Staging Domain (direct-trojan .com in TLS SNI) (malware.rules)
- 2043292 - ET MALWARE Various Malware Staging Domain in DNS Lookup (direct-trojan .com) (malware.rules)
- 2043293 - ET MALWARE Magecart CnC Domain in DNS Lookup (2xdepp .com) (malware.rules)
- 2043294 - ET MALWARE Magecart CnC Domain in DNS Lookup (saylor2xbtc .com) (malware.rules)
- 2043295 - ET MALWARE Magecart CnC Domain in DNS Lookup (elon2xmusk .com) (malware.rules)
Pro:
- 2853038 - ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant User-Agent Observed (20100101 Firefox) (malware.rules)
- 2853039 - ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant CnC Response (malware.rules)
- 2853040 - ETPRO PHISHING Successful Gmail Credential Phish 2023-01-12 (phishing.rules)
- 2853041 - ETPRO MALWARE Win32/PSW.Agent.ONW Telegram Response (malware.rules)
Modified active rules:
- 2034194 - ET MALWARE DCRAT Activity (GET) (malware.rules)
Disabled and modified rules:
- 2038952 - ET MALWARE SocGholish Domain in DNS Lookup (restructuring .breatheinnew .life) (malware.rules)
- 2039442 - ET MALWARE SocGholish Domain in DNS Lookup (consultant .meredithklemmblog .com) (malware.rules)
- 2042773 - ET MALWARE SocGholish Domain in DNS Lookup (modernism .designpaw .com) (malware.rules)
- 2042774 - ET MALWARE SocGholish Domain in DNS Lookup (library .covebooks .com) (malware.rules)
- 2809178 - ETPRO EXPLOIT DTLS 1.2 HelloVerifyRequest CookieSize Heap Overflow CVE-2014-6321 (exploit.rules)
- 2809179 - ETPRO EXPLOIT DTLS Pre 1.0 HelloVerifyRequest Schannel OOB Read CVE-2014-6321 (exploit.rules)
- 2809180 - ETPRO EXPLOIT DTLS 1.0 HelloVerifyRequest Schannel OOB Read CVE-2014-6321 (exploit.rules)
- 2809181 - ETPRO EXPLOIT DTLS 1.2 HelloVerifyRequest Schannel OOB Read CVE-2014-6321 (exploit.rules)
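After an update like the one above, the check most teams want is whether the new SIDs actually landed in the deployed ruleset and whether anything ET disabled upstream is still enabled locally. The script below is an added example, not an Emerging Threats or suricata-update tool. It parses the plain-text section layout of this post (Open, Pro, Modified active rules, Disabled and modified rules) and cross-checks the SIDs against a Suricata rules file. It assumes the rules file uses the standard sid:NNNN; keyword and that a locally disabled rule is a commented-out line, which is how suricata-update writes disabled rules; the sample update excerpt and the placeholder rule bodies embedded in the script are constructed for the example and are not the real ET rule content.

```python
import re

# Constructed excerpt of the update post above, in ET's plain-text layout.
SAMPLE_UPDATE = """\
Added rules:
Open:
- 2043288 - ET MALWARE DCRAT Checkin via Telegram (malware.rules)
- 2043290 - ET MALWARE ZeroBot/ZeroStresser Botnet Related Domain in DNS Lookup (zero .sudolite .ml) (malware.rules)
Pro:
- 2853038 - ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant User-Agent Observed (20100101 Firefox) (malware.rules)
Modified active rules:
- 2034194 - ET MALWARE DCRAT Activity (GET) (malware.rules)
Disabled and modified rules:
- 2038952 - ET MALWARE SocGholish Domain in DNS Lookup (restructuring .breatheinnew .life) (malware.rules)
"""

# Constructed rules file: bodies are placeholders, only the sid values matter here.
# The third line is commented out, which is how suricata-update disables a rule.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"placeholder"; sid:2043288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"placeholder"; sid:2034194; rev:7;)
# alert dns $HOME_NET any -> any any (msg:"placeholder"; sid:2038952; rev:2;)
"""

SECTION_RE = re.compile(r"^(Open|Pro|Modified active rules|Disabled and modified rules):\s*$")
ENTRY_RE = re.compile(r"^- (\d+) - (.+?) \((\S+\.rules)\)\s*$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_update(text):
    """Map section name -> list of (sid, msg, rules_file) parsed from an ET update post."""
    sections = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return sections


def load_sids(rules_text):
    """Return {sid: enabled} for every rule line; a commented-out line counts as disabled."""
    status = {}
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m:
            status[int(m.group(1))] = not line.lstrip().startswith("#")
    return status


def audit(update_text, rules_text, has_pro=False):
    """Compare the post's SIDs with the local rules file.

    has_pro=False skips the Pro section, since ETPRO SIDs are expected to be
    absent from an open-ruleset deployment.
    """
    sections = parse_update(update_text)
    status = load_sids(rules_text)
    report = {"missing": [], "enabled_but_disabled_upstream": [], "present": []}
    for section, entries in sections.items():
        if section == "Pro" and not has_pro:
            continue
        for sid, _msg, _file in entries:
            if sid not in status:
                report["missing"].append(sid)
            elif section == "Disabled and modified rules" and status[sid]:
                # Upstream disabled it (often a dead domain or a false-positive fix);
                # a locally enabled copy is stale and worth a look.
                report["enabled_but_disabled_upstream"].append(sid)
            else:
                report["present"].append(sid)
    return report


if __name__ == "__main__":
    for key, sids in audit(SAMPLE_UPDATE, SAMPLE_RULES).items():
        print(f"{key}: {sids}")
```

To run it against a real deployment, feed it the text of the day's post and the contents of your merged rules file (for suricata-update that is the file under its output directory, typically named suricata.rules); anything reported under missing after an update is a sign the fetch or merge did not happen.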