Ruleset Update Summary - 2023/01/20 - v10225

rulesbot · January 20, 2023, 9:53pm

Summary:

52 new OPEN, 52 new PRO (52 + 0)

Thanks @SLASH30Miata, @suyog41

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Several Android, IcedID, Pyramid Framework, DCRAT, and many more. Today is free sig Friday, ALL RULES RELEASED TODAY WILL BE AVAILABLE IN BOTH THE ETOPEN and ETPRO RULESET!

Added rules:

Open:

2043371 - ET MOBILE_MALWARE Android/Spy.Agent.AKS CnC Domain in DNS Lookup (mobile_malware.rules)
2043372 - ET MOBILE_MALWARE Backdoor.AndroidOS.Xhunter.a CnC Domain in DNS Lookup (mobile_malware.rules)
2043373 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Agent.ld CnC Domain in DNS Lookup (mobile_malware.rules)
2043374 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Agent.ld CnC Domain in DNS Lookup (mobile_malware.rules)
2043375 - ET MOBILE_MALWARE Android/Spy.Vultur.A CnC Domain in DNS Lookup (mobile_malware.rules)
2043376 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ta CnC Domain in DNS Lookup (mobile_malware.rules)
2043377 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.aa CnC Domain in DNS Lookup (mobile_malware.rules)
2043378 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.e CnC Domain in DNS Lookup (mobile_malware.rules)
2043379 - ET MOBILE_MALWARE Android/Spy.SmsSpy.XC CnC Domain in DNS Lookup (mobile_malware.rules)
2043380 - ET MOBILE_MALWARE Android/Spy.Banker.BOF CnC Domain in DNS Lookup (mobile_malware.rules)
2043381 - ET MOBILE_MALWARE Android.Backdoor.866.origin CnC Domain in DNS Lookup (mobile_malware.rules)
2043382 - ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.e CnC Domain in DNS Lookup (mobile_malware.rules)
2043383 - ET MALWARE IcedID CnC Domain in DNS Lookup (skaiortalop .com) (malware.rules)
2043384 - ET MALWARE IcedID CnC Domain in DNS Lookup (allertmnemonkik .com) (malware.rules)
2043385 - ET MALWARE IcedID CnC Domain in DNS Lookup (headertolz .com) (malware.rules)
2043386 - ET MALWARE IcedID CnC Domain in DNS Lookup (wagringamuk .com) (malware.rules)
2043387 - ET MALWARE IcedID CnC Domain in DNS Lookup (ertusaporf .com) (malware.rules)
2043388 - ET MALWARE IcedID CnC Domain in DNS Lookup (windmencherser .com) (malware.rules)
2043389 - ET MALWARE IcedID CnC Domain in DNS Lookup (dgormiugatox .com) (malware.rules)
2043390 - ET MALWARE IcedID CnC Domain in DNS Lookup (elcapolis .com) (malware.rules)
2043391 - ET MALWARE IcedID CnC Domain in DNS Lookup (needzolapa .com) (malware.rules)
2043392 - ET MALWARE IcedID CnC Domain in DNS Lookup (klayerziluska .com) (malware.rules)
2043393 - ET MALWARE IcedID CnC Domain in DNS Lookup (avoymratax .com) (malware.rules)
2043394 - ET MALWARE IcedID CnC Domain in DNS Lookup (plivetrakoy .com) (malware.rules)
2043395 - ET MALWARE IcedID CnC Domain in DNS Lookup (june85 .cyou) (malware.rules)
2043396 - ET MALWARE IcedID CnC Domain in DNS Lookup (wcollopracket .com) (malware.rules)
2043397 - ET MALWARE IcedID CnC Domain in DNS Lookup (ijoyzymama .com) (malware.rules)
2043398 - ET MALWARE IcedID CnC Domain in DNS Lookup (ebothlips .com) (malware.rules)
2043399 - ET MALWARE IcedID CnC Domain in DNS Lookup (likasertik .shop) (malware.rules)
2043400 - ET MALWARE IcedID CnC Domain in DNS Lookup (qsertopinajil .com) (malware.rules)
2043401 - ET MALWARE IcedID CnC Domain in DNS Lookup (umousteraton .com) (malware.rules)
2043402 - ET MALWARE IcedID CnC Domain in DNS Lookup (trinazhkoma .club) (malware.rules)
2043403 - ET MALWARE IcedID CnC Domain in DNS Lookup (brakudafear .pics) (malware.rules)
2043404 - ET MALWARE IcedID CnC Domain in DNS Lookup (golddisco .top) (malware.rules)
2043405 - ET MALWARE DOUBLEBACK Related Domain in DNS Lookup (barricks .org) (malware.rules)
2043406 - ET MALWARE Observed DOUBLEBACK Related Domain (barricks .org in TLS SNI) (malware.rules)
2043407 - ET MALWARE Pyramid Framework Payload Request (base-bh.py) (malware.rules)
2043408 - ET MALWARE Pyramid Framework Payload Request (base-bof.py) (malware.rules)
2043409 - ET MALWARE Pyramid Framework Payload Request (base-clr.py) (malware.rules)
2043410 - ET MALWARE Pyramid Framework Payload Request (base-DonPAPI.py) (malware.rules)
2043411 - ET MALWARE Pyramid Framework Payload Request (base-impacket-secretsdump.py) (malware.rules)
2043412 - ET MALWARE Pyramid Framework Payload Request (base-LaZagne.py) (malware.rules)
2043413 - ET MALWARE Pyramid Framework Payload Request (base-pythonmemorymodule.py) (malware.rules)
2043414 - ET MALWARE Pyramid Framework Payload Request (base-tunnel-inj.py) (malware.rules)
2043415 - ET MALWARE Pyramid Framework Payload Request (base-tunnel-socks5.py) (malware.rules)
2043416 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
2043417 - ET MALWARE DCRat Initial Checkin Server Response M5 (malware.rules)
2043418 - ET MALWARE DCRat Initial Checkin Server Response M6 (malware.rules)
2043419 - ET MALWARE Discord .exe Download URL In HTTP Response (malware.rules)
2043420 - ET MALWARE Win32/Enigma Stealer CnC Checkin (malware.rules)
2043421 - ET MALWARE Win32/Neshta.A Checkin (malware.rules)
2043422 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .betting .cockroachracing .site) (malware.rules)

Modified active rules:

2036823 - ET MALWARE DOUBLEBACK CnC Activity (malware.rules)
2844133 - ETPRO MALWARE DCRat Initial Checkin Server Response M1 (malware.rules)

Disabled and modified rules:

2039510 - ET MALWARE SocGholish Domain in DNS Lookup (chess .north-atlantic .com) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2022/11/24 - v10181 Ruleset Updates	284	November 24, 2022
Ruleset Update Summary - 2022/11/25 - v10182 Ruleset Updates	226	November 25, 2022
Ruleset Update Summary - 2023/01/26 - v10230 Ruleset Updates	683	January 26, 2023
Ruleset Update Summary - 2023/02/17 - v10246 Ruleset Updates	107	February 17, 2023
Ruleset Update Summary - 2022/11/15 - v10173 Ruleset Updates	124	November 15, 2022