Ruleset Update Summary - 2023/01/27 - v10231

rulesbot · January 27, 2023, 9:40pm

Summary:

10 new OPEN, 93 new PRO (10 + 83)

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Added rules:

Open:

2044004 - ET MALWARE Observed Glupteba CnC Domain (nisdably .com in TLS SNI) (malware.rules)
2044005 - ET MALWARE Observed Glupteba CnC Domain (ninhaine .com in TLS SNI) (malware.rules)
2044006 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
2044007 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
2044008 - ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access Inbound (CVE-2021-35394) (exploit.rules)
2044009 - ET EXPLOIT D-Link webupg Remote Code Execution Attempt Inbound (CVE 2021-46441, 2021-46442) (exploit.rules)
2044010 - ET EXPLOIT Possible Oracle E-Business RCE Attempt Inbound M1 (CVE-2022-21587) (exploit.rules)
2044011 - ET EXPLOIT Possible Oracle E-Business RCE Attempt Inbound M2 (CVE-2022-21587) (exploit.rules)
2044012 - ET EXPLOIT Possible Oracle E-Business RCE Attempt Inbound M3 (CVE-2022-21587) (exploit.rules)
2044013 - ET EXPLOIT Possible Oracle E-Business RCE Attempt Inbound M4 (CVE-2022-21587) (exploit.rules)

Pro:

2810416 - ETPRO HUNTING Inbound cmd.exe Base64 Encoded (Unicode) 1 (hunting.rules)
2810417 - ETPRO HUNTING Inbound cmd.exe Base64 Encoded (Unicode) 2 (hunting.rules)
2810418 - ETPRO HUNTING Inbound cmd.exe Base64 Encoded (Unicode) 3 (hunting.rules)
2810419 - ETPRO HUNTING Inbound cmd.exe Base64 Encoded (ASCII) 1 (hunting.rules)
2810420 - ETPRO HUNTING Inbound cmd.exe Base64 Encoded (ASCII) 2 (hunting.rules)
2810421 - ETPRO HUNTING Inbound cmd.exe Base64 Encoded (ASCII) 3 (hunting.rules)
2853174 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.l CnC Domain in DNS Lookup (mobile_malware.rules)
2853175 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.h CnC Domain in DNS Lookup (mobile_malware.rules)
2853176 - ETPRO MOBILE_MALWARE Android/Spy.Banker.BSO CnC Domain in DNS Lookup (mobile_malware.rules)
2853177 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.KTE CnC Domain in DNS Lookup (mobile_malware.rules)
2853178 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.l CnC Domain in DNS Lookup (mobile_malware.rules)
2853179 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.KMZ CnC Domain in DNS Lookup (mobile_malware.rules)
2853180 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Xhunter.a CnC Domain in DNS Lookup (mobile_malware.rules)
2853181 - ETPRO MOBILE_MALWARE Android.BankBot.14183 CnC Domain in DNS Lookup (mobile_malware.rules)
2853182 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853183 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853184 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853185 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853186 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853187 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853188 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853189 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853190 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853191 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853192 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853193 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853194 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853195 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853196 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853197 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853198 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853199 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853200 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853201 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853202 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853203 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853204 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853205 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853206 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853207 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853208 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853209 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853210 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853211 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853212 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853213 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853214 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853215 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853216 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853217 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853218 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853219 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853220 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853221 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853222 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853223 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853224 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853225 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853226 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853227 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2853228 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853229 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2853230 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853231 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853232 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853233 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853234 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853235 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853236 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853237 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853238 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853239 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853240 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853241 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
2853242 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
2853243 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
2853244 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
2853245 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
2853246 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
2853247 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
2853248 - ETPRO MALWARE FormBook CnC Checkin (GET) (malware.rules)
2853249 - ETPRO MALWARE VBA/TrojanDownloader.Agent.OJG CnC Activity (GET) (malware.rules)
2853250 - ETPRO MALWARE Suspected DOUBLEDRAG Variant Activity (GET) (malware.rules)

Removed rules:

2810416 - ETPRO MALWARE Inbound cmd.exe Base64 Encoded (Unicode) 1 (malware.rules)
2810417 - ETPRO INFO Inbound cmd.exe Base64 Encoded (Unicode) 2 (info.rules)
2810418 - ETPRO INFO Inbound cmd.exe Base64 Encoded (Unicode) 3 (info.rules)
2810419 - ETPRO INFO Inbound cmd.exe Base64 Encoded (ASCII) 1 (info.rules)
2810420 - ETPRO MALWARE Inbound cmd.exe Base64 Encoded (ASCII) 2 (malware.rules)
2810421 - ETPRO MALWARE Inbound cmd.exe Base64 Encoded (ASCII) 3 (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/02/15 - v10244 Ruleset Updates	232	February 15, 2023
Ruleset Update Summary - 2023/01/19 - v10224 Ruleset Updates	372	January 19, 2023
Ruleset Update Summary - 2023/02/06 - v10237 Ruleset Updates	230	February 6, 2023
Ruleset Update Summary - 2023/03/30 - v10281 Ruleset Updates	422	March 30, 2023
Ruleset Update Summary - 2022/11/16 - v10174 Ruleset Updates	321	November 16, 2022