Ruleset Update Summary - 2023/02/01 - v10234

Summary:

16 new OPEN, 39 new PRO (16 + 23)

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.


Added rules:

Open:

  • 2044045 - ET MALWARE Phorpiex CnC Domain (twizt .org) in DNS Lookup (malware.rules)
  • 2044046 - ET INFO URL Shortener Service (fanlink .to) in DNS Lookup (info.rules)
  • 2044047 - ET INFO Observed URL Shortener Service Domain (fanlink .to) in TLS SNI (info.rules)
  • 2044048 - ET MALWARE Ice Breaker Backdoor CnC Domain (xn--screnshot-iib .net) in DNS Lookup (malware.rules)
  • 2044049 - ET MALWARE Ice Breaker Backdoor CnC Domain (ponzix .net) in DNS Lookup (malware.rules)
  • 2044050 - ET MALWARE Ice Breaker Backdoor CnC Domain (screenshotlite .com) in DNS Lookup (malware.rules)
  • 2044051 - ET MALWARE Ice Breaker Backdoor CnC Domain (screenshot .icu) in DNS Lookup (malware.rules)
  • 2044052 - ET MALWARE Ice Breaker Backdoor CnC Domain (xn--screnshot-jib .net) in DNS Lookup (malware.rules)
  • 2044053 - ET MALWARE Ice Breaker Backdoor CnC Domain (screenshotcap .com) in DNS Lookup (malware.rules)
  • 2044054 - ET PHISHING Successful Metamask Pass Phrase Phish 2023-02-01 (phishing.rules)
  • 2044055 - ET MALWARE Observed DNS Query to IcedID Domain (alijhaborta .com) (malware.rules)
  • 2044056 - ET MALWARE Observed DNS Query to IcedID Domain (qoipaboni .com) (malware.rules)
  • 2044057 - ET MALWARE Observed DNS Query to IcedID Domain (windmencherser .com) (malware.rules)
  • 2044058 - ET MALWARE Observed DNS Query to IcedID Domain (leftcatrheringg .com) (malware.rules)
  • 2044059 - ET MALWARE Observed DNS Query to IcedID Domain (yelsopotre .com) (malware.rules)
  • 2044060 - ET MALWARE Observed DNS Query to IcedID Domain (headertolz .com) (malware.rules)

Pro:

  • 2853270 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-02-01 1) (coinminer.rules)
  • 2853271 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-02-01 2) (coinminer.rules)
  • 2853272 - ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound (malware.rules)
  • 2853273 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2853274 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853275 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853276 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2853277 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2853278 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2853279 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2853280 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2853281 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2853282 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2853283 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2853284 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2853285 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2853286 - ETPRO HUNTING NT Authorty - Domain SID in URI (hunting.rules)
  • 2853287 - ETPRO HUNTING NT Authorty - LocalSystem SID in URI (hunting.rules)
  • 2853288 - ETPRO HUNTING NT Authority - Users SID in URI (hunting.rules)
  • 2853289 - ETPRO HUNTING AzureAD SID in URI (hunting.rules)
  • 2853290 - ETPRO HUNTING Look-alike Domain Query (.xyz) (hunting.rules)
  • 2853291 - ETPRO HUNTING Look-alike Domain Query (.space) (hunting.rules)
  • 2853292 - ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin (malware.rules)

Disabled and modified rules:

  • 2038953 - ET MALWARE SocGholish Domain in DNS Lookup (prompt .zonashoppers .academy) (malware.rules)
  • 2043251 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .asset .tradingvein .xyz) (malware.rules)