Ruleset Update Summary - 2023/02/03 - v10236

Ruleset Updates
1

Summary:

40 new OPEN, 72 new PRO (40 + 32)

Thanks @WithSecure, @NoahWolf, @ConnectWiseCRU

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Added rules:

Open:

  • 2044078 - ET INFO DYNAMIC_DNS Query to a *.disisleri .com Domain (info.rules)
  • 2044079 - ET INFO DYNAMIC_DNS HTTP Request to a *.disisleri .com Domain (info.rules)
  • 2044080 - ET INFO DYNAMIC_DNS Query to a *.nicolasi .com Domain (info.rules)
  • 2044081 - ET INFO DYNAMIC_DNS HTTP Request to a *.nicolasi .com Domain (info.rules)
  • 2044082 - ET INFO DYNAMIC_DNS Query to a *.xseller .com Domain (info.rules)
  • 2044083 - ET INFO DYNAMIC_DNS HTTP Request to a *.xseller .com Domain (info.rules)
  • 2044084 - ET INFO DYNAMIC_DNS Query to a *.tuquy .com Domain (info.rules)
  • 2044085 - ET INFO DYNAMIC_DNS HTTP Request to a *.tuquy .com Domain (info.rules)
  • 2044086 - ET MALWARE TA430/Andariel ACRES Backdoor Activity (GET) (malware.rules)
  • 2044087 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (officenced .com) (info.rules)
  • 2044088 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (prizemons .com) (info.rules)
  • 2044089 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (mesharepoint .com) (info.rules)
  • 2044090 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (prizewel .com) (info.rules)
  • 2044091 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (sharesbyte .com) (info.rules)
  • 2044092 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (sharession .com) (info.rules)
  • 2044093 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (prizegives .com) (info.rules)
  • 2044094 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (prizewings .com) (info.rules)
  • 2044095 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (doctricant .com) (info.rules)
  • 2044096 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (attemplate .com) (info.rules)
  • 2044097 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (templatent .com) (info.rules)
  • 2044098 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (sharepointle .com) (info.rules)
  • 2044099 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (officences .com) (info.rules)
  • 2044100 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (sharestion .com) (info.rules)
  • 2044101 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (sharepointin .com) (info.rules)
  • 2044102 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (officested .com) (info.rules)
  • 2044103 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (mcsharepoint .com) (info.rules)
  • 2044104 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (officence .com) (info.rules)
  • 2044105 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (templatern .com) (info.rules)
  • 2044106 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (sharepointen .com) (info.rules)
  • 2044107 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (officentry .com) (info.rules)
  • 2044108 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (templateau .com) (info.rules)
  • 2044109 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (shareholds .com) (info.rules)
  • 2044110 - ET INFO Microsoft Defender Attack Simulation Training Domain in DNS Lookup (windocyte .com) (info.rules)
  • 2044111 - ET MALWARE Patchwork APT BADNEWS Variant CnC Checkin M1 (malware.rules)
  • 2044112 - ET MALWARE Patchwork APT BADNEWS Variant CnC Checkin M2 (malware.rules)
  • 2044113 - ET MALWARE Patchwork APT BADNEWS CnC Domain (bingoplant .live) in DNS Lookup (malware.rules)
  • 2044114 - ET EXPLOIT VMWare ESXi 6.7.0 OpenSLP Remote Code Execution Attempt - Directory Agent Advertisement Heap Overflow (CVE-2021-21974) (exploit.rules)
  • 2044115 - ET PHISHING Successful Wallet Connect Private Key Phish 2023-02-03 (phishing.rules)
  • 2044116 - ET PHISHING Successful Wallet Connect Pass Phrase Phish 2023-02-03 (phishing.rules)
  • 2044117 - ET PHISHING Successful Wallet Connect Key Store Phish 2023-02-03 (phishing.rules)

Pro:

  • 2853301 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853302 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853303 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853304 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853305 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853306 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853307 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.l CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853308 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CMO CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853309 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.aay CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853310 - ETPRO MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Agent.aay Domain in TLS SNI (mobile_malware.rules)
  • 2853311 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Fakecalls.at CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853312 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Fakecalls.at CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853313 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Banker.a CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853314 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853315 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853316 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853317 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853318 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853319 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853320 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853321 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853322 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853323 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853324 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853325 - ETPRO MOBILE_MALWARE Android.Spy.5254 Checkin (mobile_malware.rules)
  • 2853326 - ETPRO MOBILE_MALWARE Android.Spy.5254 Checkin 2 (mobile_malware.rules)
  • 2853327 - ETPRO MOBILE_MALWARE Android.Spy.5254 Checkin 3 (mobile_malware.rules)
  • 2853328 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.fc CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853329 - ETPRO MOBILE_MALWARE Trojan-Clicker.AndroidOS.Xafekopy.e CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853330 - ETPRO MOBILE_MALWARE Observed Trojan-Clicker.AndroidOS.Xafekopy.e Domain in TLS SNI (mobile_malware.rules)
  • 2853331 - ETPRO HUNTING Look-alike Domain Query (.rest) (hunting.rules)
  • 2853332 - ETPRO HUNTING Look-alike Domain Query (.surf) (hunting.rules)

Enabled and modified rules:

  • 2040144 - ET MALWARE SocGholish Domain in DNS Lookup (pastor .cntcog .org) (malware.rules)
  • 2043024 - ET MALWARE SocGholish Domain in DNS Lookup (people .fl2wealth .com) (malware.rules)
  • 2043159 - ET MALWARE SocGholish Domain in DNS Lookup (kinematics .starmidwest .com) (malware.rules)
  • 2043160 - ET MALWARE SocGholish Domain in DNS Lookup (passphrase .singinganewsong .com) (malware.rules)