Ruleset Update Summary - 2023/02/14 - v10243

Summary:

16 new OPEN, 34 new PRO (16 + 18)

Thanks @StopMalvertisin, @jaydinbas, @ahnlab_secuinfo, @SLASH30Miata

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Added rules:

Open:

  • 2044190 - ET MALWARE DonotGroup Pult Downloader Activity M3 (malware.rules)
  • 2044191 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2044192 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2044193 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2044194 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2044195 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2044196 - ET MALWARE zgRAT Activity M3 (malware.rules)
  • 2044197 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
  • 2044198 - ET MALWARE Donot Group Related Domain in DNS Lookup (mayosasa .buzz) (malware.rules)
  • 2044199 - ET MALWARE Observed External IP Lookup Domain (mayosasa .buzz in TLS SNI) (malware.rules)
  • 2044200 - ET MALWARE Win32/Loader Variant Activity (POST) (malware.rules)
  • 2044201 - ET EXPLOIT GitLab Pre-Auth RCE Detected (CVE-2021-22205) (exploit.rules)
  • 2044202 - ET MALWARE Donot APT Related Domain in DNS Lookup (best .tasterschoice .shop) (malware.rules)
  • 2044203 - ET MALWARE Donot APT Related Domain in DNS Lookup (blogs .tourseasons .xyz) (malware.rules)
  • 2044204 - ET MALWARE Donot APT Related Domain in DNS Lookup (blogs .libraryutilitis .live) (malware.rules)
  • 2044205 - ET EXPLOIT Sunlogin Sunflower Simplified 1.0.1.43315 Directory Traversal Attempt (CVE-2022-48323) (exploit.rules)

Pro:

  • 2853364 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-02-13 1) (coinminer.rules)
  • 2853365 - ETPRO MALWARE Win32/XWorm CnC Domain in DNS Lookup (malware.rules)
  • 2853366 - ETPRO MALWARE Win32/XWorm CnC Domain in DNS Lookup (malware.rules)
  • 2853367 - ETPRO MALWARE Win32/XWorm CnC Domain in DNS Lookup (malware.rules)
  • 2853368 - ETPRO MALWARE Win32/XWorm CnC Domain in DNS Lookup (malware.rules)
  • 2853369 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2853370 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853371 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853372 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2853373 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2853374 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2853375 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2853376 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2853377 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2853378 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2853379 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2853380 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2853381 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

  • 2031439 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (img565vv6 .holdmydoor .com) (mobile_malware.rules)
  • 2031440 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (crashparadox .net) (mobile_malware.rules)
  • 2031441 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (f15fwd322 .regularhours .net) (mobile_malware.rules)

Removed rules:

  • 2851962 - ETPRO MALWARE Suspected DonotGroup Pult Downloader Activity M3 (malware.rules)