Ruleset Update Summary - 2023/02/24 - v10253

Summary:

28 new OPEN, 28 new PRO (28 + 0)

Thanks @c7rl4ltd3lc, @certfalab

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

The mailing list is being retired on April 3, 2023.

Happy Free Sig Friday!


Added rules:

Open:

  • 2044318 - ET PHISHING HiYu - Request for Victim Enrichment (phishing.rules)
  • 2044319 - ET PHISHING HiYu - Victim Enrichment Response M1 (phishing.rules)
  • 2044320 - ET PHISHING HiYu - Victim Enrichment Response M2 (phishing.rules)
  • 2044321 - ET PHISHING HiYu - Victim Enrichment Response M3 (phishing.rules)
  • 2044322 - ET PHISHING HiYu - Request for User Specific Landing Page (phishing.rules)
  • 2044323 - ET PHISHING TA453 Phishing Domain in DNS Lookup (phishing.rules)
  • 2044324 - ET PHISHING TA453 Phishing Domain in DNS Lookup (phishing.rules)
  • 2044325 - ET PHISHING TA453 Phishing Domain in DNS Lookup (phishing.rules)
  • 2044326 - ET PHISHING TA453 Phishing Domain in DNS Lookup (phishing.rules)
  • 2044327 - ET PHISHING TA453 Phishing Domain in DNS Lookup (phishing.rules)
  • 2044328 - ET INFO DYNAMIC_DNS Query to a *.100mountain .com Domain (info.rules)
  • 2044329 - ET INFO DYNAMIC_DNS HTTP Request to a *.100mountain .com Domain (info.rules)
  • 2044330 - ET INFO DYNAMIC_DNS Query to a *.litecsys .com Domain (info.rules)
  • 2044331 - ET INFO DYNAMIC_DNS HTTP Request to a *.litecsys .com Domain (info.rules)
  • 2044332 - ET INFO DYNAMIC_DNS Query to a *.itekgroup .com Domain (info.rules)
  • 2044333 - ET INFO DYNAMIC_DNS HTTP Request to a *.itekgroup .com Domain (info.rules)
  • 2044334 - ET INFO DYNAMIC_DNS Query to a *.apps .dj Domain (info.rules)
  • 2044335 - ET INFO DYNAMIC_DNS HTTP Request to a *.apps .dj Domain (info.rules)
  • 2044336 - ET INFO DYNAMIC_DNS Query to a *.kayanganmedia .com Domain (info.rules)
  • 2044337 - ET INFO DYNAMIC_DNS HTTP Request to a *.kayanganmedia .com Domain (info.rules)
  • 2044338 - ET MALWARE Gurcu Stealer Response (Inbound) (malware.rules)
  • 2044339 - ET MALWARE Observed NimPlant UA (NimPlant) (malware.rules)
  • 2044340 - ET MALWARE Observed NimPlant Server Response (Inbound) (malware.rules)
  • 2044341 - ET INFO HTTP Request to logo .clearbit .com (info.rules)
  • 2044342 - ET PHISHING Coinbase Credential Phish 2023-02-24 (phishing.rules)
  • 2044343 - ET MALWARE EvilExtractor Stealer CnC Domain (evilextractor .com) in DNS Lookup (malware.rules)
  • 2044344 - ET MALWARE Trojan/Win32.Agent Variant Checkin (malware.rules)
  • 2044345 - ET MALWARE PS1Loader Encoded Profiling POST (malware.rules)

Disabled and modified rules:

  • 2034962 - ET MALWARE Win32/Tiggre Variant Activity Sending System Files (POST) (malware.rules)
  • 2035006 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2035007 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
  • 2035210 - ET MALWARE MosesStaff APT Related Activity (POST) (malware.rules)
  • 2035370 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
  • 2039027 - ET MALWARE TA569 Domain in DNS Lookup (luxury-limousine .com) (malware.rules)
  • 2039102 - ET MALWARE TA569 Fake Browser Update Domain in DNS Lookup (profi-stom .com) (malware.rules)
  • 2850961 - ETPRO PHISHING Successful Generic Phish 2022-01-28 (phishing.rules)