Ruleset Update Summary - 2023/02/28 - v10255

Summary:

42 new OPEN, 45 new PRO (42 + 3)

Thanks @cs0sf, @GGGGh0st, @sucurisecurity, @SentinelOne, @elastic, @Bitdefender, @AuCyble, @Cyber0verload, @MonThreat, @souiten

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

The mailing list is being retired on April 3, 2023.

Due to an internal company holiday, there will be no rule release on Friday, March 3rd, 2023.


Added rules:

Open:

  • 2044370 - ET HUNTING Likely Hex Encoded Executable as String - Pipe Separated (hunting.rules)
  • 2044371 - ET HUNTING Likely Hex Encoded Executable as String - Dash Separated (hunting.rules)
  • 2044372 - ET HUNTING Likely Hex Encoded Executable as String - Octothorp Separated (hunting.rules)
  • 2044373 - ET HUNTING Likely Hex Encoded Executable as String - Percent Separated (hunting.rules)
  • 2044374 - ET HUNTING Likely Hex Encoded Executable as String - Double Quote Separated (hunting.rules)
  • 2044375 - ET HUNTING Likely Hex Encoded Executable as String - Single Quote Separated (hunting.rules)
  • 2044376 - ET HUNTING Likely Hex Encoded Executable as String - Tilde Separated (hunting.rules)
  • 2044377 - ET HUNTING Likely Hex Encoded Executable as String - Backtick Separated (hunting.rules)
  • 2044378 - ET HUNTING Likely Hex Encoded Executable as String - Comma Separated (hunting.rules)
  • 2044379 - ET MALWARE ReverseRat 3.0 CnC Checkin M1 (malware.rules)
  • 2044380 - ET MALWARE ReverseRat 3.0 CnC Checkin M2 (malware.rules)
  • 2044381 - ET INFO Observed CheckMal AV/Anti-Ransomware Domain (www .checkmal .com in TLS SNI) (info.rules)
  • 2044382 - ET MALWARE Donot Group APT Related Domain in DNS Lookup (briefdeal .buzz) (malware.rules)
  • 2044383 - ET MALWARE Observed Donot Group APT Domain (briefdeal .buzz in TLS SNI) (malware.rules)
  • 2044384 - ET MALWARE Observed Donot Group APT Domain (winterhero .buzz in TLS SNI) (malware.rules)
  • 2044385 - ET MALWARE Donot Group APT Related Domain in DNS Lookup (winterhero .buzz) (malware.rules)
  • 2044386 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
  • 2044387 - ET MALWARE Win32/BUGHATCH SpawnAgent Request (GET) M1 (malware.rules)
  • 2044388 - ET MALWARE Win32/BUGHATCH SpawnAgent Request (GET) M2 (malware.rules)
  • 2044389 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (rithdigit .cyou) (malware.rules)
  • 2044390 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (app-stat .com) (malware.rules)
  • 2044391 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (yachtbars .fun) (malware.rules)
  • 2044392 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (antohub .shop) (malware.rules)
  • 2044393 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (okqtfc1 .org) (malware.rules)
  • 2044394 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (nebiltech .shop) (malware.rules)
  • 2044395 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (jquery-node .com) (malware.rules)
  • 2044396 - ET MALWARE Fake ChatGPT Domain in DNS Lookup (chat-gpt-pc .online) (malware.rules)
  • 2044397 - ET MALWARE Fake ChatGPT Domain in DNS Lookup (openai-pc-pro .online) (malware.rules)
  • 2044398 - ET MALWARE Fake ChatGPT Domain in DNS Lookup (chat-gpt-online-pc .com) (malware.rules)
  • 2044399 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (virga .pp .ua) (info.rules)
  • 2044400 - ET MALWARE IcedID CnC Domain (neonmilkustaers .com) in DNS Lookup (malware.rules)
  • 2044401 - ET MALWARE IcedID CnC Domain (whothitheka .com) in DNS Lookup (malware.rules)
  • 2044402 - ET MALWARE IcedID CnC Domain (trbiriumpa .com) in DNS Lookup (malware.rules)
  • 2044403 - ET MALWARE IcedID CnC Domain (svoykbragudern .com) in DNS Lookup (malware.rules)
  • 2044404 - ET MALWARE 8220 Gang CnC Domain (jira .letmaker .top) in DNS Lookup (malware.rules)
  • 2044405 - ET MALWARE 8220 Gang CnC Domain (dw .bpdeliver .ru) in DNS Lookup (malware.rules)
  • 2044406 - ET MALWARE 8220 Gang CnC Domain (fbi .su1001-2 .top) in DNS Lookup (malware.rules)
  • 2044407 - ET MALWARE SocGholish Domain in DNS Lookup (catalog .iroldzyn .com) (malware.rules)
  • 2044408 - ET MALWARE SocGholish Domain in DNS Lookup (accountability .thefenceanddeckguys .com) (malware.rules)
  • 2044409 - ET MALWARE SocGholish Domain in DNS Lookup (oxford .courstify .com) (malware.rules)
  • 2044410 - ET EXPLOIT_KIT NDSW/NDSX Javascript Inject (exploit_kit.rules)
  • 2044411 - ET PHISHING Successful Ionos Credential Phish 2023-02-28 (phishing.rules)

Pro:

  • 2853604 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.auu CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853605 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Xhunter.a CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853606 - ETPRO MALWARE ReverseRAT Activity (POST) - Generic (malware.rules)

Removed rules:

  • 2851185 - ETPRO INFO Observed CheckMal AV/Anti-Ransomware Domain (www .checkmal .com in TLS SNI) (info.rules)