Ruleset Update Summary - 2023/03/02 - v10257

Summary:

13 new OPEN, 26 new PRO (13 + 13)

Thanks @Mandiant, @0xToxin

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

The mailing list is being retired on April 3, 2023.

Due to an internal company holiday, there will be no rule release on Friday, March 3rd, 2023.

Added rules:

Open:

  • 2044421 - ET INFO DYNAMIC_DNS Query to a *.mollypornstar .com domain (info.rules)
  • 2044422 - ET INFO DYNAMIC_DNS HTTP Request to a *.mollypornstar .com domain (info.rules)
  • 2044423 - ET MALWARE Observed Gootloader Domain in DNS Lookup (jp .imonitorsoft .com) (malware.rules)
  • 2044424 - ET MALWARE Observed Gootloader Domain in DNS Lookup (kakiosk .adsparkdev .com) (malware.rules)
  • 2044425 - ET MALWARE Observed Gootloader Domain in DNS Lookup (kristinee .com) (malware.rules)
  • 2044426 - ET MALWARE Observed Gootloader Domain in DNS Lookup (jonathanbartz .com) (malware.rules)
  • 2044427 - ET MALWARE Observed Gootloader Domain in DNS Lookup (kepw .org) (malware.rules)
  • 2044428 - ET MALWARE Observed Gootloader Domain in DNS Lookup (lakeside-fishandchips .com) (malware.rules)
  • 2044429 - ET MALWARE Observed Gootloader Domain in DNS Lookup (junk-bros .com) (malware.rules)
  • 2044430 - ET ATTACK_RESPONSE VBS/TrojanDownloader.Agent.YLH Payload Inbound (attack_response.rules)
  • 2044431 - ET MALWARE MSIL/PSW.Agent.STP Data Exfiltration Attempt (malware.rules)
  • 2044432 - ET MALWARE Win32/GenKryptik.GCJX Data Exfiltration Attempt (malware.rules)
  • 2044433 - ET ADWARE_PUP Win32/Presenoker Checkin (adware_pup.rules)

Pro:

  • 2853616 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2853617 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853618 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853619 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2853620 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2853621 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2853622 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2853623 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2853624 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2853625 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2853626 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2853627 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2853628 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Modified inactive rules:

  • 2033185 - ET HUNTING Suspected DNS CnC via TXT queries (hunting.rules)
  • 2036077 - ET INFO DYNAMIC_DNS HTTP Request to a *.misecure .com Domain (info.rules)

Disabled and modified rules:

  • 2035473 - ET MALWARE Win32/PlugX Related Activity (malware.rules)
  • 2035517 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2035653 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
  • 2035692 - ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M1 (malware.rules)
  • 2036590 - ET MALWARE Win32/Throwback CnC Activity (POST) (malware.rules)
  • 2039028 - ET MALWARE TA569 sczriptzzbn JavaScript Inject (malware.rules)
  • 2039029 - ET MALWARE TA569 Fake Captcha Download (malware.rules)
  • 2039031 - ET MALWARE TA569 Fake Browser Update (malware.rules)
  • 2039084 - ET MALWARE TA569 Obfuscated sczriptzzb JavaScript Inject (malware.rules)
  • 2043099 - ET MALWARE TA569 Domain in DNS Lookup (luxurycompare .com) (malware.rules)
  • 2043405 - ET MALWARE DOUBLEBACK Related Domain in DNS Lookup (barricks .org) (malware.rules)
  • 2043406 - ET MALWARE Observed DOUBLEBACK Related Domain (barricks .org in TLS SNI) (malware.rules)

Disabled rules:

  • 2029200 - ET MALWARE Observed Malicious SSL Cert (jssLoader CnC) (malware.rules)
  • 2029245 - ET MALWARE Observed Malicious SSL Cert (ServHelper CnC) (malware.rules)
  • 2029295 - ET MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2029296 - ET MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2035374 - ET MALWARE Kimsuky APT BabyShark/SHARPEXT Related Domain in DNS Lookup (worldinfocontact .club) (malware.rules)
  • 2035389 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
  • 2035447 - ET PHISHING Successful Generic Phish 2022-03-11 (phishing.rules)
  • 2035471 - ET MALWARE Win32/44Caliber Stealer Discord Activity (POST) (malware.rules)
  • 2836358 - ETPRO MALWARE Win32.Raccoon Stealer Checkin Error Response M1 (malware.rules)
  • 2839970 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2840046 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
  • 2840080 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2840114 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2840227 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-02 (malware.rules)
  • 2840228 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-02 (malware.rules)
  • 2840229 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-02 (malware.rules)
  • 2840357 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2840389 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2840390 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
  • 2840417 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-13 (malware.rules)
  • 2840506 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2840507 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
  • 2840508 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
  • 2840547 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2840548 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-21 (malware.rules)
  • 2840618 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2840740 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
  • 2840778 - ETPRO MALWARE Observed Malicious SSL Cert (DonotGroup CnC) (malware.rules)
  • 2840781 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2840868 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
  • 2840869 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
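A practitioner consuming these summaries usually wants two things from them: a sanity check that the headline counts match the Added rules bullets, and a list of SIDs that ET now ships disabled but that the local deployment force-enables through suricata-update's enable.conf (a rule under "Disabled and modified rules" has changed content, and one under "Disabled rules" has been retired, so either deserves a look). The following is an added example, not Emerging Threats or suricata-update code. It assumes the bullet format used in these posts ("  • <sid> - <msg> (<file>.rules)"), that enable.conf lists bare SIDs one per line (the group:/re: forms it also accepts are ignored here), and that the ET headline "N new OPEN, M new PRO (N + K)" means PRO subscribers receive the N open rules plus K pro-only rules, as 13 + 13 = 26 does above. SAMPLE_SUMMARY is a constructed, shortened summary built from a few lines of this post, and LOCAL_ENABLE_CONF is a constructed stand-in for a site's enable.conf.

```python
"""Parse an ET ruleset update summary and check it against a local enable.conf.
Added example; assumes the bullet/heading format of the ET summary posts."""
import re
from collections import OrderedDict

BULLET = re.compile(r"^\s*[•*-]\s*(\d{7})\s+-\s+(.+?)\s+\((\S+\.rules)\)\s*$")
HEADING = re.compile(r"^([A-Za-z ]+):\s*$")
COUNTS = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")

# State a rule ends up in after the update, keyed by summary section title.
STATE_BY_SECTION = {
    "Open": "enabled",
    "Pro": "enabled",
    "Modified inactive rules": "disabled",
    "Disabled and modified rules": "disabled",
    "Disabled rules": "disabled",
}


def parse_summary(text):
    """Return OrderedDict: section title -> list of (sid, msg, rulefile)."""
    sections = OrderedDict()
    current = None
    for line in text.splitlines():
        h = HEADING.match(line)
        if h:
            current = h.group(1).strip()
            sections.setdefault(current, [])
            continue
        b = BULLET.match(line)
        if b and current is not None:
            sections[current].append((int(b.group(1)), b.group(2), b.group(3)))
    return sections


def disabled_sids(sections):
    """All SIDs that ET ships disabled after this update."""
    return sorted({sid for sec, rows in sections.items()
                   if STATE_BY_SECTION.get(sec) == "disabled"
                   for sid, _, _ in rows})


def parse_sid_conf(text):
    """Bare SIDs from an enable.conf/disable.conf; '#' starts a comment."""
    sids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.isdigit():
            sids.add(int(line))
    return sids


def locally_enabled_but_now_disabled(sections, enable_conf_text):
    """SIDs force-enabled locally that ET now ships disabled: review these."""
    return sorted(set(disabled_sids(sections)) & parse_sid_conf(enable_conf_text))


def check_counts(text, sections):
    """Cross-check 'N new OPEN, M new PRO (N + K)' against the Added bullets."""
    m = COUNTS.search(text)
    if not m:
        return None
    n_open, n_pro, a, b = map(int, m.groups())
    return {
        "open_ok": n_open == a == len(sections.get("Open", [])),
        "pro_ok": n_pro == a + b and b == len(sections.get("Pro", [])),
    }


# Constructed, abbreviated summary using a handful of this post's lines.
SAMPLE_SUMMARY = """Summary:

2 new OPEN, 4 new PRO (2 + 2)

Added rules:

Open:

  • 2044423 - ET MALWARE Observed Gootloader Domain in DNS Lookup (jp .imonitorsoft .com) (malware.rules)
  • 2044433 - ET ADWARE_PUP Win32/Presenoker Checkin (adware_pup.rules)

Pro:

  • 2853616 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2853628 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

  • 2035473 - ET MALWARE Win32/PlugX Related Activity (malware.rules)

Disabled rules:

  • 2029200 - ET MALWARE Observed Malicious SSL Cert (jssLoader CnC) (malware.rules)
  • 2035389 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
"""

# Constructed stand-in for a site's suricata-update enable.conf.
LOCAL_ENABLE_CONF = "2035473\n2035389  # kept on for an old CS campaign\n2044423\n"

if __name__ == "__main__":
    secs = parse_summary(SAMPLE_SUMMARY)
    print("counts:", check_counts(SAMPLE_SUMMARY, secs))
    print("ET-disabled SIDs:", disabled_sids(secs))
    print("review (locally enabled, now disabled):",
          locally_enabled_but_now_disabled(secs, LOCAL_ENABLE_CONF))
```

Run against a real summary, the "review" list is what to hand to the detection engineer; the count check catches a truncated or mis-pasted summary before anything is acted on.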