Ruleset Update Summary - 2023/03/07 - v10260

Summary:

65 new OPEN, 74 new PRO (65 + 9)

Thanks @morphisec, @sans_isc, @BlackLotusLabs

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

The mailing list is being retired on April 3, 2023.


Added rules:

Open:

  • 2044453 - ET INFO External IP Address Lookup - myip.ch (info.rules)
  • 2044454 - ET INFO DYNAMIC_DNS Query to a *.pagostepeapulco .gob .mx Domain (info.rules)
  • 2044455 - ET INFO DYNAMIC_DNS HTTP Request to a *.pagostepeapulco .gob .mx Domain (info.rules)
  • 2044456 - ET INFO DYNAMIC_DNS Query to a *.tecalideherrera .gob .mx Domain (info.rules)
  • 2044457 - ET INFO DYNAMIC_DNS HTTP Request to a *.tecalideherrera .gob .mx Domain (info.rules)
  • 2044458 - ET INFO DYNAMIC_DNS Query to a *.custom-gaming .net Domain (info.rules)
  • 2044459 - ET INFO DYNAMIC_DNS HTTP Request to a *.custom-gaming .net Domain (info.rules)
  • 2044460 - ET INFO DYNAMIC_DNS Query to a *.panel-laboralcj .gob .mx Domain (info.rules)
  • 2044461 - ET INFO DYNAMIC_DNS HTTP Request to a *.panel-laboralcj .gob .mx Domain (info.rules)
  • 2044462 - ET INFO DYNAMIC_DNS Query to a *.minecraft .id .lv Domain (info.rules)
  • 2044463 - ET INFO DYNAMIC_DNS HTTP Request to a *.minecraft .id .lv Domain (info.rules)
  • 2044464 - ET INFO DYNAMIC_DNS Query to a *.aneisa .com Domain (info.rules)
  • 2044465 - ET INFO DYNAMIC_DNS HTTP Request to a *.aneisa .com Domain (info.rules)
  • 2044466 - ET INFO DYNAMIC_DNS Query to a *.reason .org .nz Domain (info.rules)
  • 2044467 - ET INFO DYNAMIC_DNS HTTP Request to a *.reason .org .nz Domain (info.rules)
  • 2044468 - ET INFO DYNAMIC_DNS Query to a *.capim .com .mx Domain (info.rules)
  • 2044469 - ET INFO DYNAMIC_DNS HTTP Request to a *.capim .com .mx Domain (info.rules)
  • 2044470 - ET INFO DYNAMIC_DNS Query to a *.mcwrite .net Domain (info.rules)
  • 2044471 - ET INFO DYNAMIC_DNS HTTP Request to a *.mcwrite .net Domain (info.rules)
  • 2044472 - ET INFO DYNAMIC_DNS Query to a *.visorideags .gob .mx Domain (info.rules)
  • 2044473 - ET INFO DYNAMIC_DNS HTTP Request to a *.visorideags .gob .mx Domain (info.rules)
  • 2044474 - ET INFO DYNAMIC_DNS Query to a *.bbs .io Domain (info.rules)
  • 2044475 - ET INFO DYNAMIC_DNS HTTP Request to a *.bbs .io Domain (info.rules)
  • 2044476 - ET INFO DYNAMIC_DNS Query to a *.bbgc .com .my Domain (info.rules)
  • 2044477 - ET INFO DYNAMIC_DNS HTTP Request to a *.bbgc .com .my Domain (info.rules)
  • 2044478 - ET INFO DYNAMIC_DNS Query to a *.drtonywang .com Domain (info.rules)
  • 2044479 - ET INFO DYNAMIC_DNS HTTP Request to a *.drtonywang .com Domain (info.rules)
  • 2044480 - ET INFO DYNAMIC_DNS Query to a *.fernando-botero-sculpture .com Domain (info.rules)
  • 2044481 - ET INFO DYNAMIC_DNS HTTP Request to a *.fernando-botero-sculpture .com Domain (info.rules)
  • 2044482 - ET INFO DYNAMIC_DNS Query to a *.ku4oy .us Domain (info.rules)
  • 2044483 - ET INFO DYNAMIC_DNS HTTP Request to a *.ku4oy .us Domain (info.rules)
  • 2044484 - ET INFO DYNAMIC_DNS Query to a *.ireland .mx Domain (info.rules)
  • 2044485 - ET INFO DYNAMIC_DNS HTTP Request to a *.ireland .mx Domain (info.rules)
  • 2044486 - ET INFO DYNAMIC_DNS Query to a *.giseler .com Domain (info.rules)
  • 2044487 - ET INFO DYNAMIC_DNS HTTP Request to a *.giseler .com Domain (info.rules)
  • 2044488 - ET INFO DYNAMIC_DNS Query to a *.absl .ro Domain (info.rules)
  • 2044489 - ET INFO DYNAMIC_DNS HTTP Request to a *.absl .ro Domain (info.rules)
  • 2044490 - ET INFO DYNAMIC_DNS Query to a *.vix .ro Domain (info.rules)
  • 2044491 - ET INFO DYNAMIC_DNS HTTP Request to a *.vix .ro Domain (info.rules)
  • 2044492 - ET INFO DYNAMIC_DNS Query to a *.frostcatcher .com Domain (info.rules)
  • 2044493 - ET INFO DYNAMIC_DNS HTTP Request to a *.frostcatcher .com Domain (info.rules)
  • 2044494 - ET INFO DYNAMIC_DNS Query to a *.peeramidspirits .com Domain (info.rules)
  • 2044495 - ET INFO DYNAMIC_DNS HTTP Request to a *.peeramidspirits .com Domain (info.rules)
  • 2044496 - ET INFO DYNAMIC_DNS Query to a *.johanson .ee Domain (info.rules)
  • 2044497 - ET INFO DYNAMIC_DNS HTTP Request to a *.johanson .ee Domain (info.rules)
  • 2044498 - ET INFO Public Proxy Service Domain in DNS Lookup (api .proxyscrape .com) (info.rules)
  • 2044499 - ET INFO Observed Public Proxy Service Domain (api .proxyscrape .com in TLS SNI) (info.rules)
  • 2044500 - ET INFO Public Proxy Service Domain in DNS Lookup (89ip .cn) (info.rules)
  • 2044501 - ET INFO Observed Public Proxy Service Domain (www .89ip .cn in TLS SNI) (info.rules)
  • 2044502 - ET MALWARE Maldoc Retrieving Payload (malware.rules)
  • 2044503 - ET MALWARE Hiatus RAT CnC Checkin (malware.rules)
  • 2044504 - ET INFO Request for Visual Studio Code sftp.json - Possible Information Leak (info.rules)
  • 2044505 - ET MALWARE SYS01 Information Stealer - CnC Checkin (malware.rules)
  • 2044506 - ET MALWARE SYS01 Information Stealer CnC Domain (seemlabie .top) in DNS Lookup (malware.rules)
  • 2044507 - ET MALWARE SYS01 Information Stealer CnC Domain (craceruib .top) in DNS Lookup (malware.rules)
  • 2044508 - ET MALWARE SYS01 Information Stealer CnC Domain (oscarnaija .com) in DNS Lookup (malware.rules)
  • 2044509 - ET MALWARE SYS01 Information Stealer CnC Domain (caseiden .com) in DNS Lookup (malware.rules)
  • 2044510 - ET MALWARE SYS01 Information Stealer CnC Domain (mahinetain .top) in DNS Lookup (malware.rules)
  • 2044511 - ET MALWARE SYS01 Information Stealer CnC Domain (makananwisata .com) in DNS Lookup (malware.rules)
  • 2044512 - ET MALWARE SYS01 Information Stealer CnC Domain (graeslavur .com) in DNS Lookup (malware.rules)
  • 2044513 - ET MALWARE SYS01 Information Stealer CnC Domain (rapadtrai .com) in DNS Lookup (malware.rules)
  • 2044514 - ET MALWARE SYS01 Information Stealer CnC Domain (baglamanotalari .com) in DNS Lookup (malware.rules)
  • 2044515 - ET MALWARE SYS01 Information Stealer CnC Domain (seleriti .com) in DNS Lookup (malware.rules)
  • 2044516 - ET MALWARE SocGholish Domain in DNS Lookup (profit .3stepsprofit .com) (malware.rules)
  • 2044517 - ET MALWARE SocGholish Domain in DNS Lookup (use .solqueen .com) (malware.rules)

Pro:

  • 2853630 - ETPRO MOBILE_MALWARE Android.Spy.1030 CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853631 - ETPRO MOBILE_MALWARE Android/Harly.AF CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853632 - ETPRO MOBILE_MALWARE Android/Harly.AF CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853633 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Doina.C CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853634 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.FakeApp.r Checkin (mobile_malware.rules)
  • 2853635 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.adh CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853636 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Agent.ga CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853637 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Goatrat.a CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2853638 - ETPRO MALWARE DarkCloudBot Stealer Exfil via Telegram M3 (malware.rules)

Disabled and modified rules:

  • 2034099 - ET MALWARE Observed Cobalt Strike CnC Domain (yawero .com in TLS SNI) (malware.rules)
  • 2034100 - ET MALWARE Observed Cobalt Strike CnC Domain (sazoya .com in TLS SNI) (malware.rules)
  • 2034140 - ET MALWARE Observed Ursnif CnC Domain (Gloderuniok .website in TLS SNI) (malware.rules)
  • 2034141 - ET MALWARE Observed Ursnif CnC Domain (Vloderuniok .website in TLS SNI) (malware.rules)
  • 2034142 - ET MALWARE Observed Cobalt Strike CnC Domain (Gojihu .com in TLS SNI) (malware.rules)
  • 2034143 - ET MALWARE Observed Cobalt Strike CnC Domain (Yuxicu .com in TLS SNI) (malware.rules)
  • 2034441 - ET MALWARE Observed Compromised Domain (cryptoarenastore .com in TLS SNI) (2021-11-12) (malware.rules)
  • 2034880 - ET MALWARE Quasar CnC Domain in DNS Lookup (malware.rules)
  • 2035955 - ET EXPLOIT Razer Sila Router - Command Injection Attempt Inbound (No CVE) (exploit.rules)
  • 2035956 - ET EXPLOIT Razer Sila Router - LFI Attempt Inbound (No CVE) (exploit.rules)
  • 2042999 - ET MALWARE SocGholish Domain in DNS Lookup (group5 .corralphacap .com) (malware.rules)
  • 2044055 - ET MALWARE Observed DNS Query to IcedID Domain (alijhaborta .com) (malware.rules)
  • 2044057 - ET MALWARE Observed DNS Query to IcedID Domain (windmencherser .com) (malware.rules)
  • 2044058 - ET MALWARE Observed DNS Query to IcedID Domain (leftcatrheringg .com) (malware.rules)
  • 2044059 - ET MALWARE Observed DNS Query to IcedID Domain (yelsopotre .com) (malware.rules)
  • 2044060 - ET MALWARE Observed DNS Query to IcedID Domain (headertolz .com) (malware.rules)
  • 2044257 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .calendar .wishmarkets .com) (malware.rules)

Removed rules:

  • 2823420 - ETPRO POLICY External IP Address Lookup - myip.ch (policy.rules)
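The listing above is machine-readable even though the rule bodies are not on the page. As an added example (not Emerging Threats code or tooling), the Python below parses the summary's line format into records, checks the "N new OPEN, M new PRO (N + K)" line against the parsed lists, pulls the space-defanged domains out of rule messages into a refanged IOC list, and pairs removed SIDs with added SIDs that carry the same description. The page shows one such pair: ETPRO POLICY 2823420 is removed and ET INFO 2044453 is added, both "External IP Address Lookup - myip.ch", which matters if a local suppress or threshold entry still references the old SID. The embedded sample is a constructed subset of the lines above with its count line rewritten to match the subset; the only assumptions are the line shapes visible in the summary, as stated in the code comments.

```python
"""Parse an Emerging Threats ruleset update summary into structured records.

Added example, not part of the ET post or of any ET tooling. It assumes only
the line shapes visible in the summary: a bullet, the SID, " - ", a message
starting with "ET <CLASS>" or "ETPRO <CLASS>", and the rules file in
trailing parentheses.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: lines copied from the 2023/03/07 summary, with the
# count line rewritten to match this trimmed subset.
SAMPLE_SUMMARY = """\
Ruleset Update Summary - 2023/03/07 - v10260

Summary:

3 new OPEN, 4 new PRO (3 + 1)

Added rules:

Open:

  • 2044453 - ET INFO External IP Address Lookup - myip.ch (info.rules)
  • 2044454 - ET INFO DYNAMIC_DNS Query to a *.pagostepeapulco .gob .mx Domain (info.rules)
  • 2044506 - ET MALWARE SYS01 Information Stealer CnC Domain (seemlabie .top) in DNS Lookup (malware.rules)

Pro:

  • 2853638 - ETPRO MALWARE DarkCloudBot Stealer Exfil via Telegram M3 (malware.rules)

Disabled and modified rules:

  • 2034140 - ET MALWARE Observed Ursnif CnC Domain (Gloderuniok .website in TLS SNI) (malware.rules)
  • 2044257 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .calendar .wishmarkets .com) (malware.rules)

Removed rules:

  • 2823420 - ETPRO POLICY External IP Address Lookup - myip.ch (policy.rules)
"""

SECTIONS = {"Added rules:": "added", "Disabled and modified rules:": "modified", "Removed rules:": "removed"}
SUBSECTIONS = {"Open:": "open", "Pro:": "pro"}
RULE_LINE = re.compile(
    r"^\s*•?\s*(?P<sid>\d+)\s+-\s+(?P<prefix>ETPRO|ET)\s+(?P<category>[A-Z_]+)\s+"
    r"(?P<desc>.*?)\s+\((?P<file>[\w.-]+\.rules)\)\s*$"
)
COUNT_LINE = re.compile(r"^(?P<open>\d+) new OPEN, (?P<pro>\d+) new PRO \((?P<open_part>\d+) \+ (?P<pro_part>\d+)\)$")
# ET defangs domains with a space before each dot ("seemlabie .top"); only that
# spaced form is matched, so an undefanged "myip.ch" is deliberately skipped.
DEFANGED_DOMAIN = re.compile(r"(?<![\w.])[A-Za-z0-9*.-]+(?: \.[A-Za-z0-9-]+)+(?![\w.])")


@dataclass(frozen=True)
class Rule:
    sid: int
    prefix: str       # "ET" (open) or "ETPRO"
    category: str     # INFO, MALWARE, MOBILE_MALWARE, ...
    desc: str         # message after the category, without the file name
    rules_file: str
    section: str      # added / modified / removed
    subsection: str   # open / pro inside "Added rules", else ""


def parse_summary(text: str) -> List[Rule]:
    rules, section, subsection = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section, subsection = SECTIONS[line], ""
        elif line in SUBSECTIONS:
            subsection = SUBSECTIONS[line]
        elif section and (m := RULE_LINE.match(raw)):
            rules.append(Rule(int(m["sid"]), m["prefix"], m["category"], m["desc"],
                              m["file"], section, subsection))
    return rules


def check_counts(text: str, rules: List[Rule]) -> bool:
    """Verify the 'N new OPEN, M new PRO (N + K)' line against the parsed lists."""
    m = None
    for line in text.splitlines():
        if m := COUNT_LINE.match(line.strip()):
            break
    if not m:
        return False
    declared = {k: int(v) for k, v in m.groupdict().items()}
    n_open = sum(r.section == "added" and r.subsection == "open" for r in rules)
    n_pro = sum(r.section == "added" and r.subsection == "pro" for r in rules)
    return (n_open == declared["open"] == declared["open_part"]
            and n_pro == declared["pro_part"]
            and declared["pro"] == declared["open_part"] + declared["pro_part"])


def domains(rules: List[Rule], section: str = "") -> List[str]:
    """Refanged domains from rule messages (e.g. for a DNS/SNI watchlist)."""
    out: List[str] = []
    for r in rules:
        if section and r.section != section:
            continue
        for d in DEFANGED_DOMAIN.findall(r.desc):
            refanged = d.replace(" .", ".").lower()
            if refanged not in out:
                out.append(refanged)
    return out


def replacements(rules: List[Rule]) -> Dict[int, int]:
    """Removed SID -> added SID with the same description, so local
    suppress/threshold entries keyed on the old SID can be migrated."""
    added = {r.desc: r.sid for r in rules if r.section == "added"}
    return {r.sid: added[r.desc] for r in rules if r.section == "removed" and r.desc in added}


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    print(f"{len(parsed)} rule lines; count line consistent: {check_counts(SAMPLE_SUMMARY, parsed)}")
    print("added domains:", domains(parsed, "added"))
    print("removed -> added:", replacements(parsed))
```

Run it against the full text of a summary post instead of `SAMPLE_SUMMARY` to validate the headline counts and to export the day's refanged domains; the replacement map is the piece to consult before pruning local `suppress`/`threshold` entries that name a removed SID.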