Ruleset Update Summary - 2023/03/08 - v10261

Summary:

19 new OPEN, 22 new PRO (19 + 3)

Thanks @bridewellsec, @suyog41, @ahnlab_secuinfo, @James_inthe_box

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

The mailing list is being retired on April 3, 2023.


Added rules:

Open:

  • 2044518 - ET MALWARE Observed Emotet Maldoc Retrieving Payload (2023-03-08) (malware.rules)
  • 2044519 - ET INFO DYNAMIC_DNS Query to a *.sweeny .us Domain (info.rules)
  • 2044520 - ET INFO DYNAMIC_DNS HTTP Request to a *.sweeny .us Domain (info.rules)
  • 2044521 - ET MALWARE TA444 Related Domain in DNS Lookup (azure .doc-view .cloud) (malware.rules)
  • 2044522 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
  • 2044523 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
  • 2044524 - ET MALWARE Win32/Luca Stealer Sending System Information via Telegram (GET) (malware.rules)
  • 2044525 - ET MALWARE PlugX Related Domain in DNS Lookup (cdn .imango .ink) (malware.rules)
  • 2044526 - ET MALWARE PlugX Related Domain in DNS Lookup (api .imango .ink) (malware.rules)
  • 2044527 - ET MALWARE Win32/Vector Stealer Sending System Information via Telegram (POST) (malware.rules)
  • 2044528 - ET MALWARE Hackt.be Pentesting CnC Activity (malware.rules)
  • 2044529 - ET MALWARE Observed DNS Query to NanoCore Domain (nanocore2023 .duckdns .org) (malware.rules)
  • 2044530 - ET EXPLOIT Razer Sila Router - Command Injection Attempt Inbound (wget) (No CVE) (exploit.rules)
  • 2044531 - ET EXPLOIT Razer Sila Router - Command Injection Attempt Inbound (curl) (No CVE) (exploit.rules)
  • 2044532 - ET EXPLOIT Razer Sila Router - Command Injection Attempt Inbound (find) (No CVE) (exploit.rules)
  • 2044533 - ET EXPLOIT Razer Sila Router - Command Injection Attempt Inbound (sh) (No CVE) (exploit.rules)
  • 2044534 - ET EXPLOIT Razer Sila Router - LFI Attempt Inbound (passwd) (No CVE) (exploit.rules)
  • 2044535 - ET MALWARE Win32/I’m_Better Stealer CnC Command - get_key (malware.rules)
  • 2044536 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .tool .pearldentalgroup .ca) (malware.rules)

Pro:

  • 2853639 - ETPRO MALWARE Emotet Payload Inbound - Highly Compressed ZIP containing a DLL (malware.rules)
  • 2853640 - ETPRO HUNTING Highly Compressed ZIP containing a DLL (hunting.rules)
  • 2853641 - ETPRO HUNTING Highly Compressed ZIP containing a EXE (hunting.rules)
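The three Pro rules above all key on the same idea: an archive member that decompresses to many times its stored size and carries a PE extension. The following is an added example, not Emerging Threats' rule logic, showing how that heuristic looks when applied to a file rather than to a network stream. It walks the ZIP central directory by hand (so a truncated or hostile archive cannot make the standard library do the work for it) and flags members by name suffix and compression ratio. The ratio threshold, size floor and sample archive are assumptions chosen for illustration.

```python
"""Heuristic for a 'highly compressed ZIP containing a DLL/EXE' hunt.

Added example, not the ETPRO rule itself. RATIO_THRESHOLD and
MIN_UNCOMPRESSED are assumed values; tune them against your own traffic.
"""
import io
import struct
import zipfile

EOCD_SIG = 0x06054B50          # end of central directory record
CDIR_SIG = 0x02014B50          # central directory file header
RATIO_THRESHOLD = 20.0         # assumed: uncompressed/compressed ratio that counts as "highly compressed"
MIN_UNCOMPRESSED = 64 * 1024   # assumed: ignore tiny members, which compress well for innocent reasons
PE_SUFFIXES = (".dll", ".exe")


def parse_central_directory(data: bytes):
    """Yield (name, method, compressed_size, uncompressed_size) for each member.

    Reads the central directory directly instead of trusting zipfile, so a
    malformed archive raises instead of being silently "repaired".
    """
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd_disk, entries_this_disk, entries_total, cd_size, cd_offset, comment_len
    _, _, _, _, entries, _cd_size, cd_offset, _ = struct.unpack_from("<IHHHHIIH", data, eocd)
    pos = cd_offset
    for _ in range(entries):
        (sig, _, _, _, method, _, _, _, csize, usize,
         name_len, extra_len, comment_len, _, _, _, _) = struct.unpack_from(
            "<IHHHHHHIIIHHHHHII", data, pos)
        if sig != CDIR_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        name = data[pos + 46: pos + 46 + name_len].decode("cp437", errors="replace")
        yield name, method, csize, usize
        pos += 46 + name_len + extra_len + comment_len


def suspicious_members(data: bytes):
    """Return (name, csize, usize, ratio) for members matching the heuristic."""
    hits = []
    for name, _method, csize, usize in parse_central_directory(data):
        if not name.lower().endswith(PE_SUFFIXES):
            continue
        if usize < MIN_UNCOMPRESSED or csize == 0:
            continue                       # too small to judge, or stored uncompressed with size 0
        ratio = usize / csize
        if ratio >= RATIO_THRESHOLD:
            hits.append((name, csize, usize, round(ratio, 1)))
    return hits


def build_sample() -> bytes:
    """Constructed sample archive: a 2 MiB 'DLL' that is almost entirely zero
    padding, plus an ordinary text file that should not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("update.dll", b"MZ" + b"\x00" * (2 * 1024 * 1024))
        z.writestr("README.txt", b"nothing to see here\n" * 50)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for name, csize, usize, ratio in suspicious_members(sample):
        print(f"{name}: {csize} bytes on the wire -> {usize} bytes, ratio {ratio}")
```

The `README.txt` entry compresses just as well as the padded DLL but falls below the size floor and lacks a PE suffix, so only `update.dll` is reported. Zero padding is exactly what makes this heuristic useful: a payload inflated to dodge file-size scanning limits shrinks back to a few kilobytes once zipped, which is a property the archive header exposes before a single byte of the member is inflated.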