Ruleset Update Summary - 2023/03/16 - v10269

Summary:

32 new OPEN, 66 new PRO (32 + 34)

Thanks @fmc_nan, @_CPResearch, @SentinelOne, @osipov_ar, @malPileDriver, @t3ft3lb, @StopMalvertisin

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

The mailing list is being retired on April 3, 2023.


Added rules:

Open:

  • 2044633 - ET INFO DYNAMIC_DNS Query to a *.stkhome .de Domain (info.rules)
  • 2044634 - ET INFO DYNAMIC_DNS HTTP Request to a *.stkhome .de Domain (info.rules)
  • 2044635 - ET MALWARE IcedID CnC Domain in DNS Lookup (applicatwindomz .com) (malware.rules)
  • 2044636 - ET MALWARE IcedID CnC Domain in DNS Lookup (skanfordiporka .com) (malware.rules)
  • 2044637 - ET MALWARE IcedID CnC Domain in DNS Lookup (avroralikhaem .com) (malware.rules)
  • 2044638 - ET MALWARE IcedID CnC Domain in DNS Lookup (villageskaier .com) (malware.rules)
  • 2044639 - ET MALWARE Mustang Panda APT Related Activity (GET) (malware.rules)
  • 2044640 - ET MALWARE Mustang Panda APT Related Activity (Response) (malware.rules)
  • 2044641 - ET MALWARE Mustang Panda APT Related Activity (POST) (malware.rules)
  • 2044642 - ET MALWARE Mustang Panda APT Related Activity M2 (Response) (malware.rules)
  • 2044643 - ET INFO OpenDrive Cloud Storage Domain in DNS Lookup (od .lk) (info.rules)
  • 2044644 - ET INFO Observed OpenDrive Cloud Storage SSL Cert (info.rules)
  • 2044645 - ET MALWARE Sidecopy APT Related Activity (POST) (malware.rules)
  • 2044646 - ET PHISHING EDD Credential Phish Landing Page 2023-03-16 M1 (phishing.rules)
  • 2044647 - ET PHISHING EDD Credential Phish Landing Page M2 2023-03-16 (phishing.rules)
  • 2044648 - ET PHISHING Generic Credential Phish Landing Page 2023-03-16 (phishing.rules)
  • 2044649 - ET MALWARE Observed DNS Query to Gamaredon Domain (talehgi .ru) (malware.rules)
  • 2044650 - ET MALWARE Observed DNS Query to Gamaredon Domain (ravaet .ru) (malware.rules)
  • 2044651 - ET MALWARE Observed DNS Query to Gamaredon Domain (talgatgi .ru) (malware.rules)
  • 2044652 - ET MALWARE Observed DNS Query to Gamaredon Domain (barakal .ru) (malware.rules)
  • 2044653 - ET MALWARE Observed DNS Query to Gamaredon Domain (taysirgi .ru) (malware.rules)
  • 2044654 - ET MALWARE Observed DNS Query to Gamaredon Domain (takyygi .ru) (malware.rules)
  • 2044655 - ET MOBILE_MALWARE Android/FakeCalls CnC Server Response (mobile_malware.rules)
  • 2044656 - ET MALWARE Winter Vivern CnC Domain (bugiplaysec .com) in DNS Lookup (malware.rules)
  • 2044657 - ET MALWARE Winter Vivern CnC Domain (marakanas .com) in DNS Lookup (malware.rules)
  • 2044658 - ET MALWARE Winter Vivern CnC Domain (ocs-romastassec .com) in DNS Lookup (malware.rules)
  • 2044659 - ET MALWARE Winter Vivern CnC Domain (troadsecow .com) in DNS Lookup (malware.rules)
  • 2044660 - ET MALWARE Winter Vivern CnC Domain (ocspdep .com) in DNS Lookup (malware.rules)
  • 2044661 - ET MALWARE Winter Vivern CnC Domain (security-ocsp .com) in DNS Lookup (malware.rules)
  • 2044662 - ET MALWARE Winter Vivern APT Aperetif CnC Checkin (malware.rules)
  • 2044663 - ET MALWARE Winter Vivern APT Aperetif Payload Retrieval Attempt M1 (malware.rules)
  • 2044664 - ET MALWARE Winter Vivern APT Aperetif Payload Retrieval Attempt M2 (malware.rules)

Pro:

  • 2853692 - ETPRO MALWARE Emotet Payload Inbound (2023-03-16) (malware.rules)
  • 2853693 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853694 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2853695 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2853696 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2853697 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2853698 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2853699 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853700 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853701 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2853702 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2853703 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2853704 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2853705 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2853706 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2853707 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2853708 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2853709 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2853710 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2853711 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2853712 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853713 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853714 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2853715 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2853716 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2853717 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2853718 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2853719 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2853720 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2853721 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2853722 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2853723 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2853724 - ETPRO MALWARE LNK/Agent.XN Variant Payload Request (GET) (malware.rules)
  • 2853725 - ETPRO ATTACK_RESPONSE SnakeKeylogger Config Inbound (attack_response.rules)

Disabled and modified rules:

  • 2035598 - ET MALWARE Win32/CrimsonRAT Variant Sending Command (inbound) (malware.rules)
  • 2035599 - ET MALWARE Win32/CrimsonRAT Variant Sending Command M2 (inbound) (malware.rules)
  • 2035600 - ET MALWARE Win32/CrimsonRAT Variant Sending System Information (outbound) (malware.rules)
  • 2035603 - ET MALWARE GhostWriter APT Related Cobalt Strike Activity (GET) (malware.rules)
  • 2035624 - ET MALWARE TransparentTribe APT Related Activity (POST) (malware.rules)
  • 2035625 - ET MALWARE TransparentTribe APT Related Backdoor Activity (malware.rules)
  • 2035654 - ET INFO Abused Hosting Domain in DNS Lookup (digital-ministry .ru) (info.rules)
  • 2035682 - ET MALWARE MustangPanda APT Dropper Activity (POST) (malware.rules)
  • 2035689 - ET MALWARE Win32/PlugX/Talisman Activity (POST) (malware.rules)
  • 2035889 - ET INFO Observed Commonly Abused Domain in DNS Lookup (blogattach .naver .com) (info.rules)
  • 2035890 - ET INFO Observed Commonly Abused Domain (blogattach .naver .com in TLS SNI) (info.rules)
  • 2035915 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
  • 2036210 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2036211 - ET MALWARE Malicious VBS Sending System Information (POST) (malware.rules)
  • 2036213 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
  • 2036228 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
  • 2036237 - ET USER_AGENTS Observed Bumblebee Loader User-Agent (bumblebee) (user_agents.rules)
  • 2036257 - ET MALWARE Suspected TA404 APT Related Activity M1 (malware.rules)
  • 2036258 - ET MALWARE Suspected TA404 APT Related Activity M2 (malware.rules)
  • 2036278 - ET MALWARE DPRK APT Related Domain in DNS Lookup (beastmodser .club) (malware.rules)
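The rule names in the lists above defang their domain indicators with a space before each dot (applicatwindomz .com, blogattach .naver .com). The script below is an added example, not Emerging Threats tooling: it parses lines in this summary's bullet format into SID, rules file and refanged domains so the indicators can be fed to DNS log hunting or a resolver blocklist. It assumes the "• SID - MSG (file.rules)" layout shown above; its sample input is a handful of lines copied from this summary (constructed for the example), and the wildcard entry (*.stkhome .de) is kept as a suffix pattern rather than a literal hostname.

```python
"""Extract SIDs, rule files and refanged domain IOCs from an Emerging Threats
ruleset update summary in the plain-text format above.

Added example, not Emerging Threats tooling. Assumptions: entries are bullet
lines "• SID - MSG (file.rules)", and domains inside MSG are defanged with a
space before each dot ("applicatwindomz .com")."""
import re
from dataclasses import dataclass, field

# Constructed sample in the summary's own format (lines copied from the lists
# above; the last entry carries no domain and serves as a negative case).
SAMPLE = """\
  • 2044635 - ET MALWARE IcedID CnC Domain in DNS Lookup (applicatwindomz .com) (malware.rules)
  • 2044643 - ET INFO OpenDrive Cloud Storage Domain in DNS Lookup (od .lk) (info.rules)
  • 2044633 - ET INFO DYNAMIC_DNS Query to a *.stkhome .de Domain (info.rules)
  • 2035889 - ET INFO Observed Commonly Abused Domain in DNS Lookup (blogattach .naver .com) (info.rules)
  • 2853725 - ETPRO ATTACK_RESPONSE SnakeKeylogger Config Inbound (attack_response.rules)
"""

ENTRY_RE = re.compile(
    r"^\s*•\s*(?P<sid>\d+)\s+-\s+(?P<msg>.*?)\s+\((?P<file>\w+\.rules)\)\s*$"
)
# A defanged domain: optional "*." wildcard, one label, then one or more " .label".
DEFANGED_RE = re.compile(
    r"(?<![\w.-])((?:\*\.)?[A-Za-z0-9-]+(?:\s\.[A-Za-z0-9-]+)+)(?![\w-])"
)


@dataclass
class Entry:
    sid: int
    msg: str
    rules_file: str
    domains: list = field(default_factory=list)  # refanged, e.g. "od.lk"


def refang(defanged: str) -> str:
    """'blogattach .naver .com' -> 'blogattach.naver.com'."""
    return defanged.replace(" .", ".").lower()


def parse_summary(text: str) -> list:
    """Return one Entry per bullet line; headers, notices and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        domains = [refang(d) for d in DEFANGED_RE.findall(msg)]
        entries.append(Entry(int(m.group("sid")), msg, m.group("file"), domains))
    return entries


def ioc_domains(text: str, categories=("malware.rules",)) -> set:
    """Domains named by entries in the given rules files. Wildcard entries keep
    their '*.' prefix: they are suffix matches, not literal hostnames."""
    return {d for e in parse_summary(text) if e.rules_file in categories for d in e.domains}


def to_blocklist(domains) -> list:
    """One literal hostname per line; a wildcard entry becomes a comment so an
    exact-match resolver blocklist never silently ignores it."""
    lines = []
    for d in sorted(domains):
        lines.append(f"# suffix match, not supported here: {d}" if d.startswith("*.") else d)
    return lines


if __name__ == "__main__":
    for e in parse_summary(SAMPLE):
        print(e.sid, e.rules_file, e.domains)
    print("\n".join(to_blocklist(ioc_domains(SAMPLE, ("malware.rules", "info.rules")))))
```

This only recovers indicators that appear in the rule name itself; entries such as "Mustang Panda APT Related Activity (GET)" keep their content matches in the rule body, which the summary does not include, so the rules file remains the authoritative source. Filtering on the rules file matters too: info.rules entries (cloud storage, dynamic DNS) are observation signatures, not CnC domains, and belong in a hunting list rather than a blocklist.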