Ruleset Update Summary - 2023/03/22 - v10275

rulesbot · March 22, 2023, 10:28pm

Summary:

24 new OPEN, 45 new PRO (24 + 21)

Thanks @RedDrip7, @suyog41, @bzvr_, @Yeti_Sec, @crep1x

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

The mailing list is being retired on April 3, 2023.

Added rules:

Open:

2044723 - ET MOBILE_MALWARE Android/Spy.Banker.BTO CnC Domain in DNS Lookup (mobile_malware.rules)
2044724 - ET MALWARE QBot Payload Request (2023-03-21) M1 (malware.rules)
2044725 - ET MALWARE QBot Payload Request (2023-03-21) M2 (malware.rules)
2044726 - ET MALWARE QBot Payload Request (2023-03-21) M3 (malware.rules)
2044727 - ET MALWARE QBot Payload Request (2023-03-21) M4 (malware.rules)
2044728 - ET MALWARE QBot Payload Request (2023-03-21) M5 (malware.rules)
2044729 - ET MALWARE QBot Payload Request (2023-03-21) M6 (malware.rules)
2044730 - ET MALWARE QBot Payload Request (2023-03-21) M7 (malware.rules)
2044731 - ET MALWARE QBot Payload Request (2023-03-21) M8 (malware.rules)
2044732 - ET MALWARE QBot Payload Request (2023-03-21) M9 (malware.rules)
2044733 - ET MALWARE Donot Group Related Domain in DNS Lookup (roosterguy .online) (malware.rules)
2044734 - ET MALWARE Suspected Donot Group Maldoc Activity (GET) (malware.rules)
2044735 - ET MALWARE Win32/ZaRaza Stealer Activity via Telegram (Response) (malware.rules)
2044738 - ET MALWARE Xaview Stealer Admin Panel Inbound (malware.rules)
2044739 - ET INFO Chinese CDN Domain in DNS Lookup (ctcontents .com) (info.rules)
2044740 - ET MALWARE Win32/HookSpoofer Stealer Sending System Information via Telegram (GET) (malware.rules)
2044741 - ET MALWARE DarkCloud Stealer File Grabber Function Exfiltrating Data via Telegram (malware.rules)
2044742 - ET MALWARE DarkCloud Stealer FirefoxCookies.json Exfiltration via Telegram (malware.rules)
2044743 - ET MALWARE SOMNIRECORD CnC Domain in DNS Lookup (dafadfweer .top) (malware.rules)
2044744 - ET MALWARE SOMNIRECORD Backdoor PROBE Command in DNS Query (malware.rules)
2044745 - ET MALWARE SOMNIRECORD Backdoor CMD Command in DNS Query (malware.rules)
2044746 - ET MALWARE SOMNIRECORD Backdoor DATA Command in DNS Query (malware.rules)
2044747 - ET MALWARE Win64/TrojanDownloader.AHK.CH Checkin (malware.rules)
2044748 - ET MALWARE PennyWise Stealer Exfil (malware.rules)

Pro:

2853750 - ETPRO MOBILE_MALWARE Android/Spy.Agent.COX Checkin (mobile_malware.rules)
2853751 - ETPRO MOBILE_MALWARE Android/Spy.Agent.COX CnC Domain in DNS Lookup (mobile_malware.rules)
2853752 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CCM CnC Domain in DNS Lookup (mobile_malware.rules)
2853753 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Fakeapp.fa CnC Domain in DNS Lookup (mobile_malware.rules)
2853754 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Fakeapp.fa CnC Domain in DNS Lookup (mobile_malware.rules)
2853755 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.n CnC Domain in DNS Lookup (mobile_malware.rules)
2853756 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CKR CnC Domain in DNS Lookup (mobile_malware.rules)
2853757 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CML CnC Domain in DNS Lookup (mobile_malware.rules)
2853758 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.avcd CnC Domain in DNS Lookup (mobile_malware.rules)
2853759 - ETPRO MOBILE_MALWARE Android/Obfus.TQ CnC Domain in DNS Lookup (mobile_malware.rules)
2853760 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CNO CnC Domain in DNS Lookup (mobile_malware.rules)
2853761 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.td CnC Domain in DNS Lookup (mobile_malware.rules)
2853762 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.k CnC Domain in DNS Lookup (mobile_malware.rules)
2853763 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Fakecalls.at CnC Domain in DNS Lookup (mobile_malware.rules)
2853764 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Xhunter.a CnC Domain in DNS Lookup (mobile_malware.rules)
2853765 - ETPRO MOBILE_MALWARE Android/Spy.Gravity.A CnC Domain in DNS Lookup (mobile_malware.rules)
2853766 - ETPRO MOBILE_MALWARE Android/Spy.Vultur.D CnC Domain in DNS Lookup (mobile_malware.rules)
2853767 - ETPRO MALWARE Win32/Lucky Volunteer CnC Activity M1 (malware.rules)
2853768 - ETPRO MALWARE Win32/Lucky Volunteer CnC Activity M2 (malware.rules)
2853769 - ETPRO MALWARE Win32/Lucky Volunteer CnC Activity M3 (malware.rules)
2853770 - ETPRO MALWARE Win32/Lucky Volunteer CnC Activity M4 (malware.rules)

Disabled and modified rules:

2030055 - ET MALWARE NAZAR EYService Pong response (malware.rules)
2030056 - ET MALWARE NAZAR EYService OSInfo response (malware.rules)
2035292 - ET MALWARE Suspected PlugX Checkin Activity (GET) (malware.rules)
2036389 - ET INFO Commonly Abused SSL/TLS Certificate Observed (mylnavyfederal .com) (info.rules)
2036390 - ET MALWARE DPRK APT Related Maldoc Activity (POST) (malware.rules)
2036455 - ET MALWARE TeamTNT Related Domain in DNS Lookup (chimaera .cc) (malware.rules)
2044536 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .tool .pearldentalgroup .ca) (malware.rules)
2044630 - ET MALWARE SocGholish CnC Domain in DNS Lookup (*.favor.thehouseplantblog.com) (malware.rules)
2851530 - ETPRO MALWARE Maldoc Sending System Information (GET) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/03/13 - v10266 Ruleset Updates	258	March 13, 2023
Ruleset Update Summary - 2023/01/05 - v10212 Ruleset Updates	323	January 5, 2023
Ruleset Update Summary - 2023/01/04 - v10211 Ruleset Updates	261	January 4, 2023
Ruleset Update Summary - 2023/01/09 - v10215 Ruleset Updates	324	January 9, 2023
Ruleset Update Summary - 2023/01/12 - v10219 Ruleset Updates	197	January 12, 2023