Ruleset Update Summary - 2023/03/27 - v10278

rulesbot · March 27, 2023, 9:11pm

Summary:

28 new OPEN, 29 new PRO (28 + 1)

Thanks @suyog41, @Cyber0verload, @uptycs

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

The mailing list is being retired on April 3, 2023.

Added rules:

Open:

2044766 - ET MALWARE WorldWind Stealer Checkin via Telegram (GET) (malware.rules)
2044767 - ET MALWARE Snake Keylogger Exfil via SMTP (malware.rules)
2044768 - ET MALWARE Suspected Muggle Stealer Activity M1 (malware.rules)
2044769 - ET MALWARE Suspected Muggle Stealer Activity M2 (malware.rules)
2044770 - ET HUNTING Whoami Command Inbound On High Port (hunting.rules)
2044771 - ET HUNTING PowerShell Command Prompt Outbound On High Port (hunting.rules)
2044772 - ET MALWARE Observed DNS Query to Gamaredon Domain (cumbersome .ru) (malware.rules)
2044773 - ET MALWARE Observed DNS Query to Gamaredon Domain (narutasx .ru) (malware.rules)
2044774 - ET MALWARE Observed DNS Query to Gamaredon Domain (vohod .ru) (malware.rules)
2044775 - ET MALWARE Observed DNS Query to Gamaredon Domain (highfalutin .ru) (malware.rules)
2044776 - ET MALWARE Observed DNS Query to Gamaredon Domain (parsimonious .ru) (malware.rules)
2044777 - ET MALWARE Observed DNS Query to Gamaredon Domain (caramelas .ru) (malware.rules)
2044778 - ET MALWARE Observed DNS Query to Gamaredon Domain (quizzical .ru) (malware.rules)
2044779 - ET MALWARE Observed DNS Query to Gamaredon Domain (heartbreaking .ru) (malware.rules)
2044780 - ET MALWARE Observed DNS Query to Gamaredon Domain (baoris .ru) (malware.rules)
2044781 - ET MALWARE Possible Bitter APT Activity (GET) (malware.rules)
2044782 - ET MALWARE Observed DNS Query to Gamaredon Domain (.ruzipo .ru) (malware.rules)
2044783 - ET MALWARE Observed DNS Query to Gamaredon Domain (narama .ru) (malware.rules)
2044784 - ET MALWARE Observed DNS Query to Gamaredon Domain (rustampo .ru) (malware.rules)
2044785 - ET MALWARE Observed DNS Query to Gamaredon Domain (sabihpo .ru) (malware.rules)
2044786 - ET MALWARE Observed DNS Query to Gamaredon Domain (savalanpo .ru) (malware.rules)
2044787 - ET MALWARE Observed DNS Query to Gamaredon Domain (ruslanpo .ru) (malware.rules)
2044788 - ET MALWARE Vidar Stealer CnC Checkin (malware.rules)
2044789 - ET MALWARE MacOS/MacStealer Data Exfiltration Attempt (malware.rules)
2044790 - ET MALWARE Win32/Inido!rts Checkin (malware.rules)
2044791 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jsqur .com) (malware.rules)
2044792 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jqueryh .org) (malware.rules)
2044793 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .lap .detroitdragway .com) (malware.rules)

Pro:

2853805 - ETPRO MALWARE TA551 Maldoc Payload Request (2023-03-23) (malware.rules)

Disabled and modified rules:

2037815 - ET MALWARE 8220 Gang Related Domain in DNS Lookup (onlypirate .top) (malware.rules)
2037816 - ET MALWARE 8220 Gang Related Domain in DNS Lookup (letmaker .top) (malware.rules)
2037817 - ET MALWARE 8220 Gang Related Domain in DNS Lookup (oracleservice .top) (malware.rules)
2038744 - ET PHISHING Successful Generic Credential Phish (.ngrok .io) (phishing.rules)
2038831 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (appledocs .ru) (malware.rules)
2038832 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (gurumades .ru) (malware.rules)
2038833 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (kinksdoc .ru) (malware.rules)
2038834 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (superdocs .ru) (malware.rules)
2038835 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (cosmodron .com) (malware.rules)
2038836 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (gismolow .com) (malware.rules)
2038837 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (melindas .ru) (malware.rules)
2038838 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (adobefile .ru) (malware.rules)
2038860 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com) (malware.rules)
2038914 - ET MALWARE DonotGroup Related Domain in DNS Lookup (furnish .spacequery .live) (malware.rules)

Topic		Replies	Views
Ruleset Update Summary - 2023/03/30 - v10281 Ruleset Updates	0	356	March 30, 2023
Ruleset Update Summary - 2023/04/04 - v10284 Ruleset Updates	0	240	April 4, 2023
Ruleset Update Summary - 2023/03/06 - v10259 Ruleset Updates	1	212	March 6, 2023
Ruleset Update Summary - 2023/03/21 - v10274 Ruleset Updates	0	234	March 21, 2023
Ruleset Update Summary - 2023/02/06 - v10237 Ruleset Updates	0	195	February 6, 2023