Ruleset Update Summary - 2023/06/02 - v10339

rgonzalez · June 3, 2023, 6:03am

Summary:

24 new OPEN, 35 new PRO (24 + 11)

Thanks Kevin, Ross, @_JohnHammond, @HuntressLabs, @nahamike01, @Cyber0verload

Added rules:

Open:

2046047 - ET WEB_SERVER LEMURLOOT WebShell Interaction Header (X-siLock-Comment) - Observed in MOVEit File Transfer - INBOUND (web_server.rules)
2046048 - ET WEB_SERVER LEMURLOOT WebShell Interaction Header (X-siLock-Comment) - Observed in MOVEit File Transfer - OUTBOUND (Active Compromise) (web_server.rules)
2046049 - ET WEB_SERVER LEMURLOOT WebShell Interaction Header - X-siLock-Step1 -1 Data Exfil Request - Observed in MOVEit File Transfer - INBOUND (web_server.rules)
2046050 - ET WEB_SERVER LEMURLOOT WebShell Interaction Header - X-siLock-Step1 -1 Data Exfil Response - Observed in MOVEit File Transfer - OUTBOUND (Active Compromise) (web_server.rules)
2046051 - ET WEB_SERVER LEMURLOOT WebShell Interaction Header - X-siLock-Step1 -2 Health Check User Delete Request - Observed in MOVEit File Transfer - INBOUND (web_server.rules)
2046052 - ET WEB_SERVER LEMURLOOT WebShell Interaction Header - X-siLock-Step2/3 File Retrieval Request- Observed in MOVEit File Transfer - INBOUND (web_server.rules)
2046053 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - HTTP POST to /moveitaspi.dll (CVE-2023-34362) (web_specific_apps.rules)
2046054 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - HTTP POST to /guessaccess.aspx (CVE-2023-34362) (web_specific_apps.rules)
2046055 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - HTTP POST to /api/v1/folders (CVE-2023-34362) (web_specific_apps.rules)
2046056 - ET MALWARE Redline Stealer Activity (Response) (malware.rules)
2046057 - ET USER_AGENTS Suspicious User Agent (Zadanie) (user_agents.rules)
2046058 - ET MALWARE Observed DNS Query to Gamaredon Domain (rashidiso .ru) (malware.rules)
2046059 - ET MALWARE Observed DNS Query to Gamaredon Domain (mhotepzi .ru) (malware.rules)
2046060 - ET MALWARE Observed DNS Query to Gamaredon Domain (neferzi .ru) (malware.rules)
2046061 - ET MALWARE Observed DNS Query to Gamaredon Domain (naborzi .ru) (malware.rules)
2046062 - ET MALWARE Observed DNS Query to Gamaredon Domain (minkazi .ru) (malware.rules)
2046063 - ET MALWARE Observed DNS Query to Gamaredon Domain (nahtizi .ru) (malware.rules)
2046064 - ET MALWARE Observed DNS Query to Gamaredon Domain (panahaziso .ru) (malware.rules)
2046065 - ET MALWARE Observed DNS Query to Gamaredon Domain (nebtoizi .ru) (malware.rules)
2046066 - ET MALWARE Observed DNS Query to Gamaredon Domain (nebibizi .ru) (malware.rules)
2046067 - ET MALWARE SocGholish Domain in DNS Lookup (failure .mathgeniusa .com) (malware.rules)
2046068 - ET MALWARE SocGholish Domain in DNS Lookup (static .laytonroadconstruction .com) (malware.rules)
2046069 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .nodes .gammalambdalambda .org) (malware.rules)
2046070 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (greedyfines .org) (exploit_kit.rules)

Pro:

2854475 - ETPRO MOBILE_MALWARE Observed Trojan-Banker.AndroidOS.Kokbot.n Domain in TLS SNI (mobile_malware.rules)
2854476 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Kokbot.n CnC Domain in DNS Lookup (mobile_malware.rules)
2854477 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Badpack.g CnC Domain in DNS Lookup (mobile_malware.rules)
2854478 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CFT DNS Lookup (mobile_malware.rules)
2854479 - ETPRO MOBILE_MALWARE Observed Android/Spy.Agent.CQK Domain in TLS SNI (mobile_malware.rules)
2854480 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CQK CnC Domain in DNS Lookup (mobile_malware.rules)
2854481 - ETPRO MOBILE_MALWARE Observed Android/Spy.Agent.CNA Domain in TLS SNI (mobile_malware.rules)
2854482 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CNA CnC Domain in DNS Lookup (mobile_malware.rules)
2854483 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CQT DNS Lookup (mobile_malware.rules)
2854484 - ETPRO MOBILE_MALWARE Observed Trojan-Banker.AndroidOS.Kokbot.n Domain in TLS SNI (mobile_malware.rules)
2854485 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Kokbot.n DNS Lookup (mobile_malware.rules)

Disabled and modified rules:

2045065 - ET MALWARE Observed DNSQuery to TA444 Domain (tet .dnx .capital) (malware.rules)
2045066 - ET MALWARE Observed DNSQuery to TA444 Domain (dmarc .onlineshares .cloud) (malware.rules)
2045067 - ET MALWARE Observed DNSQuery to TA444 Domain (onlineshares .cloud) (malware.rules)
2045068 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .azurehosting .co) (malware.rules)
2045071 - ET MALWARE Observed DNSQuery to TA444 Domain (doc .gdocshare .one) (malware.rules)
2045075 - ET MALWARE Observed DNSQuery to TA444 Domain (down .tomming .us) (malware.rules)
2045076 - ET MALWARE Observed DNSQuery to TA444 Domain (safe .doc-share .pro) (malware.rules)
2045078 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .j-ic .co) (malware.rules)
2045080 - ET MALWARE Observed DNSQuery to TA444 Domain (inter .gpmtreit .co) (malware.rules)
2045081 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .j-ic .com) (malware.rules)
2045082 - ET MALWARE Observed DNSQuery to TA444 Domain (fs .digiboxes .us) (malware.rules)
2045084 - ET MALWARE Observed DNSQuery to TA444 Domain (down .j-ic .com) (malware.rules)
2045085 - ET MALWARE Observed DNSQuery to TA444 Domain (internal .j-ic .co) (malware.rules)
2045086 - ET MALWARE Observed DNSQuery to TA444 Domain (down .j-ic .co) (malware.rules)
2045087 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .gpmtreit .co) (malware.rules)
2045090 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .mekongcapital .net) (malware.rules)
2045093 - ET MALWARE Observed DNSQuery to TA444 Domain (deck .toyota-ai .org) (malware.rules)
2045095 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .anobaka .info) (malware.rules)
2045096 - ET MALWARE Observed DNSQuery to TA444 Domain (safe .doc-share .top) (malware.rules)
2045100 - ET MALWARE Observed DNSQuery to TA444 Domain (ms .msteam .biz) (malware.rules)
2045101 - ET MALWARE Observed DNSQuery to TA444 Domain (share .1drvmicrosoft .com) (malware.rules)
2045102 - ET MALWARE Observed DNSQuery to TA444 Domain (down .gpmtreit .us) (malware.rules)
2045103 - ET MALWARE Observed DNSQuery to TA444 Domain (down .gpmtreit .co) (malware.rules)
2045106 - ET MALWARE Observed DNSQuery to TA444 Domain (site .siteshare .me) (malware.rules)
2045108 - ET MALWARE Observed DNSQuery to TA444 Domain (cloud .dnx .capital) (malware.rules)
2045167 - ET MALWARE DNS Query to Gamaredon Domain (bankoulpi .ru) (malware.rules)
2045168 - ET MALWARE DNS Query to Gamaredon Domain (barutipi .ru) (malware.rules)
2045169 - ET MALWARE DNS Query to Gamaredon Domain (apispi .ru) (malware.rules)
2045170 - ET MALWARE DNS Query to Gamaredon Domain (anherpi .ru) (malware.rules)
2045171 - ET MALWARE DNS Query to Gamaredon Domain (fushiguro .ru) (malware.rules)
2045172 - ET MALWARE DNS Query to Gamaredon Domain (22defeated .ayrympo .ru) (malware.rules)

Topic		Replies	Views
SIG: MoveIt File Transfer WebShell Interaction Rule Signatures	3	713	June 13, 2023
Ruleset Update Summary - 2023/06/12 - v10346 Ruleset Updates	0	1055	June 12, 2023
Ruleset Update Summary - 2024/05/21 - v10600 Ruleset Updates	0	226	May 21, 2024
Ruleset Update Summary - 2024/07/08 - v10640 Ruleset Updates	0	143	July 8, 2024
Ruleset Update Summary - 2024/01/16 - v10507 Ruleset Updates	0	542	January 16, 2024

Ruleset Update Summary - 2023/06/02 - v10339

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related topics