Weekly Community Review - April 7, 2023

We’re wrapping up the week here and we want to thank the #infosec #suricata #IDS community for tips, tags, and public blogs that lent knowledge to the creation of 58 ET Open sigs! A sampling of that coverage…

With their daily #Gamaredon #APT domain drops and kind tags of @etlabs,@malPileDiver continues to contribute to #ETopen - this week SIDs 2044867-2044869 & 2044899-2044902.

From@1ZRR4H, a couple #NetSupport DNS SIDs, 2044890 and 2044891.

Reminder: #NetSupport is a remote access manager/tool (RAT) which can be abused for malicious purposes. While it has legitimate uses, when it comes to detection logic, signatures, and these DNS query alerts–these rule fires call for investigation.

Thanks to@tosscoinwitcher, 2 SIDs to identify #SnakeKeyLogger activity, with the payload request (2044887) and associated domain DNS query alert (2044888). Great @hatching_io run!

Our supported IDS engines (https://community.emergingthreats.net/t/supported-engines/71…) give us the ability to alert on both the presentation of a phishing landing page and credential submission. Thanks for 2044889,@ecarlesi, to catch this #credphish try!


From a @joe4securityrun, #JA3 has within SID 2044912 is courtesy of @malware_traffic and @Unit42_Intel for #STRRAT malware detection.

SIDs 2044903-2044905 are thanks to @trustwave for the Rilide Stealer they discovered! DNS IOCs from here:

From @unmaskparasites and @sucurisecurity, SID 2044913 for #BALADA #malware and the byte patterns enabling the content matches for the alert within:

Lastly,@Unit42_Intel’s blog (SID 2044908) and @urlscanio comprehensive information (2044907) enabling the Traffic Distribution Systems (TDS) landing page and subsequent request leading to #CryptoClipper!