Weekly Community Review - August 28, 2023

Greetings - welcome to our summation walkthrough of the past week in #EmergingThreats Open signatures! We had 83 new rules added to the ruleset and we want to take some time to thank the researchers, analysts, and community partners who helped make that happen!

Thanks to @suyog41 for this share - SID 2047681 can now alert on this #SparkRAT checkin activity, thanks to a hash share against which we were able to model HTTP URI content patterns!

https://twitter.com/suyog41/status/1693563144617206147

And more hash shares from @suyog41 - this enabled SID 2047716 to alert on HTTP POST content indicating #NewsRat C2 exfil activity via Telegram:

https://twitter.com/suyog41/status/1694238749688049738

SID 2047717 comes from @Gi7w0rm’s kind share of Hatching runs, allowing us to model this downloader’s C2 checkin/outbound activity:

https://twitter.com/Gi7w0rm/status/1693432581583184029

Are these ET Open rules free? How can we get support for them? Why did you make the choices you made? The answers to all these questions and more are here, on our #Discourse site!

And speaking of that Discourse site - here, @Jane0sint enters a new sig into the record - this Mekotio banking trojan alert became SID 2047723. Thanks!

From their kind tweet and anyrun share, an alert on over-the-wire #AgentTesla binary encoded in a jpeg!

https://twitter.com/Jane_0sint/status/1694972207896699387

On the industry partners side, this @talossecurity blog provided the context for SID 2047726 - #TA430/Andariel #CollectionRAT outbound activity:

This @SentinelOne #XLoader blog contained multiple IoCs in its references, and that enabled us to sig SID 2047686-2047701, alerting on DNS lookups against these associated domains!

From @symantec, a #Carderbee #APT blog and its shared URLs, hashes, and domains informed SID 2047715, which we wrote to detect related outbound activity to port 443:

And lastly, from @cyberuptive, a very comprehensive writeup (with mitigations and IOCs) for #FerestSmuggler #CredentialHarvesting led to 2047708-2047710 (redirects to various free URL shorteners for obfuscation purposes) and 2047705-2047706 (actual outbound requests) to alert on this malicious credphish activity!
