Weekly Community Review - January 19, 2024

Greetings all! We’re back to talk about all the kind contributions to our ET Open #IDS Suricata and #Snort rulesets recently. As a reminder, we work to address threats on the landscape and construct detection logic from public disclosures (which go into ET Open) and from the analysis (including malware reversing) of internally sourced samples and research (which goes into ETPRO).

There are multiple ways to share with us: on Twitter, on our Discord server (ask for an invite), here on our community Discourse page (https://community.emergingthreats.net/), our mail alias (support at emergingthreats.net), our feedback forum (Feedback) or our new Mastodon page (EmergingThreats (@EmergingThreats@infosec.exchange) - Infosec Exchange).

A bunch of researchers have helped us recently, and we’d love to give them some kudos. From @malwrhunterteam, off a @MsftSecIntel share, this hash and analysis led to an additional method being covered for the #FalseFont backdoor within SID 2049963.

Old friend of ET @tgreen shared this @foxit #Blister writeup, which contained Cobalt Strike C2 profiles for us to add to our detection coverage (SIDs 2049975-2049995). These profiles exist to obfuscate C2 traffic, but our detections exist to thwart them!

Thanks to @asdasd13asbz and @jaydinbas for these shares (h/t @greglesnewich), allowing us to signature #TrollAgent domains, alerting on DNS lookups (SIDs 2049955, 2049962, 2049967-2049969) and TLS SNI connections (SIDs 2049970-2049973).

#SeaTurtle #APT check-in coverage in SID 2049974 comes from this @huntandhackett blog (h/t @threatinsight’s Josh Miller!)

Friend @naumovax shares this @SonicWall blog on a sneaky #CoinMiner framework masquerading as a game trainer for #Rust. SID 2050052 has the outbound C2 activity covered!

So many researchers and orgs are sharing and helping us out - special thanks to @attcyber and, more specifically, @siderafer / Fernando Martinez for AsyncRAT research and detection aid!

We mentioned our #Discord earlier - there, friend @ViriBack teed up a hash and VirusTotal analysis for #Neptune #Loader that became SID 2050109!

Thanks to @1ZRR4H and their share of this @sucurisecurity writeup - this enabled DNS lookup alerts (SIDs 2050134 and 2050136) and TLS SNI connection alerts (SIDs 2050135 and 2050137) for identified #Balada domains, as well as SID 2050138, which catches the JavaScript injection on a vulnerable page using #PopupBuilder!
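For readers who have not written this kind of coverage before, here is the general shape of a DNS lookup / TLS SNI rule pair like the TrollAgent and Balada ones mentioned above. This is an added illustration, not ET Open content and not the text of any SID listed in this post; the domain c2-placeholder.invalid and the SIDs in the local 1000000+ range are placeholders, and it uses Suricata 6+ keyword syntax.

```suricata
# Added illustration, not an ET Open rule. Domain and SIDs are placeholders.

# DNS lookup: fires when any inside host queries the domain or a subdomain of it.
# dotprefix prepends "." to the dns.query buffer, so endswith matches
# "evil.c2-placeholder.invalid" but not the look-alike "notc2-placeholder.invalid".
alert dns $HOME_NET any -> any any (msg:"LOCAL MALWARE Observed DNS Query to c2-placeholder .invalid (placeholder)"; dns.query; dotprefix; content:".c2-placeholder.invalid"; nocase; endswith; classtype:trojan-activity; sid:1000001; rev:1;)

# TLS SNI: fires on the Client Hello that names the domain. This catches the
# connection even when the sensor never saw the lookup (DoH, an upstream resolver
# cache) and should be paired with the DNS rule rather than replace it.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL MALWARE Observed c2-placeholder .invalid in TLS SNI (placeholder)"; flow:established,to_server; tls.sni; dotprefix; content:".c2-placeholder.invalid"; nocase; endswith; classtype:trojan-activity; sid:1000002; rev:1;)
```

Drop the two rules into a local rules file and run `suricata -T -c suricata.yaml -S local.rules` to check that they parse before loading them on a sensor; replaying a pcap of a lookup and a TLS connection to the domain with `suricata -r` should then produce one alert from each rule.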

Friend @naumovax linking multiple sandbox runs allowed SIDs 2050230 (client check-in) and 2050229 (C2 server response) for the #AdAptertrAin backdoor. Check out the featured Base64 ‘encrypted’ traffic: the payload is only Base64-encoded, not encrypted, and it’s sending profile information for the compromised host back to its controller.

Lots is always happening here on our #Discourse - here, friend @Jane0sint shares #XenoRAT traffic and @app_anyrun analysis, which allows us to model the check-in (2050110) and keep-alive (2050111) outbound activity.

Don’t forget to check out @dansomware and @adorais on the latest #Discarded podcast, talking about their 2024 cyber threat predictions!

Thanks all!