Weekly Community Review - January 27, 2023

Greetings all! Powered by your contributions and publicly available information we had almost 600 (!!) Suricata IDS rules added to ET Open this week. Here’s a breakdown…

Almost 500 of those signatures were INFO signatures alerting on outbound queries over HTTP from servers documented here: DNS over HTTPS · curl/curl Wiki · GitHub. It’s important to note: These are INFO sigs and their alerts are not indicative of maliciousness outside other contextual evidence!

We’ve also had SIDs 2043439-2043453 on Gigabud RAT derived from information posted by @AuCyble, on this blog:http://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/

Thanks to @James_inthe_box for https://twitter.com/James_inthe_box/status/1618370975523012608…, giving us SID 2044001…

SID 2043986, outbound POST to a c2 here, thanks @1ZRR4H!

From @jaydinbas, thanks for the tag which rendered SID 2043987, outbound connection using a suspect UA string associated with Win32/DoNot.

a @TrendMicro blog, https://trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html…, giving us #cobaltstrike C2s and SIDS 2043988-2043990.

For exploits,@bl4sty’s work here: http://github.com/blasty/lexmark enabling community detection for his discovered Lexmark vulnerability.

Our friends at @TheDFIRReport, posting http://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts… and giving us SID 2043996, “ET INFO Suspected Impacket WMIExec Activity”

And lets talk about tuning! After some noise report, we put tune of 2031193 - ET MALWARE Suspected Snugy DNS Backdoor Initial Beacon. Intial writeup was done by Unit42 (https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/…)…

Using the reference sample, (can be observed in this http://any.run https://app.any.run/tasks/9031305c-0ad3-4c07-804a-3d913251ad4b/…) our own @bmurphy stripped out everything not doing with the DGA for that initial checkin, then used “Try It Online” (@try_it_online) to run the code…

With the output of over 100 domains, using regex101 (@regex101) a new pattern was found which allowed for a tighter PCRE to detect the initial checkin subdomains! Less FPs! Victory!

And lastly for today, wonderful work by @greglesnewich on the @threatinsight #TA444 blog here, including free community ET Open sigs alerting on associated domains! Have a great weekend all!