Weekly Community Review - March 10, 2023

It’s (almost) the weekend. Thanks to the Suricata IDS infosec community we had 131 signatures added to ET Open in the last 5 days, and they’re there for you to use with thousands more! Take a look here, https://rules.emergingthreatspro.com/open/, and let’s go over a few…

First I want to shout-out the researchers who work so hard to share their good work on #Gamaredon, particularly @StopMalvertisin, @Cyber0verload, @500mk500, and @malPileDiver.

First up is @Cyber0verload (2044523) - with a hash and a sample that allowed us to model detection logic after content in the user agent field.

They also tipped up multiple #Gamaredon domains that we sig’d up to provide notification of DNS queries - potential indicators that the querying hosts may be compromised. SIDs 2044441-2044445 will let you know.

Next, thanks to @malPileDiver for the shout-out to identify a couple more #Gamaredon-involved domains - these are SIDs 2044439 and 2044440.

Remember, there are many ways to reach out to us with a tip-up on an interesting hash, article, or even detection logic you’ve created: Twitter, here on https://community.emergingthreats.net, on our mailing list via support[at]emergingthreats[dot]net or on our Discord (DM for an invite!).

Back to the week - from @h2jazi, with a hash and analysis that allowed us to model the network traffic of a backdoor exfiltrating data! SIDs 2044437 (DNS lookup for the malicious domain) and 2044438 (data exfil!)

More data exfil via Telegram from @suyog42, #LucaStealer Sending System Information (SID 2044524):

From @James_inthe_box, still more Telegram exfil: SID 2044527 for #vectorstealer - thanks for the tweet!

Industry time - here are a few blogs and such that tipped us up to techniques and detection logic. @uptycs, thanks for SIDs 2044449 and 2044450 - call and response alerts for Parallax RAT from here:

From @morphisec, C2 traffic and malicious domain information that led us to 2044505-2044515. Sourced from:

Hiatus RAT C2 coverage (SID 2044503), thanks to @BlackLotusLabs and this blog:

An inbound C2 GET alert modeled from this @bridewellsec blog content, thanks for 2044535!

And lastly, from @CPResearch, a sig alerting on #SharpPanda Soul Framework activity, SID 2044564. Thanks for sharing!

That’s all for this week everyone - be well and enjoy the weekend.