Happy St. Patrick’s Day all - greetings on another Friday. Big week for us in the Suricata IDS community with over 100 (113!) signatures added to ET Open! Check them out here and let’s chat on a few.
From @Gi7w0rm, a tip-up and a @hatching_io run allowing us to sig on Amadey bot POSTs in 2044597 and 2044623 - thanks!
Coverage for exfiltration via Telegram: a couple of sigs from this @suyog41 tweet on a Rust stealer. SIDs 2044598 and 2044599.
Friend of ET @malwareforme contributes towards SID 2044625 - bolstering our sidecopy APT coverage with this alert on system info being sent outward for recon and data leakage. Thanks and hope you’re well!
On sidecopy APT POST activity, we’ve also got 2044645 from @fmc_nan. Thanks for the tweet!
Old home week continues with a good friend contributing, on our Emerging Threats Discord, SID 2044600 for a sideshow outbound CnC auth. DM for an invite, and thank you @travisbgreen!
Tip-ups and feedback help us see where existing coverage can be tuned. Thanks to @0xrb, their tweet let us tidy up the Android/SOVA sigs (2033940, 2033941, 2033942, 2033943, 2033944), which were producing false negatives (FN) because of user-agent filtering. Thanks for the tag!
Both @StopMalvertisin and @t3ft3lb are taking it to MustangPanda APT, with alerts on both inbound and outbound activity. Thanks for the work that led to SIDs 2044640-2044642.
The industry helped contribute tips to ET Open this week as well - here’s @Mandiant with their Lightshow blog writeup giving us domains for these DNS query SIDs: 2044601-2044613 from here:
From @SentinelOne, more than a few DNS sigs on Winter Vivern APT (SIDs 2044656-2044661) as well as C2 Check-in (2044662) and payload retrieval (2044663-2044664) - all from here:
Lastly, and unfortunately, as with any crisis, threat actors seek to capitalize on misery for their own gain. We’ve released SIDs 2044674-2044676 to help protect against those who would phish targets using the recent collapse of SVB as a lure.
That’s all for this week - enjoy the weekend and be careful out there!