Weekly Community Review - March 31, 2023

It’s a rainy Friday to close out the week here at @ET_Labs - with your help we released 93 sigs out into the ET Open ruleset. Let’s chat about them and thank those who contributed to their existence! https://rules.emergingthreatspro.com/open/

The infosec researcher community continues to tip us off to Gamaredon APT activity daily! This is a great resource for giving us visibility and a timely heads-up on new domains and activity.

From @malPileDiver, thanks for the tags that led to 2044782-2044786 & 2044836-2044839. These domain alerts will let our users know whether assets within their networks are making DNS requests for compromised domains - an indicator of potential compromise.

And from @Cyber0verload, a kind tag with domain tips leading to SIDs 2044826 and 2044772-2044780, as well as a hash that allowed us to model Gamaredon C2 recon callback activity in SIDs 2044827-2044829!

On that note, remember there are many ways to reach out to us with a tip on a hash, intel, or detection logic you’ve created: here on Twitter, on our Discourse, on our mailing list via support[at]emergingthreats[dot]net, or on our Discord (hit us up via DM for an invite!).

Here’s the origin of SID 2044768, from this tweet by @suyog41, giving us a URI pattern and PCRE match guidance to fire on this mugglestealer outbound activity:

SID 2044796 is from this @James_inthe_box tweet - pswstealer exfil guidance from an @anyrun_app. Thanks for sharing with the Suricata IDS community!

Good friend of @ET_Labs @tgreen contributes SID 2044825 for CVE-2022-25237, SCADA Altenergy Power Control Software Command Injection Attempt, modeled from the exploit here:

Thanks for the Twitter tag @Gi7w0rm, which led to Hunting SID 2044835 - their analysis shows Raccoonv2 RecordBreaker loading a malicious binary which grabs Google account details and exfils them!

All week the infosec landscape has been working hard to cover the potentialities of the #3CX / #3CXpocalypse - we’d particularly like to thank @patrickwardle, @objective_see, and @Volexity for the work they’ve shared. This helped us not only release alerts for DNS queries for the observed domains (2044802-2044822) but also, today, detection logic around the user agents and other related HTTP header information (SIDs 2044857, 2044848-2044849)!

From our industry friends, this @zscaler blog provided guidance for 2044842, which fires alerts on a C2 domain called out in their posting.

SID 2044824 is from this @Mandiant APT43 report - BRAVEPRINCE outbound/GET activity:

On the home front, @aRtAGGI and his research on Winter Vivern and CVE-2022-27926 - wonderful insight on TA473, phishing, and the threat actor standby of exploiting unpatched vulnerabilities, with @ET_Labs signatures for reference and visibility!

And don’t forget to check out the great @threatinsight blog on IcedID from the wonderful Threat Research team here - with extra @ET_Labs signature coverage goodness at the end!