Weekly Community Review - May 26, 2023

Greetings all! Hello from the end of a week where we almost touched 100 (good thinking, 99!) new #IDS signatures added to #ETOpen. It wouldn’t happen without the collaboration of our #suricata community and industry partners who so generously share their insight and abilities. Let’s talk about a few of them and shout-out those who helped.

A kind tag from @MavericksInt and some VT and hatching_triage runs from @DSLab_Ukraine provided the detection logic ‘meat’ to SID 2045809 on #Gamaredon #APT GET activity in the form of identified infrastructure and filename patterns.

SIDs 2045796-2045805 come from this @h2jazi tweet and further info from @500mk500. They are #TA427 DNS signatures alerting on lookups potentially indicative of compromise.

Tags and tweets are a great way to get our attention - but there are many others as well. Reach us by posts on our #Discourse page (where we are building a great community) or our support mail (support[at]emergingthreats[dot]net) as well.


And speaking of that Discourse site, a couple great posts here led to a couple great SIDs thanks to @Jane0sint. Firstly, #void #ransomware SID 2045821 with rule syntax contributed directly!

And next up, #Gurcu #stealer with SIDs 2045868 (WhiteSnake reporting request) and 2045869 (WhiteSnake Stealer Telegram Checkin) - check out the thread and follow along with the collaboration process: Gurcu stealer report outbound - #3 by Jane0sint

More great #Gamaredon infrastructure research from @malpilediver - SIDs 2045834-2045840 for DNS alerts against these domains are in the ruleset now, thanks to you!

From @malwrhunterteam, SID 2045830, Win64/Rozena.TD Variant outbound C2 activity modeled from their tweet and hash here:

Great work on a KrakenKeylogger deep dive by @0xToxin, SID 2045841 now fires on data exfil via SMTP: Kraken - The Deep Sea Lurker Part 1 - Toxin Labs

A new blog this week from our friends at DFIR report - IcedID -> CobaltStrike -> Nokoyawa Ransomware both featured ET signatures (check the network detections section) and inspired SIDs 2045849-2045856 which report on DNS lookups against identified malicious infrastructure by hosts.

That’s it for this week! There’ll be no rule release on Monday, January 29 due to the US and UK holiday but we’ll be back on Tuesday and we hope you’ll be there to help us again. Thanks all and be well.