Greetings all! Welcome to our weekly review - where we take a look at the kind sharing efforts and rule feedback that powered the 123 new rules that made their way into our #etopen #IDS ruleset last week! We’d like to cite a few here…
From @x3ph1, #Atomic #MacOS #Stealer shared with a hash and @abuse_ch and @virustotal references, leading to signature coverage on the related domain (SID 2048101 DNS, 2048102 TLS SNI) and on the outbound HTTP POST exfiltrating to C2 (SID 2048103):
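The three-layer coverage above (DNS lookup, TLS SNI, outbound HTTP POST to the same C2 host) is a pattern worth seeing end to end. The script below is an added example, not ET rule content and not the actual Atomic Stealer indicators: it reads Suricata-style EVE JSON records, matches each of the three stages against a single indicator domain, and groups the hits per source host so a triager can see which hosts progressed all the way to the exfil POST. The domain `c2.example.invalid`, the IPs and the log lines are all constructed placeholders.

```python
import json

# Constructed indicator: placeholder standing in for a real C2 domain (not on this page).
C2_DOMAIN = "c2.example.invalid"

# Constructed Suricata-style EVE JSON records (not real telemetry): a DNS query,
# a TLS handshake with matching SNI, an HTTP POST to the same host, and unrelated noise.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-09-30T10:00:01","event_type":"dns","src_ip":"10.0.0.5",'
    '"dns":{"type":"query","rrname":"c2.example.invalid","rrtype":"A"}}',
    '{"timestamp":"2023-09-30T10:00:02","event_type":"tls","src_ip":"10.0.0.5",'
    '"dest_ip":"203.0.113.7","tls":{"sni":"c2.example.invalid"}}',
    '{"timestamp":"2023-09-30T10:00:03","event_type":"http","src_ip":"10.0.0.5",'
    '"dest_ip":"203.0.113.7","http":{"hostname":"c2.example.invalid",'
    '"http_method":"POST","url":"/","length":48211}}',
    '{"timestamp":"2023-09-30T10:05:00","event_type":"dns","src_ip":"10.0.0.9",'
    '"dns":{"type":"query","rrname":"updates.example.org","rrtype":"A"}}',
]


def match_event(event, domain):
    """Return the detection stage this event satisfies for `domain`, or None."""
    etype = event.get("event_type")
    if etype == "dns":
        dns = event.get("dns", {})
        # Stage 1: the host resolved the C2 name (mirrors a DNS query rule).
        if dns.get("type") == "query" and dns.get("rrname", "").lower() == domain:
            return "dns_query"
    elif etype == "tls":
        # Stage 2: the TLS ClientHello carried the C2 name as SNI.
        if event.get("tls", {}).get("sni", "").lower() == domain:
            return "tls_sni"
    elif etype == "http":
        http = event.get("http", {})
        # Stage 3: an outbound POST to the C2 host, the exfil/checkin shape.
        if http.get("hostname", "").lower() == domain and http.get("http_method") == "POST":
            return "http_post"
    return None


def correlate(lines, domain=C2_DOMAIN):
    """Map each source IP to the set of stages observed against `domain`."""
    stages = {}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed record instead of aborting the whole pass
        stage = match_event(event, domain)
        if stage:
            stages.setdefault(event.get("src_ip"), set()).add(stage)
    return stages


def high_confidence_hosts(stages):
    """Hosts that hit all three stages: resolution, TLS contact, and the POST."""
    required = {"dns_query", "tls_sni", "http_post"}
    return sorted(ip for ip, seen in stages.items() if required <= seen)


if __name__ == "__main__":
    result = correlate(SAMPLE_EVE_LINES)
    for ip, seen in result.items():
        print(ip, sorted(seen))
    print("high confidence:", high_confidence_hosts(result))
```

A DNS-only hit is often just resolution noise; the SNI and POST stages are what separate a sandbox or scanner lookup from a host that actually talked to the C2, which is why the example reports the per-host stage set rather than a flat list of alerts.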
An outbound checkin (SID 2048128) and inbound response (SID 2048129) for #Gh0st #RAT from this @naumovax share - we love pcaps in Wireshark - even in screenshot form!
These came via our Twitter observations, but you may (frequently) ask yourself - how can you get something into our view? Here are three ways! A post here at our #Discourse site, an email to support(at)emergingthreats(dot)net, or tweeting us @et_labs.
What can be found here? Here’s one example! In various threads, community user @vpx gives tips on triaging you can do when several of our INFO categorized alerts fire:
Rule submissions are welcome too! Friend @Jane0sint posts a follow-up in the comments, resulting in SID 2048130 to cover DarkCrystal RAT’s exfil. Check out the collaboration with our own @ishaughnessy! This is great to see and exactly why we maintain and support that site!
Lots of shared research and analysis from industry partners this week. From @SentinelOne, SIDs 2048106-2048108 covering DNS lookups against domains shared as reference:
This @TrendMicro share gave us data for a couple of DNS signatures (2048104 & 2048105) and also outbound C2 checkin alerting (2048118) for #EarthLusca/#SprySOCKS targeting Linux hosts!
Our friends at The DFIR Report released their latest case investigation - attackers delivering a malicious file to a target, leading to a ScreenConnect installation (a remote management and monitoring tool) and eventually resulting in a #hive ransomware infection. etopen rules fire throughout!
ET’s @trobinson667 and the @threatinsight team present this #ZenRAT blog - modular RAT working as an #infostealer. The released etopen detection rules are referenced at the end!