[***] Summary: [***]
17 new OPEN, 19 new PRO (17 + 2). DonotGroup, RecordBreaker/RaccoonV2, TA444, and Remcos.
Today we introduced a new "deployment" metadata tag value of "alert_only". This deployment value indicates that the rule should not be placed in a "blocking" mode and that the rule's action* should only ever be "alert". Population of this deployment metadata tag will continue as new rules are written.
* http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html#…
* https://suricata.readthedocs.io/en/latest/rules/intro.html#action
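As an added example (not part of this update notice and not Emerging Threats tooling), the script below shows how a ruleset consumer can honour the "deployment alert_only" metadata: it parses the action and the metadata keyword of each rule, reports any alert_only rule whose action is not "alert", and, when bulk-converting a ruleset from alert to drop for an inline sensor, leaves alert_only rules in alert mode. The sample rules and their sids are constructed placeholders, and the helper names are this example's own.

```python
import re

# Constructed sample rules for this example; the sids are placeholders,
# not Emerging Threats rules. The third rule is deliberately misconfigured
# (action "drop" despite "deployment alert_only").
SAMPLE_RULES = """\
alert dns $HOME_NET any -> any any (msg:"EXAMPLE DNS Query to Sample Domain"; dns.query; content:"example.invalid"; nocase; classtype:trojan-activity; sid:9000001; rev:1; metadata:created_at 2022_09_29, deployment Perimeter;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Low-fidelity indicator"; http.user_agent; content:"sample-ua"; classtype:bad-unknown; sid:9000002; rev:1; metadata:created_at 2022_09_29, deployment alert_only;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Misconfigured alert_only rule"; http.uri; content:"/sample"; classtype:bad-unknown; sid:9000003; rev:1; metadata:created_at 2022_09_29, deployment alert_only;)
# comment lines are ignored by the parser
"""

# The action is the first token of a rule line.
ACTION_RE = re.compile(r"^\s*(alert|drop|reject|pass|log)\s")
SID_RE = re.compile(r"sid\s*:\s*(\d+)\s*;")
METADATA_RE = re.compile(r"metadata\s*:\s*([^;]*);")


def parse_metadata(rule):
    """Return the metadata keyword as {key: [values]}; keys may repeat."""
    m = METADATA_RE.search(rule)
    if not m:
        return {}
    meta = {}
    for item in m.group(1).split(","):
        parts = item.strip().split(None, 1)
        if len(parts) == 2:
            meta.setdefault(parts[0], []).append(parts[1])
    return meta


def is_alert_only(rule):
    """True when the rule carries 'deployment alert_only' in its metadata."""
    return "alert_only" in parse_metadata(rule).get("deployment", [])


def rule_lines(rules_text):
    """Yield non-empty, non-comment rule lines with leading whitespace removed."""
    for line in rules_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped


def find_violations(rules_text):
    """Return sids of alert_only rules whose action is anything other than 'alert'."""
    bad = []
    for rule in rule_lines(rules_text):
        action, sid = ACTION_RE.match(rule), SID_RE.search(rule)
        if action and sid and is_alert_only(rule) and action.group(1) != "alert":
            bad.append(int(sid.group(1)))
    return bad


def convert_to_blocking(rules_text):
    """Rewrite 'alert' to 'drop' for an inline sensor, but keep (or restore)
    'alert' on every rule tagged deployment alert_only."""
    out = []
    for line in rules_text.splitlines():
        rule = line.strip()
        if not rule or rule.startswith("#") or not ACTION_RE.match(rule):
            out.append(line)
        elif is_alert_only(rule):
            out.append(ACTION_RE.sub("alert ", rule, count=1))
        elif rule.startswith("alert"):
            out.append("drop" + rule[len("alert"):])
        else:
            out.append(rule)
    return "\n".join(out) + "\n"


def rule_actions(rules_text):
    """Map sid -> action for every rule line, used to inspect a converted ruleset."""
    result = {}
    for rule in rule_lines(rules_text):
        action, sid = ACTION_RE.match(rule), SID_RE.search(rule)
        if action and sid:
            result[int(sid.group(1))] = action.group(1)
    return result


if __name__ == "__main__":
    print("alert_only rules not in alert mode:", find_violations(SAMPLE_RULES))
    print("actions after conversion:", rule_actions(convert_to_blocking(SAMPLE_RULES)))
```

The metadata keyword is parsed as comma-separated "key value" pairs, which is how Emerging Threats rules carry tags such as created_at and deployment; keys are collected as lists because a rule may repeat a key. Running the script against a real ruleset before loading it into an inline sensor catches the case the notice warns about: a rule meant to be alert-only being switched to a blocking action.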
Thanks to @abuse_ch, @benkow_, @ShadowChasing1
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2038913 - ET MALWARE DonotGroup Activity (GET) (malware.rules)
2038914 - ET MALWARE DonotGroup Related Domain in DNS Lookup (furnish .spacequery .live) (malware.rules)
2038915 - ET MALWARE Observed DonotGroup Related Domain (furnish .spacequery .live in TLS SNI) (malware.rules)
2038916 - ET MALWARE Win32/RecordBreaker - Observed UA M3 (TakeMyPainBack) (malware.rules)
2038917 - ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response M2 (malware.rules)
2038918 - ET MALWARE Win32/Cryptbotv2 Activity (POST) (malware.rules)
2038919 - ET MALWARE Observed DNS Query to TA444 Domain (docuprivacy .com) (malware.rules)
2038920 - ET MALWARE Observed DNS Query to TA444 Domain (share .anobaka .info) (malware.rules)
2038921 - ET MALWARE Observed DNS Query to TA444 Domain (privacysign .org) (malware.rules)
2038922 - ET MALWARE Observed DNS Query to TA444 Domain (ms .onlineshares .cloud) (malware.rules)
2038923 - ET MALWARE Observed DNS Query to TA444 Domain (team .msteam .biz) (malware.rules)
2038924 - ET MALWARE Observed DNS Query to TA444 Domain (mizuhogroup .us) (malware.rules)
2038925 - ET MALWARE Observed DNS Query to TA444 Domain (docs .azurehosting .co) (malware.rules)
2038926 - ET MALWARE Observed DNS Query to TA444 Domain (tptf .fund) (malware.rules)
2038927 - ET MALWARE Observed DNS Query to TA444 Domain (perseus .bond) (malware.rules)
2038928 - ET MALWARE Observed DNS Query to TA444 Domain (smbcgroup .us) (malware.rules)
2038929 - ET MALWARE Observed DNS Query to TA444 Domain (tptf .cloud) (malware.rules)
Pro:
2852394 - ETPRO MALWARE Win32/Remcos RAT Checkin 837 (malware.rules)
[///] Modified active rules: [///]
2012252 - ET SHELLCODE Common 0a0a0a0a Heap Spray String (shellcode.rules)
2035463 - ET INFO Observed Discord Domain (discord .com in TLS SNI) (info.rules)
2035464 - ET INFO Observed Discord Domain (discordapp .com in TLS SNI) (info.rules)
2035465 - ET INFO Observed Discord Domain in DNS Lookup (discord .com) (info.rules)
2035466 - ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) (info.rules)
2036269 - ET ADWARE_PUP Win/Malware.Filetour Variant Checkin M1 (adware_pup.rules)
2803758 - ETPRO MALWARE Covert DNS Channel Query (ipcheker .com) (malware.rules)
2038904 - ET PHISHING TA398 Phishing Kit URI Pattern M1 (phishing.rules)
2038905 - ET PHISHING TA398 Phishing Kit URI Pattern M2 (phishing.rules)
[///] Modified inactive rules: [///]
2015736 - ET MALWARE DNS Query to Unknown CnC DGA Domain (defmaybe .com) 09/25/12 (malware.rules)
2803759 - ETPRO MALWARE Covert DNS Channel Query (ipgreat .com) (malware.rules)
2849665 - ETPRO HUNTING Observed Suspicious URI Structure with Common Escape Character - Possible Exploit (hunting.rules)