[***] Summary: [***]

128 new OPEN, 128 new PRO (128 + 0). TA444, Win32/Valyria, Various
Dynamic DNS Hosts, Others.

Thanks @h2jazi @_CERT_UA @securityshrimp

The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Open:

2042543 - ET INFO DYNAMIC_DNS Query to a *.erke .biz .tr Domain
(emerging-info.rules)
2042544 - ET INFO DYNAMIC_DNS HTTP Request to a *.erke .biz .tr Domain
(emerging-info.rules)
2042545 - ET INFO DYNAMIC_DNS Query to a *.francemacau .com Domain
(emerging-info.rules)
2042546 - ET INFO DYNAMIC_DNS HTTP Request to a *.francemacau .com Domain
(emerging-info.rules)
2042547 - ET INFO DYNAMIC_DNS Query to a *.homelinux .net Domain
(emerging-info.rules)
2042548 - ET INFO DYNAMIC_DNS HTTP Request to a *.homelinux .net Domain
(emerging-info.rules)
2042549 - ET INFO DYNAMIC_DNS Query to a *.from-nm .com Domain
(emerging-info.rules)
2042550 - ET INFO DYNAMIC_DNS HTTP Request to a *.from-nm .com Domain
(emerging-info.rules)
2042551 - ET INFO DYNAMIC_DNS Query to a *.dyndns-wiki .com Domain
(emerging-info.rules)
2042552 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-wiki .com Domain
(emerging-info.rules)
2042553 - ET INFO DYNAMIC_DNS Query to a *.kicks-ass .org Domain
(emerging-info.rules)
2042554 - ET INFO DYNAMIC_DNS HTTP Request to a *.kicks-ass .org Domain
(emerging-info.rules)
2042555 - ET INFO DYNAMIC_DNS Query to a *.groks-this .info Domain
(emerging-info.rules)
2042556 - ET INFO DYNAMIC_DNS HTTP Request to a *.groks-this .info Domain
(emerging-info.rules)
2042557 - ET INFO DYNAMIC_DNS Query to a *.is-leet .com Domain
(emerging-info.rules)
2042558 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-leet .com Domain
(emerging-info.rules)
2042559 - ET INFO DYNAMIC_DNS Query to a *.webhop .org Domain
(emerging-info.rules)
2042560 - ET INFO DYNAMIC_DNS HTTP Request to a *.webhop .org Domain
(emerging-info.rules)
2042561 - ET INFO DYNAMIC_DNS Query to a *.is-a-guru .com Domain
(emerging-info.rules)
2042562 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-a-guru .com Domain
(emerging-info.rules)
2042563 - ET INFO DYNAMIC_DNS Query to a *.from-ne .com Domain
(emerging-info.rules)
2042564 - ET INFO DYNAMIC_DNS HTTP Request to a *.from-ne .com Domain
(emerging-info.rules)
2042565 - ET INFO DYNAMIC_DNS Query to a *.from-ny .net Domain
(emerging-info.rules)
2042566 - ET INFO DYNAMIC_DNS HTTP Request to a *.from-ny .net Domain
(emerging-info.rules)
2042567 - ET INFO DYNAMIC_DNS Query to a *.is-a-bulls-fan .com Domain
(emerging-info.rules)
2042568 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-a-bulls-fan .com
Domain (emerging-info.rules)
2042569 - ET INFO DYNAMIC_DNS Query to a *.likes-pie .com Domain
(emerging-info.rules)
2042570 - ET INFO DYNAMIC_DNS HTTP Request to a *.likes-pie .com Domain
(emerging-info.rules)
2042571 - ET INFO DYNAMIC_DNS Query to a *.dnsdojo .org Domain
(emerging-info.rules)
2042572 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsdojo .org Domain
(emerging-info.rules)
2042573 - ET INFO DYNAMIC_DNS Query to a *.here-for-more .info Domain
(emerging-info.rules)
2042574 - ET INFO DYNAMIC_DNS HTTP Request to a *.here-for-more .info
Domain (emerging-info.rules)
2042575 - ET INFO DYNAMIC_DNS Query to a *.is-a-nurse .com Domain
(emerging-info.rules)
2042576 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-a-nurse .com Domain
(emerging-info.rules)
2042577 - ET INFO DYNAMIC_DNS Query to a *.is-a-rockstar .com Domain
(emerging-info.rules)
2042578 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-a-rockstar .com
Domain (emerging-info.rules)
2042579 - ET INFO DYNAMIC_DNS Query to a *.is-saved .org Domain
(emerging-info.rules)
2042580 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-saved .org Domain
(emerging-info.rules)
2042581 - ET INFO DYNAMIC_DNS Query to a *.doomdns .org Domain
(emerging-info.rules)
2042582 - ET INFO DYNAMIC_DNS HTTP Request to a *.doomdns .org Domain
(emerging-info.rules)
2042583 - ET INFO DYNAMIC_DNS Query to a *.shacknet .biz Domain
(emerging-info.rules)
2042584 - ET INFO DYNAMIC_DNS HTTP Request to a *.shacknet .biz Domain
(emerging-info.rules)
2042585 - ET INFO DYNAMIC_DNS Query to a *.is-a-libertarian .com Domain
(emerging-info.rules)
2042586 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-a-libertarian .com
Domain (emerging-info.rules)
2042587 - ET INFO DYNAMIC_DNS Query to a *.selfip .info Domain
(emerging-info.rules)
2042588 - ET INFO DYNAMIC_DNS HTTP Request to a *.selfip .info Domain
(emerging-info.rules)
2042589 - ET INFO DYNAMIC_DNS Query to a *.is-a-socialist .com Domain
(emerging-info.rules)
2042590 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-a-socialist .com
Domain (emerging-info.rules)
2042591 - ET INFO DYNAMIC_DNS Query to a *.is-a-blogger .com Domain
(emerging-info.rules)
2042592 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-a-blogger .com Domain
(emerging-info.rules)
2042593 - ET INFO DYNAMIC_DNS Query to a *.from-il .com Domain
(emerging-info.rules)
2042594 - ET INFO DYNAMIC_DNS HTTP Request to a *.from-il .com Domain
(emerging-info.rules)
2042595 - ET INFO DYNAMIC_DNS Query to a *.dyndns-office .com Domain
(emerging-info.rules)
2042596 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-office .com
Domain (emerging-info.rules)
2042597 - ET INFO DYNAMIC_DNS Query to a *.from-pr .com Domain
(emerging-info.rules)
2042598 - ET INFO DYNAMIC_DNS HTTP Request to a *.from-pr .com Domain
(emerging-info.rules)
2042599 - ET INFO DYNAMIC_DNS Query to a *.game-server .cc Domain
(emerging-info.rules)
2042600 - ET INFO DYNAMIC_DNS HTTP Request to a *.game-server .cc Domain
(emerging-info.rules)
2042601 - ET INFO DYNAMIC_DNS Query to a *.is-a-celticsfan .org Domain
(emerging-info.rules)
2042602 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-a-celticsfan .org
Domain (emerging-info.rules)
2042603 - ET INFO DYNAMIC_DNS Query to a *.is-slick .com Domain
(emerging-info.rules)
2042604 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-slick .com Domain
(emerging-info.rules)
2042605 - ET INFO DYNAMIC_DNS Query to a *.from-wi .com Domain
(emerging-info.rules)
2042606 - ET INFO DYNAMIC_DNS HTTP Request to a *.from-wi .com Domain
(emerging-info.rules)
2042607 - ET INFO DYNAMIC_DNS Query to a *.likescandy .com Domain
(emerging-info.rules)
2042608 - ET INFO DYNAMIC_DNS HTTP Request to a *.likescandy .com Domain
(emerging-info.rules)
2042609 - ET INFO DYNAMIC_DNS Query to a *.dynalias .net Domain
(emerging-info.rules)
2042610 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynalias .net Domain
(emerging-info.rules)
2042611 - ET INFO DYNAMIC_DNS Query to a *.dyndns-pics .com Domain
(emerging-info.rules)
2042612 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-pics .com Domain
(emerging-info.rules)
2042613 - ET INFO DYNAMIC_DNS Query to a *.from-in .com Domain
(emerging-info.rules)
2042614 - ET INFO DYNAMIC_DNS HTTP Request to a *.from-in .com Domain
(emerging-info.rules)
2042615 - ET INFO DYNAMIC_DNS Query to a *.gotdns .org Domain
(emerging-info.rules)
2042616 - ET INFO DYNAMIC_DNS HTTP Request to a *.gotdns .org Domain
(emerging-info.rules)
2042617 - ET INFO DYNAMIC_DNS Query to a *.lebtimnetz .de Domain
(emerging-info.rules)
2042618 - ET INFO DYNAMIC_DNS HTTP Request to a *.lebtimnetz .de Domain
(emerging-info.rules)
2042619 - ET INFO DYNAMIC_DNS Query to a *.is-an-artist .com Domain
(emerging-info.rules)
2042620 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-an-artist .com Domain
(emerging-info.rules)
2042621 - ET INFO DYNAMIC_DNS Query to a *.buyshouses .net Domain
(emerging-info.rules)
2042622 - ET INFO DYNAMIC_DNS HTTP Request to a *.buyshouses .net Domain
(emerging-info.rules)
2042623 - ET INFO DYNAMIC_DNS Query to a *.isa-hockeynut .com Domain
(emerging-info.rules)
2042624 - ET INFO DYNAMIC_DNS HTTP Request to a *.isa-hockeynut .com
Domain (emerging-info.rules)
2042625 - ET INFO DYNAMIC_DNS Query to a *.forgot .his .name Domain
(emerging-info.rules)
2042626 - ET INFO DYNAMIC_DNS HTTP Request to a *.forgot .his .name Domain
(emerging-info.rules)
2042627 - ET INFO DYNAMIC_DNS Query to a *.from-me .org Domain
(emerging-info.rules)
2042628 - ET INFO DYNAMIC_DNS HTTP Request to a *.from-me .org Domain
(emerging-info.rules)
2042629 - ET INFO DYNAMIC_DNS Query to a *.isa-geek .org Domain
(emerging-info.rules)
2042630 - ET INFO DYNAMIC_DNS HTTP Request to a *.isa-geek .org Domain
(emerging-info.rules)
2042631 - ET INFO DYNAMIC_DNS Query to a *.for-the .biz Domain
(emerging-info.rules)
2042632 - ET INFO DYNAMIC_DNS HTTP Request to a *.for-the .biz Domain
(emerging-info.rules)
2042633 - ET INFO DYNAMIC_DNS Query to a *.readmyblog .org Domain
(emerging-info.rules)
2042634 - ET INFO DYNAMIC_DNS HTTP Request to a *.readmyblog .org Domain
(emerging-info.rules)
2042635 - ET INFO DYNAMIC_DNS Query to a *.is-a-therapist .com Domain
(emerging-info.rules)
2042636 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-a-therapist .com
Domain (emerging-info.rules)
2042637 - ET INFO DYNAMIC_DNS Query to a *.traeumtgerade .de Domain
(emerging-info.rules)
2042638 - ET INFO DYNAMIC_DNS HTTP Request to a *.traeumtgerade .de Domain
(emerging-info.rules)
2042639 - ET INFO DYNAMIC_DNS Query to a *.kicks-ass .net Domain
(emerging-info.rules)
2042640 - ET INFO DYNAMIC_DNS HTTP Request to a *.kicks-ass .net Domain
(emerging-info.rules)
2042641 - ET INFO DYNAMIC_DNS Query to a *.sells-it .net Domain
(emerging-info.rules)
2042642 - ET INFO DYNAMIC_DNS HTTP Request to a *.sells-it .net Domain
(emerging-info.rules)
2042643 - ET MALWARE Observed TA444/Lazarus Domain (one .microshare
.cloud) in TLS SNI (emerging-malware.rules)
2042644 - ET MALWARE TA444/Lazarus Related Domain in DNS Lookup
(microshare .cloud) (emerging-malware.rules)
2042645 - ET MALWARE TA444 Related Domain in DNS Lookup (docs-view .cloud)
(emerging-malware.rules)
2042646 - ET MALWARE TA444 Related Domain in DNS Lookup (microshare
.cloud) (emerging-malware.rules)
2042647 - ET MALWARE TA444 Related Domain in DNS Lookup (mufg .college)
(emerging-malware.rules)
2042648 - ET MALWARE TA444 Related Domain in DNS Lookup (auto-protection
.cloud) (emerging-malware.rules)
2042649 - ET MALWARE TA444 Related Domain in DNS Lookup (prosec .ink)
(emerging-malware.rules)
2042650 - ET MALWARE TA444 Related Domain in DNS Lookup (smbc-vc .com)
(emerging-malware.rules)
2042651 - ET MALWARE TA444 Related Domain in DNS Lookup (angelbridge
.capital) (emerging-malware.rules)
2042652 - ET MALWARE TA444 Related Domain in DNS Lookup (meeting .work
.gd) (emerging-malware.rules)
2042653 - ET MALWARE DangerousPassword APT Related Domain in DNS Lookup
(thecloudnet .org) (emerging-malware.rules)
2042654 - ET MALWARE Observed DangerousPassword Related Domain (www
.thecloudnet .org in TLS SNI) (emerging-malware.rules)
2042655 - ET MALWARE DangerousPassword APT Style Request (GET)
(emerging-malware.rules)
2042656 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup
(emerging-malware.rules)
2042657 - ET MALWARE Observed Gamaredon APT Related Domain (dwn-files
.shop in TLS SNI) (emerging-malware.rules)
2042658 - ET MALWARE Win32/Valyria Maldoc Payload Request M1
(emerging-malware.rules)
2042659 - ET MALWARE Win32/Valyria Maldoc Payload Request M2
(emerging-malware.rules)
2042660 - ET PHISHING ING Banking Credential Phish Landing Page 2022-12-12
(emerging-phishing.rules)
2042661 - ET PHISHING Successful ING Banking Credential Phish 2022-12-12
(emerging-phishing.rules)
2042662 - ET PHISHING e-Orico Credential Phish Landing Page 2022-12-12
(emerging-phishing.rules)
2042664 - ET PHISHING Successful PostBank Credential Phish 2022-12-12
(emerging-phishing.rules)

[///] Modified inactive rules: [///]

2039685 - ET INFO localhost .run Domain in DNS Lookup DNS Lookup (.lhr
.rocks) (emerging-info.rules)

[---] Disabled and modified rules: [---]

2039010 - ET MALWARE SocGholish Domain in DNS Lookup (people .zonashoppers
.com) (emerging-malware.rules)
2039032 - ET MALWARE SocGholish Domain in DNS Lookup (training
.c1ypsilanti .org) (emerging-malware.rules)
2039033 - ET MALWARE SocGholish Domain in DNS Lookup (engine
.discoveryhypnosis .com) (emerging-malware.rules)
2039034 - ET MALWARE SocGholish Domain in DNS Lookup (fundraising
.mystylingmylife .xyz) (emerging-malware.rules)
2039035 - ET MALWARE SocGholish Domain in DNS Lookup (resale .adkelly
.com) (emerging-malware.rules)
2039036 - ET MALWARE SocGholish Domain in DNS Lookup (auction
.wonderwomanquilts .com) (emerging-malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
