[***] Summary: [***]
110 new OPEN, 110 new PRO (110 + 0). Win32/SocksTroy, SocGholish,
Various Dynamic DNS Hosts, Others.
Thanks @fr0s7_, @James_inthe_box
The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
[+++] Added rules: [+++]
Open:
2042665 - ET INFO DYNAMIC_DNS Query to a *.stuff-4-sale .us Domain
(info.rules)
2042666 - ET INFO DYNAMIC_DNS HTTP Request to a *.stuff-4-sale .us Domain
(info.rules)
2042667 - ET INFO DYNAMIC_DNS Query to a *.is-into-games .com Domain
(info.rules)
2042668 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-into-games .com
Domain (info.rules)
2042669 - ET INFO DYNAMIC_DNS Query to a *.homeunix .org Domain
(info.rules)
2042670 - ET INFO DYNAMIC_DNS HTTP Request to a *.homeunix .org Domain
(info.rules)
2042671 - ET INFO DYNAMIC_DNS Query to a *.worse-than .tv Domain
(info.rules)
2042672 - ET INFO DYNAMIC_DNS HTTP Request to a *.worse-than .tv Domain
(info.rules)
2042673 - ET INFO DYNAMIC_DNS Query to a *.is-very-sweet .org Domain
(info.rules)
2042674 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-very-sweet .org
Domain (info.rules)
2042675 - ET INFO DYNAMIC_DNS Query to a *.at-band-camp .net Domain
(info.rules)
2042676 - ET INFO DYNAMIC_DNS HTTP Request to a *.at-band-camp .net
Domain (info.rules)
2042677 - ET INFO DYNAMIC_DNS Query to a *.sells-for-less .com Domain
(info.rules)
2042678 - ET INFO DYNAMIC_DNS HTTP Request to a *.sells-for-less .com
Domain (info.rules)
2042679 - ET INFO DYNAMIC_DNS Query to a *.serveftp .net Domain
(info.rules)
2042680 - ET INFO DYNAMIC_DNS HTTP Request to a *.serveftp .net Domain
(info.rules)
2042681 - ET INFO DYNAMIC_DNS Query to a *.selfip .org Domain (info.rules)
2042682 - ET INFO DYNAMIC_DNS HTTP Request to a *.selfip .org Domain
(info.rules)
2042683 - ET INFO DYNAMIC_DNS Query to a *.is-by .us Domain (info.rules)
2042684 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-by .us Domain
(info.rules)
2042685 - ET INFO DYNAMIC_DNS Query to a *.dyndns-at-home .com Domain
(info.rules)
2042686 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-at-home .com
Domain (info.rules)
2042687 - ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain (info.rules)
2042688 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain
(info.rules)
2042689 - ET INFO DYNAMIC_DNS Query to a *.dynalias .org Domain
(info.rules)
2042690 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynalias .org Domain
(info.rules)
2042691 - ET INFO DYNAMIC_DNS Query to a *.dnsdojo .com Domain
(info.rules)
2042692 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsdojo .com Domain
(info.rules)
2042693 - ET INFO DYNAMIC_DNS Query to a *.from-co .net Domain
(info.rules)
2042694 - ET INFO DYNAMIC_DNS HTTP Request to a *.from-co .net Domain
(info.rules)
2042695 - ET INFO DYNAMIC_DNS Query to a *.doomdns .com Domain
(info.rules)
2042696 - ET INFO DYNAMIC_DNS HTTP Request to a *.doomdns .com Domain
(info.rules)
2042697 - ET INFO DYNAMIC_DNS Query to a *.groks-the .info Domain
(info.rules)
2042698 - ET INFO DYNAMIC_DNS HTTP Request to a *.groks-the .info Domain
(info.rules)
2042699 - ET INFO DYNAMIC_DNS Query to a *.office-on-the .net Domain
(info.rules)
2042700 - ET INFO DYNAMIC_DNS HTTP Request to a *.office-on-the .net
Domain (info.rules)
2042701 - ET INFO DYNAMIC_DNS Query to a *.doesntexist .org Domain
(info.rules)
2042702 - ET INFO DYNAMIC_DNS HTTP Request to a *.doesntexist .org Domain
(info.rules)
2042703 - ET INFO DYNAMIC_DNS Query to a *.dyndns .tv Domain (info.rules)
2042704 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .tv Domain
(info.rules)
2042705 - ET INFO DYNAMIC_DNS Query to a *.endofinternet .net Domain
(info.rules)
2042706 - ET INFO DYNAMIC_DNS HTTP Request to a *.endofinternet .net
Domain (info.rules)
2042707 - ET INFO DYNAMIC_DNS Query to a *.getmyip .com Domain
(info.rules)
2042708 - ET INFO DYNAMIC_DNS HTTP Request to a *.getmyip .com Domain
(info.rules)
2042709 - ET INFO DYNAMIC_DNS Query to a *.is-a-chef .org Domain
(info.rules)
2042710 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-a-chef .org Domain
(info.rules)
2042711 - ET INFO DYNAMIC_DNS Query to a *.dynamicdns .biz Domain
(info.rules)
2042712 - ET INFO DYNAMIC_DNS Query to a *.freewww .biz Domain
(info.rules)
2042713 - ET INFO DYNAMIC_DNS Query to a *.dns1 .us Domain (info.rules)
2042714 - ET INFO DYNAMIC_DNS Query to a *.ddns .mobi Domain (info.rules)
2042715 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .mobi Domain
(info.rules)
2042716 - ET INFO DYNAMIC_DNS HTTP Request to a *.gr8domain .biz Domain
(info.rules)
2042717 - ET INFO DYNAMIC_DNS Query to a *.bigmoney .biz Domain
(info.rules)
2042718 - ET INFO DYNAMIC_DNS Query to a *.zyns .com Domain (info.rules)
2042719 - ET INFO DYNAMIC_DNS Query to a *.dns-report .com Domain
(info.rules)
2042720 - ET INFO DYNAMIC_DNS Query to a *.otzo .com Domain (info.rules)
2042721 - ET INFO DYNAMIC_DNS Query to a *.freetcp .com Domain
(info.rules)
2042722 - ET INFO DYNAMIC_DNS Query to a *.proxydns .com Domain
(info.rules)
2042723 - ET INFO DYNAMIC_DNS Query to a *.myddns .com Domain (info.rules)
2042724 - ET INFO DYNAMIC_DNS HTTP Request to a *.myddns .com Domain
(info.rules)
2042725 - ET INFO DYNAMIC_DNS HTTP Request to a *.misecure .com Domain
(info.rules)
2042726 - ET INFO DYNAMIC_DNS HTTP Request to a *.dns-stuff .com Domain
(info.rules)
2042727 - ET INFO DYNAMIC_DNS Query to a *.zzux .com Domain (info.rules)
2042728 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynns .com Domain
(info.rules)
2042729 - ET INFO DYNAMIC_DNS HTTP Request to a *.serveblog .net Domain
(info.rules)
2042730 - ET INFO DYNAMIC_DNS HTTP Request to a *.net-freaks .com Domain
(info.rules)
2042731 - ET INFO DYNAMIC_DNS HTTP Request to a *.myvnc .com Domain
(info.rules)
2042732 - ET INFO DYNAMIC_DNS HTTP Request to a *.freedynamicdns .net
Domain (info.rules)
2042733 - ET INFO DYNAMIC_DNS HTTP Request to a *.ditchyourip .com Domain
(info.rules)
2042734 - ET INFO DYNAMIC_DNS HTTP Request to a *.servehumour .com Domain
(info.rules)
2042735 - ET INFO DYNAMIC_DNS HTTP Request to a *.servebeer .com Domain
(info.rules)
2042736 - ET INFO DYNAMIC_DNS HTTP Request to a *.mypsx .net Domain
(info.rules)
2042737 - ET INFO DYNAMIC_DNS HTTP Request to a *.ufcfan .org Domain
(info.rules)
2042738 - ET INFO DYNAMIC_DNS HTTP Request to a *.mmafan .biz Domain
(info.rules)
2042739 - ET INFO DYNAMIC_DNS HTTP Request to a
*.privatizehealthinsurance .net Domain (info.rules)
2042740 - ET INFO DYNAMIC_DNS Query to a *.gotdns .ch Domain (info.rules)
2042741 - ET INFO DYNAMIC_DNS HTTP Request to a *.gotdns .ch Domain
(info.rules)
2042742 - ET INFO DYNAMIC_DNS HTTP Request to a *.read-books .org Domain
(info.rules)
2042743 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsiskinky .com Domain
(info.rules)
2042744 - ET INFO DYNAMIC_DNS HTTP Request to a *.mlbfan .org Domain
(info.rules)
2042745 - ET INFO DYNAMIC_DNS HTTP Request to a *.myeffect .net Domain
(info.rules)
2042746 - ET INFO DYNAMIC_DNS HTTP Request to a *.access .ly Domain
(info.rules)
2042747 - ET INFO DYNAMIC_DNS HTTP Request to a *.health-carereform .com
Domain (info.rules)
2042748 - ET INFO DYNAMIC_DNS HTTP Request to a *.pgafan .net Domain
(info.rules)
2042749 - ET INFO DYNAMIC_DNS HTTP Request to a *.dvrcam .info Domain
(info.rules)
2042750 - ET INFO DYNAMIC_DNS HTTP Request to a *.cable-modem .org Domain
(info.rules)
2042751 - ET INFO DYNAMIC_DNS HTTP Request to a *.hopto .me Domain
(info.rules)
2042752 - ET INFO DYNAMIC_DNS HTTP Request to a *.quicksytes .com Domain
(info.rules)
2042753 - ET INFO DYNAMIC_DNS HTTP Request to a *.mydissent .net Domain
(info.rules)
2042754 - ET INFO DYNAMIC_DNS HTTP Request to a *.freedynamicdns .org
Domain (info.rules)
2042755 - ET INFO DYNAMIC_DNS HTTP Request to a *.hopto .org Domain
(info.rules)
2042756 - ET INFO DYNAMIC_DNS HTTP Request to a *.homesecuritypc .com
Domain (info.rules)
2042757 - ET INFO DYNAMIC_DNS HTTP Request to a *.myactivedirectory .com
Domain (info.rules)
2042758 - ET INFO DYNAMIC_DNS HTTP Request to a *.ciscofreak .com Domain
(info.rules)
2042759 - ET INFO DYNAMIC_DNS HTTP Request to a *.pointto .us Domain
(info.rules)
2042760 - ET INFO DYNAMIC_DNS HTTP Request to a *.brasilia .me Domain
(info.rules)
2042761 - ET INFO DYNAMIC_DNS HTTP Request to a *.damnserver .com Domain
(info.rules)
2042762 - ET INFO DYNAMIC_DNS HTTP Request to a *.servemp3 .com Domain
(info.rules)
2042763 - ET INFO DYNAMIC_DNS HTTP Request to a *.servecounterstrike .com
Domain (info.rules)
2042764 - ET INFO DYNAMIC_DNS HTTP Request to a *.workisboring .com
Domain (info.rules)
2042765 - ET INFO localtunnel Tunneling Domain in DNS Lookup (loca .lt)
(info.rules)
2042766 - ET INFO localtunnel Tunneling Domain in DNS Lookup (localtunnel
.me) (info.rules)
2042767 - ET MALWARE 7ev3n Ransomware Related Activity (GET)
(malware.rules)
2042768 - ET MALWARE DOC/TrojanDownloader.Agent.ARJ Payload Request
(malware.rules)
2042769 - ET MALWARE PSRansom File Exfiltration (POST) (malware.rules)
2042770 - ET MALWARE Villain C2 Framework HTTP Server Response
(malware.rules)
2042771 - ET MALWARE Win32/SocksTroy Session Initiation Attempt M1
(malware.rules)
2042772 - ET MALWARE Win32/SocksTroy Session Initiation Attempt M2
(malware.rules)
2042773 - ET MALWARE SocGholish Domain in DNS Lookup (modernism
.designpaw .com) (malware.rules)
2042774 - ET MALWARE SocGholish Domain in DNS Lookup (library .covebooks
.com) (malware.rules)
[///] Modified active rules: [///]
2029705 - ET HUNTING Possible COVID-19 Domain in SSL Certificate M1
(hunting.rules)
2029708 - ET HUNTING Suspicious TLS SNI Request for Possible COVID-19
Domain M2 (hunting.rules)
2029710 - ET HUNTING Suspicious Domain Request for Possible COVID-19
Domain M2 (hunting.rules)
2029712 - ET HUNTING Suspicious GET Request with Possible COVID-19 Domain
M2 (hunting.rules)
2039078 - ET MALWARE SocGholish Domain in DNS Lookup (premiere
.4tosocialbeginners .com) (malware.rules)
2042189 - ET MALWARE Impersoni-fake-ator backdoor CnC Checkin
(malware.rules)
2042663 - ET MALWARE Villain C2 Framework HTTP Command Response
(malware.rules)
2845553 - ETPRO PHISHING Suspected GoPhish Phishing Landing M1
(phishing.rules)
[---] Disabled and modified rules: [---]
2809148 - ETPRO WEB_CLIENT Microsoft Word RCE (CVE-2014-6333)
(web_client.rules)
2809149 - ETPRO WEB_CLIENT Microsoft Word RCE (CVE-2014-6334)
(web_client.rules)
2809152 - ETPRO WEB_CLIENT Microsoft Internet Explorer Memory Corruption
Vulnerability CVE-2014-6337 (web_client.rules)
2809154 - ETPRO WEB_CLIENT Possible Internet Explorer Cross-domain
Information Disclosure CVE-2014-6340 (web_client.rules)
2809158 - ETPRO WEB_CLIENT IE Memory Corruption Vulnerability
CVE-2014-6347 (web_client.rules)
2809160 - ETPRO WEB_CLIENT IE Memory Corruption Vulnerability
CVE-2014-6347 (web_client.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | Proofpoint Inc | Emerging Threats Team