[***] Summary: [***]
119 new OPEN, 120 new PRO (119 + 1). RedditC2, Cobalt Strike, Various Dynamic DNS Hosts, Others.
Thanks NoahWolf, @Slash30Miata, @Unit42_Intel
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
[+++] Added rules: [+++]
Open:
2042775 - ET MALWARE Filez Downloader Checkin (malware.rules)
2042776 - ET INFO DYNAMIC_DNS Query to a *.ndra .biz Domain (info.rules)
2042777 - ET INFO DYNAMIC_DNS HTTP Request to a *.ndra .biz Domain (info.rules)
2042778 - ET INFO DYNAMIC_DNS HTTP Request to a *.stufftoread .com Domain (info.rules)
2042779 - ET INFO DYNAMIC_DNS HTTP Request to a *.hosthampster .com Domain (info.rules)
2042780 - ET INFO DYNAMIC_DNS HTTP Request to a *.collegefan .org Domain (info.rules)
2042781 - ET INFO DYNAMIC_DNS HTTP Request to a *.mysecuritycamera .org Domain (info.rules)
2042782 - ET INFO DYNAMIC_DNS HTTP Request to a *.servesarcasm .com Domain (info.rules)
2042783 - ET INFO DYNAMIC_DNS HTTP Request to a *.golffan .us Domain (info.rules)
2042784 - ET INFO DYNAMIC_DNS HTTP Request to a *.viewdns .net Domain (info.rules)
2042785 - ET INFO DYNAMIC_DNS HTTP Request to a *.mysecuritycamera .com Domain (info.rules)
2042786 - ET INFO DYNAMIC_DNS HTTP Request to a *.serveexchange .com Domain (info.rules)
2042787 - ET INFO DYNAMIC_DNS HTTP Request to a *.nhlfan .net Domain (info.rules)
2042788 - ET INFO DYNAMIC_DNS HTTP Request to a *.serveminecraft .net Domain (info.rules)
2042789 - ET INFO DYNAMIC_DNS HTTP Request to a *.onthewifi .com Domain (info.rules)
2042790 - ET INFO DYNAMIC_DNS HTTP Request to a *.serveftp .com Domain (info.rules)
2042791 - ET INFO DYNAMIC_DNS HTTP Request to a *.myftp .org Domain (info.rules)
2042792 - ET INFO DYNAMIC_DNS HTTP Request to a *.zapto .org Domain (info.rules)
2042793 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .me Domain (info.rules)
2042794 - ET INFO DYNAMIC_DNS HTTP Request to a *.mymediapc .net Domain (info.rules)
2042795 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddnsking .com Domain (info.rules)
2042796 - ET INFO DYNAMIC_DNS HTTP Request to a *.bounceme .net Domain (info.rules)
2042797 - ET INFO DYNAMIC_DNS HTTP Request to a *.3utilities .com Domain (info.rules)
2042798 - ET INFO DYNAMIC_DNS HTTP Request to a *.point2this .com Domain (info.rules)
2042799 - ET INFO DYNAMIC_DNS HTTP Request to a *.servehttp .com Domain (info.rules)
2042800 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsfor .me Domain (info.rules)
2042801 - ET INFO DYNAMIC_DNS HTTP Request to a *.eating-organic .net Domain (info.rules)
2042802 - ET INFO DYNAMIC_DNS HTTP Request to a *.unusualperson .com Domain (info.rules)
2042803 - ET INFO DYNAMIC_DNS HTTP Request to a *.servehalflife .com Domain (info.rules)
2042804 - ET INFO DYNAMIC_DNS HTTP Request to a *.loginto .me Domain (info.rules)
2042805 - ET INFO DYNAMIC_DNS HTTP Request to a *.myftp .biz Domain (info.rules)
2042806 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain (info.rules)
2042807 - ET INFO DYNAMIC_DNS HTTP Request to a *.servepics .com Domain (info.rules)
2042808 - ET INFO DYNAMIC_DNS HTTP Request to a *.mysecuritycamera .net Domain (info.rules)
2042809 - ET INFO DYNAMIC_DNS HTTP Request to a *.geekgalaxy .com Domain (info.rules)
2042810 - ET INFO DYNAMIC_DNS HTTP Request to a *.ilovecollege .info Domain (info.rules)
2042811 - ET INFO DYNAMIC_DNS HTTP Request to a *.fantasyleague .cc Domain (info.rules)
2042812 - ET INFO DYNAMIC_DNS HTTP Request to a *.homesecuritymac .com Domain (info.rules)
2042813 - ET INFO DYNAMIC_DNS HTTP Request to a *.blogsyte .com Domain (info.rules)
2042814 - ET INFO DYNAMIC_DNS HTTP Request to a *.nflfan .org Domain (info.rules)
2042815 - ET INFO DYNAMIC_DNS HTTP Request to a *.webhop .me Domain (info.rules)
2042816 - ET INFO DYNAMIC_DNS HTTP Request to a *.couchpotatofries .org Domain (info.rules)
2042817 - ET INFO DYNAMIC_DNS HTTP Request to a *.servequake .com Domain (info.rules)
2042818 - ET INFO DYNAMIC_DNS HTTP Request to a *.servep2p .com Domain (info.rules)
2042819 - ET INFO DYNAMIC_DNS HTTP Request to a *.serveirc .com Domain (info.rules)
2042820 - ET INFO DYNAMIC_DNS HTTP Request to a *.servegame .com Domain (info.rules)
2042821 - ET INFO DYNAMIC_DNS HTTP Request to a *.securitytactics .com Domain (info.rules)
2042822 - ET INFO DYNAMIC_DNS HTTP Request to a *.redirectme .net Domain (info.rules)
2042823 - ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain (info.rules)
2042824 - ET INFO DYNAMIC_DNS Query to a *.line .pm Domain (info.rules)
2042825 - ET INFO DYNAMIC_DNS HTTP Request to a *.line .pm Domain (info.rules)
2042826 - ET INFO DYNAMIC_DNS Query to a *.work .gd Domain (info.rules)
2042827 - ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain (info.rules)
2042828 - ET INFO DYNAMIC_DNS HTTP Request to a *.linkpc .net Domain (info.rules)
2042829 - ET INFO DYNAMIC_DNS Query to a *.run .place Domain (info.rules)
2042830 - ET INFO DYNAMIC_DNS HTTP Request to a *.run .place Domain (info.rules)
2042831 - ET INFO DYNAMIC_DNS Query to a *.dns .army Domain (info.rules)
2042832 - ET INFO DYNAMIC_DNS HTTP Request to a *.dns .army Domain (info.rules)
2042833 - ET INFO DYNAMIC_DNS Query to a *.v6 .army Domain (info.rules)
2042834 - ET INFO DYNAMIC_DNS HTTP Request to a *.v6 .army Domain (info.rules)
2042835 - ET INFO DYNAMIC_DNS Query to a *.v6 .navy Domain (info.rules)
2042836 - ET INFO DYNAMIC_DNS HTTP Request to a *.v6 .navy Domain (info.rules)
2042837 - ET INFO DYNAMIC_DNS Query to a *.dynv6 .net Domain (info.rules)
2042838 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynv6 .net Domain (info.rules)
2042839 - ET INFO DYNAMIC_DNS Query to a *.dns .navy Domain (info.rules)
2042840 - ET INFO DYNAMIC_DNS HTTP Request to a *.dns .navy Domain (info.rules)
2042841 - ET INFO DYNAMIC_DNS Query to a *.v6 .rocks Domain (info.rules)
2042842 - ET INFO DYNAMIC_DNS HTTP Request to a *.v6 .rocks Domain (info.rules)
2042843 - ET INFO DYNAMIC_DNS Query to a *.16-b .it Domain (info.rules)
2042844 - ET INFO DYNAMIC_DNS HTTP Request to a *.16-b .it Domain (info.rules)
2042845 - ET INFO DYNAMIC_DNS Query to a *.freeddns .uk Domain (info.rules)
2042846 - ET INFO DYNAMIC_DNS HTTP Request to a *.freeddns .uk Domain (info.rules)
2042847 - ET INFO DYNAMIC_DNS Query to a *.001www .com Domain (info.rules)
2042848 - ET INFO DYNAMIC_DNS HTTP Request to a *.001www .com Domain (info.rules)
2042849 - ET INFO DYNAMIC_DNS Query to a *.x443 .pw Domain (info.rules)
2042850 - ET INFO DYNAMIC_DNS HTTP Request to a *.x443 .pw Domain (info.rules)
2042851 - ET INFO DYNAMIC_DNS Query to a *.myiphost .com Domain (info.rules)
2042852 - ET INFO DYNAMIC_DNS HTTP Request to a *.myiphost .com Domain (info.rules)
2042853 - ET INFO DYNAMIC_DNS Query to a *.dnsup .net Domain (info.rules)
2042854 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsup .net Domain (info.rules)
2042855 - ET INFO DYNAMIC_DNS Query to a *.dnslive .net Domain (info.rules)
2042856 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnslive .net Domain (info.rules)
2042857 - ET INFO DYNAMIC_DNS Query to a *.vpndns .net Domain (info.rules)
2042858 - ET INFO DYNAMIC_DNS HTTP Request to a *.vpndns .net Domain (info.rules)
2042859 - ET INFO DYNAMIC_DNS Query to a *.dnsget .org Domain (info.rules)
2042860 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsget .org Domain (info.rules)
2042861 - ET INFO DYNAMIC_DNS Query to a *.dynip .org Domain (info.rules)
2042862 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynip .org Domain (info.rules)
2042863 - ET INFO DYNAMIC_DNS Query to a *.dynserv .org Domain (info.rules)
2042864 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynserv .org Domain (info.rules)
2042865 - ET INFO DYNAMIC_DNS Query to a *.hicam .net Domain (info.rules)
2042866 - ET INFO DYNAMIC_DNS HTTP Request to a *.hicam .net Domain (info.rules)
2042867 - ET INFO DYNAMIC_DNS Query to a *.mypi .co Domain (info.rules)
2042868 - ET INFO DYNAMIC_DNS HTTP Request to a *.mypi .co Domain (info.rules)
2042869 - ET INFO DYNAMIC_DNS Query to a *.dnsking .ch Domain (info.rules)
2042870 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsking .ch Domain (info.rules)
2042871 - ET INFO DYNAMIC_DNS Query to a *.now-dns .org Domain (info.rules)
2042872 - ET INFO DYNAMIC_DNS HTTP Request to a *.now-dns .org Domain (info.rules)
2042873 - ET INFO DYNAMIC_DNS Query to a *.ownip .net Domain (info.rules)
2042874 - ET INFO DYNAMIC_DNS HTTP Request to a *.ownip .net Domain (info.rules)
2042875 - ET INFO DYNAMIC_DNS Query to a *.tftpd .net Domain (info.rules)
2042876 - ET INFO DYNAMIC_DNS HTTP Request to a *.tftpd .net Domain (info.rules)
2042877 - ET INFO Observed SyncroMSP Remote Management Software Domain in DNS Lookup (kabutoservices .com) (info.rules)
2042878 - ET INFO Observed SyncroMSP Remote Management Software Domain in DNS Lookup (repairshopr .com) (info.rules)
2042879 - ET INFO Observed SyncroMSP Remote Management Software Domain (repairshopr .com in TLS SNI) (info.rules)
2042880 - ET INFO Observed SyncroMSP Remote Management Software Domain (kabutoservices .com in TLS SNI) (info.rules)
2042881 - ET INFO SyncroMSP Remote Remote Management Software Install Registration (info.rules)
2042882 - ET INFO SyncroMSP Remote Remote Management Software Install Checkin (info.rules)
2042883 - ET HUNTING RedditSharp UA in POST (POST) (hunting.rules)
2042884 - ET MALWARE RedditC2 Related Activity (POST) (malware.rules)
2042885 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
2042886 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
2042887 - ET MALWARE PS/PSRansom Client Checkin (GET) (malware.rules)
2042888 - ET MALWARE PS/PSRansom Server Status Check (GET) (malware.rules)
2042889 - ET INFO Online Code Editor Domain in DNS Lookup (trinket .io) (info.rules)
2042890 - ET MALWARE Win32/Khaosz.A!MTB Checkin - Command Retrieval (malware.rules)
2042891 - ET MALWARE Win32/Sality.NBA Exfil (malware.rules)
2042892 - ET PHISHING Successful Australian Government myGov Credential Phish 2022-12-14 (phishing.rules)
2042893 - ET PHISHING Successful America First CU Credential Phish 2022-12-14 (phishing.rules)
Pro:
2852949 - ETPRO MALWARE Win32/Remcos RAT Checkin 855 (malware.rules)
[///] Modified active rules: [///]
2852922 - ETPRO MALWARE Win32/Screenshotter Backdoor Sending Screenshot (POST) (malware.rules)
[---] Removed rules: [---]
2845553 - ETPRO PHISHING Suspected GoPhish Phishing Landing M1 (phishing.rules)
2851692 - ETPRO MALWARE Filez Downloader Checkin (malware.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team