[***] Summary: [***]

62 new OPEN, 67 new PRO (62 + 5). Win32/Goofy, SocGholish, Various
Dynamic DNS Hosts, Others.

Thanks @Phylum_IO, @Fortinet, @NCSCgov

The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Open:

2042894 - ET INFO DYNAMIC_DNS Query to a *.2mydns .net Domain (info.rules)
2042895 - ET INFO DYNAMIC_DNS HTTP Request to a *.2mydns .net Domain (info.rules)
2042896 - ET INFO DYNAMIC_DNS Query to a *.dtdns .org Domain (info.rules)
2042897 - ET INFO DYNAMIC_DNS HTTP Request to a *.dtdns .org Domain (info.rules)
2042898 - ET INFO DYNAMIC_DNS Query to a *.myddns .biz Domain (info.rules)
2042899 - ET INFO DYNAMIC_DNS HTTP Request to a *.myddns .biz Domain (info.rules)
2042900 - ET INFO DYNAMIC_DNS Query to a *.wifizone .org Domain (info.rules)
2042901 - ET INFO DYNAMIC_DNS HTTP Request to a *.wifizone .org Domain (info.rules)
2042902 - ET INFO DYNAMIC_DNS Query to a *.32-b .it Domain (info.rules)
2042903 - ET INFO DYNAMIC_DNS HTTP Request to a *.32-b .it Domain (info.rules)
2042904 - ET INFO DYNAMIC_DNS Query to a *.ntdll .top Domain (info.rules)
2042905 - ET INFO DYNAMIC_DNS HTTP Request to a *.ntdll .top Domain (info.rules)
2042906 - ET INFO DYNAMIC_DNS Query to a *.soundcast .me Domain (info.rules)
2042907 - ET INFO DYNAMIC_DNS HTTP Request to a *.soundcast .me Domain (info.rules)
2042908 - ET INFO DYNAMIC_DNS Query to a *.tcp4 .me Domain (info.rules)
2042909 - ET INFO DYNAMIC_DNS HTTP Request to a *.tcp4 .me Domain (info.rules)
2042910 - ET INFO DYNAMIC_DNS Query to a *.forumz .info Domain (info.rules)
2042911 - ET INFO DYNAMIC_DNS HTTP Request to a *.forumz .info Domain (info.rules)
2042912 - ET INFO DYNAMIC_DNS Query to a *.freeddns .us Domain (info.rules)
2042913 - ET INFO DYNAMIC_DNS HTTP Request to a *.freeddns .us Domain (info.rules)
2042914 - ET INFO DYNAMIC_DNS Query to a *.dnsdyn .net Domain (info.rules)
2042915 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsdyn .net Domain (info.rules)
2042916 - ET INFO DYNAMIC_DNS Query to a *.64-b .it Domain (info.rules)
2042917 - ET INFO DYNAMIC_DNS HTTP Request to a *.64-b .it Domain (info.rules)
2042918 - ET INFO DYNAMIC_DNS Query to a *.now-dns .net Domain (info.rules)
2042919 - ET INFO DYNAMIC_DNS HTTP Request to a *.now-dns .net Domain (info.rules)
2042920 - ET INFO DYNAMIC_DNS Query to a *.nowddns .com Domain (info.rules)
2042921 - ET INFO DYNAMIC_DNS HTTP Request to a *.nowddns .com Domain (info.rules)
2042922 - ET INFO DYNAMIC_DNS Query to a *.ddns .cam Domain (info.rules)
2042923 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .cam Domain (info.rules)
2042924 - ET INFO DYNAMIC_DNS Query to a *.ddnslive .com Domain (info.rules)
2042925 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddnslive .com Domain (info.rules)
2042926 - ET INFO DYNAMIC_DNS Query to a *.clickip .de Domain (info.rules)
2042927 - ET INFO DYNAMIC_DNS HTTP Request to a *.clickip .de Domain (info.rules)
2042928 - ET INFO DYNAMIC_DNS Query to a *.n4t .co Domain (info.rules)
2042929 - ET INFO DYNAMIC_DNS HTTP Request to a *.n4t .co Domain (info.rules)
2042930 - ET INFO DYNAMIC_DNS Query to a *.cloudns .net Domain (info.rules)
2042931 - ET INFO DYNAMIC_DNS HTTP Request to a *.cloudns .net Domain (info.rules)
2042932 - ET INFO DYNAMIC_DNS Query to a *.dynu .com Domain (info.rules)
2042933 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynu .com Domain (info.rules)
2042934 - ET INFO DYNAMIC_DNS Query to a *.crafting .xyz Domain (info.rules)
2042935 - ET INFO DYNAMIC_DNS HTTP Request to a *.crafting .xyz Domain (info.rules)
2042936 - ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain (info.rules)
2042937 - ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain (info.rules)
2042938 - ET INFO DYNAMIC_DNS Query to a *.now-dns .top Domain (info.rules)
2042939 - ET INFO DYNAMIC_DNS HTTP Request to a *.now-dns .top Domain (info.rules)
2042940 - ET INFO DYNAMIC_DNS Query to a *.dnsapi .info Domain (info.rules)
2042941 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsapi .info Domain (info.rules)
2042942 - ET MALWARE RedditC2 Related Activity M2 (POST) (malware.rules)
2042943 - ET MALWARE Suspected Golang/Zerobot Websocket Activity (GET) (malware.rules)
2042944 - ET INFO Suspicious File Extension Inbound (.phonk) (info.rules)
2042945 - ET MALWARE Phonk Trojan CnC Checkin (POST) (malware.rules)
2042946 - ET MALWARE Win32/Goofy Guineapig CnC Activity (GET) M2 (malware.rules)
2042947 - ET MALWARE Win32/Goofy Guineapig CnC Activity (GET) M1 (malware.rules)
2042948 - ET MALWARE Observed DNS Query to Goofy Guineapig Domain (static .tcplog .com) (malware.rules)
2042949 - ET MALWARE CIA Ransomware Domain (cia .cookie-coin .xyz) in DNS Lookup (malware.rules)
2042950 - ET MALWARE CIA Ransomware - wallpaper/readme retrieval attempt (malware.rules)
2042951 - ET MALWARE GoLinux/GoTrim CnC Checkin (malware.rules)
2042952 - ET PHISHING Successful Made in China Credential Phish 2022-12-14 (phishing.rules)
2042953 - ET MALWARE SocGholish Domain in DNS Lookup (fittingroom .gibbsjewelry .com) (malware.rules)
2042954 - ET MALWARE SocGholish Domain in DNS Lookup (deposit .coveprice .com) (malware.rules)
2042955 - ET MALWARE SocGholish Domain in DNS Lookup (brooklands .harteverything .com) (malware.rules)

Pro:

2845553 - ETPRO PHISHING Suspected GoPhish Phishing Landing M1 (phishing.rules)
2852950 - ETPRO PHISHING Suspected GoPhish Phishing Landing M2 (phishing.rules)
2852953 - ETPRO MALWARE QBot Style Payload Request (malware.rules)
2852954 - ETPRO MALWARE Observed Sliver Domain in TLS SNI (malware.rules)
2852955 - ETPRO MALWARE Observed DNS Query to Sliver Domain (malware.rules)

[///] Modified active rules: [///]

2039470 - ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Inbound) (exploit.rules)

[---] Disabled and modified rules: [---]

2028380 - ET JA3 Hash - Possible Malware - Neutrino (ja3.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team