[***] Summary: [***]
75 new OPEN, 78 new PRO (75 + 3). Various Glupteba, RisePro, Phishing and APT.
Thanks @sekoia_io, @nozominetworks
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.

There will be no signature release on Monday, January 2, 2023 due to New Year holiday observance.
[+++] Added rules: [+++]
Open:
2043023 - ET PHISHING Generic Cryptocurrency Credential Phish Related Domain in DNS Lookup (thedoodles .site) (phishing.rules)
2043026 - ET INFO Suspicious Empty Accept-Encoding Header (info.rules)
2043027 - ET MALWARE Observed Glupteba CnC Domain (greenphoenix .xyz in TLS SNI) (malware.rules)
2043028 - ET MALWARE Observed Glupteba CnC Domain (cdneurops .buzz in TLS SNI) (malware.rules)
2043029 - ET MALWARE Observed Glupteba CnC Domain (mastiakele .ae .org in TLS SNI) (malware.rules)
2043030 - ET MALWARE Observed Glupteba CnC Domain (cdneurops .pics in TLS SNI) (malware.rules)
2043031 - ET MALWARE Observed Glupteba CnC Domain (zaoshang .ooo in TLS SNI) (malware.rules)
2043032 - ET MALWARE Observed Glupteba CnC Domain (getyourgift .life in TLS SNI) (malware.rules)
2043033 - ET MALWARE Observed Glupteba CnC Domain (zaoshang .ru in TLS SNI) (malware.rules)
2043034 - ET MALWARE Observed Glupteba CnC Domain (tmetres .com in TLS SNI) (malware.rules)
2043035 - ET MALWARE Observed Glupteba CnC Domain (revouninstaller .homes in TLS SNI) (malware.rules)
2043036 - ET MALWARE Observed Glupteba CnC Domain (limeprime .com in TLS SNI) (malware.rules)
2043037 - ET MALWARE Observed Glupteba CnC Domain (zaoshanghao .su in TLS SNI) (malware.rules)
2043038 - ET MALWARE Observed Glupteba CnC Domain (cdneurop .cloud in TLS SNI) (malware.rules)
2043039 - ET MALWARE Observed Glupteba CnC Domain (zaoshanghaoz .net in TLS SNI) (malware.rules)
2043040 - ET MALWARE Observed Glupteba CnC Domain (checkpos .net in TLS SNI) (malware.rules)
2043041 - ET MALWARE Observed Glupteba CnC Domain (zaoshang .moscow in TLS SNI) (malware.rules)
2043042 - ET MALWARE Observed Glupteba CnC Domain (mastiakele .icu in TLS SNI) (malware.rules)
2043043 - ET MALWARE Observed Glupteba CnC Domain (cdntokiog .studio in TLS SNI) (malware.rules)
2043044 - ET MALWARE Observed Glupteba CnC Domain (mastiakele .xyz in TLS SNI) (malware.rules)
2043045 - ET MALWARE Observed Glupteba CnC Domain (cdneurops .health in TLS SNI) (malware.rules)
2043046 - ET MALWARE Observed Glupteba CnC Domain (cdneurops .shop in TLS SNI) (malware.rules)
2043047 - ET MALWARE Observed Glupteba CnC Domain (mastiakele .cyou in TLS SNI) (malware.rules)
2043048 - ET MALWARE Observed Glupteba CnC Domain (duniadekho .bar in TLS SNI) (malware.rules)
2043049 - ET MALWARE Lazarus APT Related Domain in DNS Lookup (professiondesc .com) (malware.rules)
2043050 - ET MALWARE Win32/RisePro CnC Command Outbound (get_settings) (malware.rules)
2043051 - ET MALWARE Observed DNS Query to RisePro Domain (first-mirror .com) (malware.rules)
2043052 - ET MALWARE Observed DNS Query to RisePro Domain (torggissoft .com) (malware.rules)
2043053 - ET MALWARE Observed DNS Query to RisePro Domain (myrise .pro) (malware.rules)
2043054 - ET MALWARE Observed DNS Query to RisePro Domain (hero-files .com) (malware.rules)
2043055 - ET MALWARE Observed DNS Query to RisePro Domain (uc-files .com) (malware.rules)
2043056 - ET MALWARE Observed DNS Query to RisePro Domain (files-rate .com) (malware.rules)
2043057 - ET MALWARE Observed DNS Query to RisePro Domain (rate-files .com) (malware.rules)
2043058 - ET MALWARE Observed DNS Query to RisePro Domain (xx1-files .com) (malware.rules)
2043059 - ET MALWARE Observed DNS Query to RisePro Domain (webproduct25 .com) (malware.rules)
2043060 - ET MALWARE Observed DNS Query to RisePro Domain (pin-files .com) (malware.rules)
2043061 - ET MALWARE Observed DNS Query to RisePro Domain (best24-files .com) (malware.rules)
2043062 - ET MALWARE Observed DNS Query to RisePro Domain (get-24files .com) (malware.rules)
2043063 - ET MALWARE Observed DNS Query to RisePro Domain (neo-files .com) (malware.rules)
2043064 - ET MALWARE Observed DNS Query to RisePro Domain (m-rise .pro) (malware.rules)
2043065 - ET MALWARE Observed DNS Query to RisePro Domain (pickofiles .com) (malware.rules)
2043066 - ET MALWARE Observed DNS Query to RisePro Domain (my-rise .cc) (malware.rules)
2043067 - ET MALWARE Observed DNS Query to RisePro Domain (my-rise .pro) (malware.rules)
2043068 - ET MALWARE Observed DNS Query to RisePro Domain (fvp-files .com) (malware.rules)
2043069 - ET MALWARE Observed DNS Query to RisePro Domain (gg-download .com) (malware.rules)
2043070 - ET MALWARE Observed DNS Query to RisePro Domain (get-files24 .com) (malware.rules)
2043071 - ET MALWARE Observed DNS Query to RisePro Domain (vi-files .com) (malware.rules)
2043072 - ET MALWARE Observed DNS Query to RisePro Domain (greatsofteasy .com) (malware.rules)
2043073 - ET MALWARE Observed DNS Query to RisePro Domain (qd-file .com) (malware.rules)
2043074 - ET MALWARE Observed DNS Query to RisePro Domain (upxlead .com) (malware.rules)
2043075 - ET MALWARE Observed DNS Query to RisePro Domain (jojo-files .com) (malware.rules)
2043076 - ET MALWARE Observed DNS Query to RisePro Domain (vip-space .com) (malware.rules)
2043077 - ET MALWARE Observed DNS Query to RisePro Domain (files-sender .com) (malware.rules)
2043078 - ET MALWARE Observed DNS Query to RisePro Domain (elite-hacks .ru) (malware.rules)
2043079 - ET MALWARE Observed DNS Query to RisePro Domain (gg-loader .com) (malware.rules)
2043080 - ET MALWARE Observed DNS Query to RisePro Domain (softs-portal .com) (malware.rules)
2043081 - ET MALWARE Observed DNS Query to RisePro Domain (factor1right .com) (malware.rules)
2043082 - ET MALWARE Observed DNS Query to RisePro Domain (gs24softeasy .com) (malware.rules)
2043083 - ET MALWARE Observed DNS Query to RisePro Domain (teleportsoft .com) (malware.rules)
2043084 - ET MALWARE Observed DNS Query to RisePro Domain (boost-files .com) (malware.rules)
2043085 - ET MALWARE Observed DNS Query to RisePro Domain (testitsoft .com) (malware.rules)
2043086 - ET MALWARE Observed DNS Query to RisePro Domain (uni-files .com) (malware.rules)
2043087 - ET MALWARE Observed DNS Query to RisePro Domain (fixgroupfactor .com) (malware.rules)
2043088 - ET MALWARE Observed DNS Query to RisePro Domain (pu-file .com) (malware.rules)
2043089 - ET MALWARE Possible PrivateLoader Payload Request (GET) (malware.rules)
2043090 - ET MALWARE Win32/RisePro CnC Server Response M3 (malware.rules)
2043091 - ET MALWARE Win32/RisePro CnC Server Response M4 (malware.rules)
2043092 - ET MALWARE Win32/RisePro CnC Server Response M5 (malware.rules)
2043093 - ET ADWARE_PUP Observed DNS Query to PUP Domain (omnatuor .com) (adware_pup.rules)
2043094 - ET PHISHING US Government Bid Credential Phish Landing Page 2022-12-28 (phishing.rules)
2043095 - ET PHISHING Successful US Government Bid Credential Phish 2022-12-28 (phishing.rules)
2043096 - ET PHISHING Successful MetaMask Pass Phrase Phish 2022-12-27 (phishing.rules)
2043097 - ET PHISHING Successful Netflix Credential Phish 2022-12-27 (phishing.rules)
2043098 - ET MALWARE Win32/Uwamson.A!ml CnC Checkin (malware.rules)
2043099 - ET MALWARE TA569 Domain in DNS Lookup (luxurycompare .com) (malware.rules)
Pro:
2852984 - ETPRO MALWARE Win32/Glupteba CnC Activity (malware.rules)
2852985 - ETPRO MALWARE Win32/Glupteba CnC Activity (malware.rules)
2852986 - ETPRO MALWARE Win32/Glupteba CnC Activity (malware.rules)
[///] Modified active rules: [///]
2007994 - ET HUNTING Suspicious Empty User-Agent (hunting.rules)
2042977 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2843688 - ETPRO PHISHING Successful Generic Central Credit Union Phish 2020-07-27 (phishing.rules)
[---] Removed rules: [---]
2043023 - ET MALWARE TA444/Lazarus Related Domain in DNS Lookup (thedoodles .site) (malware.rules)
2837497 - ETPRO POLICY Empty User-Agent Header (policy.rules)