[***] Summary: [***]

41 new OPEN, 49 new PRO (41 + 8). Win32/Aurora, ActionLoader, Various
PowerShell, Others.

Thanks @Doctor_Web, @Trustwave, @rmceoin, @_tweedge

The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Open:

2043161 - ET ATTACK_RESPONSE PowerShell String Base64 Encoded
Invoke-RestMethod (dm9rZS1SZXN0TWV0) in DNS TXT Response
(attack_response.rules)
2043162 - ET ATTACK_RESPONSE PowerShell String Base64 Encoded
Invoke-RestMethod (Zva2UtUmVzdE1ld) in DNS TXT Response
(attack_response.rules)
2043163 - ET ATTACK_RESPONSE PowerShell String Base64 Encoded
Invoke-RestMethod (2b2tlLVJlc3RNZX) in DNS TXT Response
(attack_response.rules)
2043164 - ET ATTACK_RESPONSE PowerShell String Base64 Encoded
Text.Encoding (ZXh0LkVuY29k) in DNS TXT Response (attack_response.rules)
2043165 - ET ATTACK_RESPONSE PowerShell String Base64 Encoded
Text.Encoding (V4dC5FbmNvZ) in DNS TXT Response (attack_response.rules)
2043166 - ET ATTACK_RESPONSE PowerShell String Base64 Encoded
Text.Encoding (leHQuRW5jb2) in DNS TXT Response (attack_response.rules)
2043167 - ET MALWARE ViperSoftX HTTP CnC Activity (malware.rules)
2043168 - ET MALWARE ActionLoader CnC Domain in DNS Lookup (mejito .ru)
(malware.rules)
2043169 - ET MALWARE ActionLoader CnC Domain in DNS Lookup (roskazna
.net) (malware.rules)
2043170 - ET MALWARE ActionLoader CnC Domain in DNS Lookup
(cloud-documents .com) (malware.rules)
2043171 - ET MALWARE ActionLoader CnC Domain in DNS Lookup (kc-3 .ru)
(malware.rules)
2043172 - ET MALWARE ActionLoader CnC Domain in DNS Lookup (azure-tech
.pro) (malware.rules)
2043173 - ET MALWARE ActionLoader CnC Domain in DNS Lookup (xlssmooth
.xyz) (malware.rules)
2043174 - ET MALWARE ActionLoader CnC Domain in DNS Lookup (ekb
.tanzedrom .ru) (malware.rules)
2043175 - ET PHISHING Office 365 Credential Harvesting Domain
(rightofcourse .com) in DNS Lookup (phishing.rules)
2043176 - ET PHISHING Office 365 Credential Harvesting Domain
(rightofcourse .com) in TLS SNI (phishing.rules)
2043177 - ET MALWARE linux.backdoor.wordpressexploit.1 CnC Domain
(gabriellalovecats .com) in DNS Lookup (malware.rules)
2043178 - ET MALWARE linux.backdoor.wordpressexploit.1 CnC Domain
(transadforward .icu) in DNS Lookup (malware.rules)
2043179 - ET MALWARE linux.backdoor.wordpressexploit.1 CnC Domain
(tommyforgreendream .icu) in DNS Lookup (malware.rules)
2043180 - ET MALWARE Observed linux.backdoor.wordpressexploit.1 Domain
(gabriellalovecats .com) in TLS SNI (malware.rules)
2043181 - ET MALWARE Observed linux.backdoor.wordpressexploit.1 Domain
(transadforward .icu) in TLS SNI (malware.rules)
2043182 - ET MALWARE Observed linux.backdoor.wordpressexploit.1 Domain
(tommyforgreendream .icu) in TLS SNI (malware.rules)
2043183 - ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain (clon
.collectfasttracks .com) in DNS Lookup (malware.rules)
2043184 - ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain
(letsmakeparty3 .ga) in DNS Lookup (malware.rules)
2043185 - ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain (count
.trackstatisticsss .com) in DNS Lookup (malware.rules)
2043186 - ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain
(lobbydesires .com) in DNS Lookup (malware.rules)
2043187 - ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain
(deliverygoodstrategies .com) in DNS Lookup (malware.rules)
2043188 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain
(clon .collectfasttracks .com) in TLS SNI (malware.rules)
2043189 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain
(letsmakeparty3 .ga) in TLS SNI (malware.rules)
2043190 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain
(count .trackstatisticsss .com) in TLS SNI (malware.rules)
2043191 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain
(lobbydesires .com) in TLS SNI (malware.rules)
2043192 - ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain
(deliverygoodstrategies .com) in TLS SNI (malware.rules)
2043193 - ET MALWARE linux.backdoor.wordpressexploit.1 CnC Checkin
(malware.rules)
2043194 - ET MALWARE linux.backdoor.wordpressexploit.1 JS backdoor
retrieval (malware.rules)
2043195 - ET MALWARE linux.backdoor.wordpressexploit.2 CnC Checkin
(malware.rules)
2043196 - ET MALWARE linux.backdoor.wordpressexploit.2 JS backdoor
retrieval (malware.rules)
2043197 - ET MALWARE linux.backdoor.wordpressexploit file upload test
(malware.rules)
2043198 - ET MALWARE Win32/Aurora Stealer WORK Command (malware.rules)
2043199 - ET MALWARE Win32/Aurora Stealer Accept Command (malware.rules)
2043200 - ET MALWARE Win32/Aurora Stealer Thanks Command (malware.rules)
2043201 - ET PHISHING Successful American First CU Credential Phish
2023-01-03 (phishing.rules)

Pro:

2852993 - ETPRO INFO Observed Sophos Phishing Awareness Domain in DNS
Lookup (info.rules)
2852994 - ETPRO INFO Observed Sophos Phishing Awareness Domain in DNS
Lookup (info.rules)
2852995 - ETPRO INFO Observed Sophos Phishing Awareness Domain in DNS
Lookup (info.rules)
2852996 - ETPRO INFO Observed Sophos Phishing Awareness Domain in DNS
Lookup (info.rules)
2852997 - ETPRO INFO Observed Sophos Phishing Awareness Domain in TLS SNI
(info.rules)
2852998 - ETPRO INFO Observed Sophos Phishing Awareness Domain in TLS SNI
(info.rules)
2852999 - ETPRO INFO Observed Sophos Phishing Awareness Domain in TLS SNI
(info.rules)
2853000 - ETPRO INFO Observed Sophos Phishing Awareness Domain in TLS SNI
(info.rules)

[///] Modified active rules: [///]

2841974 - ETPRO MALWARE Win32/Fabookie.ek CnC Activity M1 (malware.rules)
2851115 - ETPRO MALWARE Win32/Fabookie.ek CnC Activity M2 (malware.rules)
2852979 - ETPRO MALWARE Win32/Fabookie.ek CnC Response (malware.rules)
2852980 - ETPRO MALWARE Win32/Fabookie.ek CnC Request M1 (GET)
(malware.rules)
2852981 - ETPRO MALWARE Win32/Fabookie.ek CnC Request M3 (GET)
(malware.rules)

[///] Modified inactive rules: [///]

2841974 - ETPRO MALWARE Win32/Fabookie.ek CnC Activity M1 (malware.rules)
2851115 - ETPRO MALWARE Win32/Fabookie.ek CnC Activity M2 (malware.rules)
2852979 - ETPRO MALWARE Win32/Fabookie.ek CnC Response (malware.rules)
2852980 - ETPRO MALWARE Win32/Fabookie.ek CnC Request M1 (GET)
(malware.rules)
2852981 - ETPRO MALWARE Win32/Fabookie.ek CnC Request M3 (GET)
(malware.rules)

[---] Disabled and modified rules: [---]

2038951 - ET MALWARE SocGholish Domain in DNS Lookup (loans
.mistakenumberone .com) (malware.rules)
2039092 - ET MALWARE TA569 Domain in DNS Lookup (gloogletag .com)
(malware.rules)
2039093 - ET MALWARE TA569 Domain in DNS Lookup (brocode3s .com)
(malware.rules)
2039101 - ET MALWARE TA569 Domain in DNS Lookup (pastukhova .com)
(malware.rules)
2040145 - ET MALWARE SocGholish Domain in DNS Lookup (wiki .clotheslane
.com) (malware.rules)
2040146 - ET MALWARE SocGholish Domain in DNS Lookup (perspective
.cdsignner .com) (malware.rules)
2040147 - ET MALWARE SocGholish Domain in DNS Lookup (mask .covidturf
.com) (malware.rules)
2040148 - ET MALWARE SocGholish Domain in DNS Lookup (progress
.cashdigger .com) (malware.rules)
2042968 - ET MALWARE SocGholish Domain in DNS Lookup (navyseal .bezmail
.com) (malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team