[***] Summary: [***]

24 new OPEN, 30 new PRO (24 + 6). Win32/DarkCloud, MintStealer, Others.

Thanks @James_inthe_box, @ViriBack

The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Open:

2043207 - ET MALWARE Donot APT Related Domain in DNS Lookup (soundvista .club) (malware.rules)
2043208 - ET MALWARE Donot APT Related Domain in DNS Lookup (resolverequest .live) (malware.rules)
2043209 - ET MALWARE Donot APT Related Domain in DNS Lookup (biteupdates .live) (malware.rules)
2043210 - ET MALWARE Donot APT Related Domain in DNS Lookup (biteupdates .site) (malware.rules)
2043211 - ET MALWARE Donot APT Related Domain in DNS Lookup (printerupdates .online) (malware.rules)
2043212 - ET MALWARE Donot APT Related Domain in DNS Lookup (printersolutions .live) (malware.rules)
2043213 - ET MALWARE Donot APT Related Domain in DNS Lookup (tplinkupdates .space) (malware.rules)
2043214 - ET MALWARE Donot APT Related Domain in DNS Lookup (packetbite .live) (malware.rules)
2043215 - ET MALWARE Donot APT Related Domain in DNS Lookup (lovingallupdates .life) (malware.rules)
2043216 - ET MALWARE AHK Bot Domain Profiler CnC Activity (malware.rules)
2043217 - ET MALWARE Golang/Sandcat Plugin Activity (POST) (malware.rules)
2043218 - ET MALWARE Win32/DarkCloud Exfil Over SMTP (Subject) (malware.rules)
2043219 - ET MALWARE Win32/DarkCloud Exfil Over SMTP (Body) (malware.rules)
2043220 - ET INFO Free File Hosting Domain in DNS Lookup (fileditch .com) (info.rules)
2043221 - ET MALWARE MintStealer Discord Activity (GET) (malware.rules)
2043222 - ET MALWARE MintStealer Discord Activity (GET) (malware.rules)
2043223 - ET MALWARE MintStealer CnC Activity (GET) (malware.rules)
2043224 - ET MALWARE MintStealer CnC Activity (GET) (malware.rules)
2043225 - ET MALWARE MintStealer CnC Activity (POST) (malware.rules)
2043226 - ET MALWARE Downloader/Linux.Agent CnC Domain (wget .hostname .help) in DNS Lookup (malware.rules)
2043227 - ET MALWARE Downloader/Linux.Agent CnC Domain (pateu .freevar .com) in DNS Lookup (malware.rules)
2043228 - ET EXPLOIT TIBCO JasperReports Directory Traversal Attempt (CVE-2018-18809) (exploit.rules)
2043229 - ET EXPLOIT TIBCO JasperReports Authenticated Arbitrary File Read Attempt (CVE-2018-5430) (exploit.rules)
2043230 - ET MALWARE Win32/Youtube Bot - CnC Checkin (malware.rules)

Pro:

2853007 - ETPRO MALWARE DonotGroup Backdoor Activity (POST) (malware.rules)
2853008 - ETPRO MALWARE AHK Bot Looper - Payload Request (malware.rules)
2853009 - ETPRO MALWARE AHK Bot Looper - Payload Request (malware.rules)
2853010 - ETPRO MALWARE AHK Bot Looper - Payload Request (malware.rules)
2853011 - ETPRO MALWARE AHK Bot Looper - Payload Request (malware.rules)
2853014 - ETPRO MALWARE MSIL/Kryptik.AHPT CnC Activity (GET) (malware.rules)

[///] Modified active rules: [///]

2034878 - ET MALWARE APT/Donot Group CnC Domain in DNS Lookup (request .soundedge .live) (malware.rules)

[///] Modified inactive rules: [///]

2034878 - ET MALWARE APT/Donot Group CnC Domain in DNS Lookup (request .soundedge .live) (malware.rules)

[---] Disabled and modified rules: [---]

2041783 - ET MALWARE TA569 Domain in DNS Lookup (ergpractice .com) (malware.rules)
2042993 - ET MALWARE SocGholish Domain in DNS Lookup (governing .beautynic .com) (malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team