[***] Summary: [***]
7 new OPEN, 14 new PRO (7 + 7). RedLine, Turla, AHK Bot, Others.
Thanks @1ZRR4H, @Mandiant
The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
[+++] Added rules: [+++]
Open:
2043231 - ET MALWARE Redline Stealer TCP CnC Activity (malware.rules)
2043232 - ET MALWARE Turla JS/Kopiluwak Sending Information (POST)
(malware.rules)
2043233 - ET MALWARE RedLine Stealer TCP CnC net.tcp Init (malware.rules)
2043234 - ET MALWARE RedLine Stealer TCP CnC - Id1Response (malware.rules)
2043235 - ET MALWARE Win32/Generik.NWVMNHQ Variant Exfil (POST)
(malware.rules)
2043236 - ET MALWARE O97M/Sadoca.C!ml Checkin (malware.rules)
2043237 - ET MALWARE Remote Utility Access Tool Key SMTP Exfil
(malware.rules)
Pro:
2853015 - ETPRO MALWARE AHK Bot - Logger Sending Data (malware.rules)
2853016 - ETPRO MALWARE AHK Bot - Stealer Loader Payload Request
(malware.rules)
2853017 - ETPRO MALWARE AHK Bot - Logger Sending Data (malware.rules)
2853018 - ETPRO MALWARE Win32/Remcos RAT Checkin 857 (malware.rules)
2853019 - ETPRO PHISHING Observed DNS Query to DomBox Phishing Domain
(2023-01-06) (phishing.rules)
2853020 - ETPRO PHISHING Successful DomBox Credential Phish (2023-01-06)
(phishing.rules)
2853021 - ETPRO PHISHING Generic Phishing Page Inbound (2023-01-06)
(phishing.rules)
[///] Modified active rules: [///]
2841160 - ETPRO MALWARE RedLine - CnC Activity (malware.rules)
2841435 - ETPRO MALWARE RedLine - GetSettings Request (malware.rules)
2841436 - ETPRO MALWARE RedLine - GetSettings Response (malware.rules)
2841437 - ETPRO MALWARE RedLine - GetTasks Response (malware.rules)
2850142 - ETPRO MALWARE RedLine Stealer TCP CnC - ExtensionDiscord
(malware.rules)
2850143 - ETPRO MALWARE RedLine Stealer TCP CnC - ExtensionColdWallets
(malware.rules)
[---] Removed rules: [---]
2850027 - ETPRO MALWARE RedLine Stealer TCP CnC net.tcp Init
(malware.rules)
2850286 - ETPRO MALWARE Redline Stealer TCP CnC Activity (malware.rules)
2850353 - ETPRO MALWARE Redline Stealer TCP CnC - Id1Response
(malware.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
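The removed section above drops three ETPRO RedLine SIDs (2850027, 2850286, 2850353) while the added section introduces ET Open rules with the same names (2043233, 2043231, 2043234), i.e. the coverage moved from Pro to Open. The following audit script is an added example, not part of the ET post or of Emerging Threats' own tooling: it parses a notice in this format (including the hard-wrapped entries whose "(malware.rules)" spills onto the next line), reads a local Suricata rules file, and reports added SIDs that are missing or disabled (suricata-update comments disabled rules out with a leading "#"), removed SIDs still loaded, and Pro rules that reappeared under Open. The notice excerpt and rule lines are constructed from entries on this page; the rule bodies are placeholders, not the real ET signatures.

```python
"""Audit a local Suricata rules file against an Emerging Threats update notice.

Added example, not part of the ET post or ET's own tooling. Rule bodies below
are placeholders; only the msg/sid fields mirror entries from the notice.
"""
import re

# Constructed excerpt of a daily notice in the format of the post above,
# including one hard-wrapped entry whose "(malware.rules)" lands on a new line.
NOTICE = """\
[***] Summary: [***]
3 new OPEN, 1 new PRO.
[+++] Added rules: [+++]
Open:
2043231 - ET MALWARE Redline Stealer TCP CnC Activity (malware.rules)
2043233 - ET MALWARE RedLine Stealer TCP CnC net.tcp Init (malware.rules)
2043234 - ET MALWARE RedLine Stealer TCP CnC - Id1Response (malware.rules)
Pro:
2853018 - ETPRO MALWARE Win32/Remcos RAT Checkin 857 (malware.rules)
[///] Modified active rules: [///]
2841160 - ETPRO MALWARE RedLine - CnC Activity (malware.rules)
[---] Removed rules: [---]
2850027 - ETPRO MALWARE RedLine Stealer TCP CnC net.tcp Init
(malware.rules)
2850286 - ETPRO MALWARE Redline Stealer TCP CnC Activity (malware.rules)
2850353 - ETPRO MALWARE Redline Stealer TCP CnC - Id1Response
(malware.rules)
---------------------------------------
"""

# Constructed rules of a Pro sensor that has only partly applied the update:
# 2043233 is present but disabled (suricata-update writes disabled rules as '# ...'),
# 2043234 and 2853018 were never pulled, and removed 2850027 is still loaded.
LOCAL_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Redline Stealer TCP CnC Activity"; content:"placeholder"; sid:2043231; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedLine Stealer TCP CnC net.tcp Init"; content:"placeholder"; sid:2043233; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE RedLine Stealer TCP CnC net.tcp Init"; content:"placeholder"; sid:2850027; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE RedLine - CnC Activity"; content:"placeholder"; sid:2841160; rev:3;)
"""

SECTIONS = {"[+++] Added": "added", "[///] Modified": "modified", "[---] Removed": "removed"}
SID_LINE = re.compile(r"^(\d{7}) - (.+)$")
RULE_SID = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_notice(text):
    """Return {'added'|'modified'|'removed': [(sid, name, tier)]}.
    tier is 'open'/'pro' from the Open:/Pro: sub-headers of the Added section, else None."""
    out = {"added": [], "modified": [], "removed": []}
    section = tier = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = next((v for k, v in SECTIONS.items() if line.startswith(k)), None)
        if header:
            section, tier = header, None
            continue
        if section is None or set(line) == {"-"}:   # preamble or signature separator
            section = None
            continue
        if line in ("Open:", "Pro:"):
            tier = line[:-1].lower()
            continue
        m = SID_LINE.match(line)
        if m:
            out[section].append([int(m.group(1)), m.group(2), tier])
        elif out[section]:
            out[section][-1][1] += " " + line   # hard-wrapped continuation of the name
    return {k: [tuple(e) for e in v] for k, v in out.items()}


def parse_rules(text):
    """Return {sid: enabled} for every rule line, commented-out ones included."""
    rules = {}
    for raw in text.splitlines():
        m = RULE_SID.search(raw)
        if m:
            rules[int(m.group(1))] = not raw.lstrip().startswith("#")
    return rules


def norm(name):
    """Normalise a rule name so an ETPRO entry and its ET Open twin compare equal."""
    name = re.sub(r"\s*\([\w.]+\)\s*$", "", name)   # drop trailing "(malware.rules)"
    name = re.sub(r"^ETPRO\b", "ET", name)
    return re.sub(r"\s+", " ", name).strip().lower()


def audit(notice, rules, have_pro):
    """have_pro=False: the sensor only subscribes to ET Open, so ETPRO SIDs are not expected."""
    def want(entry):
        return have_pro or not entry[1].startswith("ETPRO ")
    added = [e for e in notice["added"] if want(e)]
    removed = [e for e in notice["removed"] if want(e)]
    open_by_name = {norm(n): s for s, n, t in notice["added"] if t == "open"}
    return {
        "missing_added": sorted(s for s, _, _ in added if s not in rules),
        "disabled_added": sorted(s for s, _, _ in added if s in rules and not rules[s]),
        "stale_removed": sorted(s for s, _, _ in removed if s in rules),
        # a removed ETPRO rule whose name reappears under Open: coverage moved tiers
        "pro_to_open": [(s, open_by_name[norm(n)]) for s, n, _ in notice["removed"]
                        if n.startswith("ETPRO ") and norm(n) in open_by_name],
    }


def run_example(have_pro=True):
    return audit(parse_notice(NOTICE), parse_rules(LOCAL_RULES), have_pro)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Run it against a real notice by replacing NOTICE with the mail body and LOCAL_RULES with the contents of the sensor's merged rules file (for suricata-update, /var/lib/suricata/rules/suricata.rules); pass have_pro=False on an Open-only sensor so the ETPRO SIDs in the notice are not reported as missing.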