[***] Summary: [***]
14 new OPEN, 17 new PRO (14 + 3) ScreenShotter, IcedID, NetSupport and Vidar.
Thanks @Unit42_Intel, @mawlare_traffic, @trustwave
The Emerging Threats mailing list is migrating to Discourse. Please
visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
[+++] Added rules: [+++]
Open:
2043238 - ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) (info.rules)
2043239 - ET MALWARE Win32/Screenshotter Backdoor Payload Request (GET) (malware.rules)
2043240 - ET MALWARE Win32/Screenshotter Backdoor CnC Activity (GET) (malware.rules)
2043241 - ET MALWARE Observed DNS Query to IcedID Domain (coldcreekranch .com) (malware.rules)
2043242 - ET MALWARE Observed DNS Query to IcedID Domain (dogotungtam .com) (malware.rules)
2043243 - ET MALWARE Observed DNS Query to IcedID Domain (acehphonnajaya .com) (malware.rules)
2043244 - ET MALWARE Observed DNS Query to IcedID Domain (baherlakerl .online) (malware.rules)
2043245 - ET MALWARE Observed DNS Query to IcedID Domain (ajerlakerl .online) (malware.rules)
2043246 - ET MALWARE WinPwn PenTesting Activity (malware.rules)
2043247 - ET PHISHING Generic Korean Bank Credential Theft 2023-01-09 (phishing.rules)
2043248 - ET MALWARE Vidar Stealer IP Address in DNS Query Response (malware.rules)
2043249 - ET MALWARE NetSupport RAT Domain (tradinghuy .duckdns .org) in DNS Lookup (malware.rules)
2043250 - ET PHISHING Successful Coinbase Credential Phish 2023-01-09 (phishing.rules)
2043251 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .asset .tradingvein .xyz) (malware.rules)
Pro:
2853022 - ETPRO MALWARE UltimateLoader Connection Request (malware.rules)
2853023 - ETPRO MALWARE ActionLoader Data Exfiltration (GET) (malware.rules)
2853024 - ETPRO MALWARE ActionLoader Second Stage Payload Request (GET) (malware.rules)
[///] Modified active rules: [///]
2012758 - ET INFO DYNAMIC_DNS Query to *.dyndns. Domain (info.rules)
2042687 - ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain (info.rules)
2042688 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain (info.rules)