[***] Summary: [***]

8 new OPEN, 12 new PRO (8 + 4) ZeroBot, VectorStealer, DCRat, Magecart and Vidar.

Thanks @suyog41, @dtmsecurity, @slash30miata

The Emerging Threats mailing list is migrating to Discourse. Please
visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Open:

2043288 - ET MALWARE DCRAT Checkin via Telegram (malware.rules)
2043289 - ET MALWARE VectorStealer Data Exfil via Telegram (malware.rules)
2043290 - ET MALWARE ZeroBot/ZeroStresser Botnet Related Domain in DNS Lookup (zero .sudolite .ml) (malware.rules)
2043291 - ET MALWARE Observed Various Malware Staging Domain (direct-trojan .com in TLS SNI) (malware.rules)
2043292 - ET MALWARE Various Malware Staging Domain in DNS Lookup (direct-trojan .com) (malware.rules)
2043293 - ET MALWARE Magecart CnC Domain in DNS Lookup (2xdepp .com) (malware.rules)
2043294 - ET MALWARE Magecart CnC Domain in DNS Lookup (saylor2xbtc .com) (malware.rules)
2043295 - ET MALWARE Magecart CnC Domain in DNS Lookup (elon2xmusk .com) (malware.rules)

Pro:

2853038 - ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant User-Agent Observed (20100101 Firefox) (malware.rules)
2853039 - ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant CnC Response (malware.rules)
2853040 - ETPRO PHISHING Successful Gmail Credential Phish 2023-01-12 (phishing.rules)
2853041 - ETPRO MALWARE Win32/PSW.Agent.ONW Telegram Response (malware.rules)

[///] Modified active rules: [///]

2034194 - ET MALWARE DCRAT Activity (GET) (malware.rules)

[---] Disabled and modified rules: [---]

2038952 - ET MALWARE SocGholish Domain in DNS Lookup (restructuring .breatheinnew .life) (malware.rules)
2039442 - ET MALWARE SocGholish Domain in DNS Lookup (consultant .meredithklemmblog .com) (malware.rules)
2042773 - ET MALWARE SocGholish Domain in DNS Lookup (modernism .designpaw .com) (malware.rules)
2042774 - ET MALWARE SocGholish Domain in DNS Lookup (library .covebooks .com) (malware.rules)
2809178 - ETPRO EXPLOIT DTLS 1.2 HelloVerifyRequest CookieSize Heap Overflow CVE-2014-6321 (exploit.rules)
2809179 - ETPRO EXPLOIT DTLS Pre 1.0 HelloVerifyRequest Schannel OOB Read CVE-2014-6321 (exploit.rules)
2809180 - ETPRO EXPLOIT DTLS 1.0 HelloVerifyRequest Schannel OOB Read CVE-2014-6321 (exploit.rules)
2809181 - ETPRO EXPLOIT DTLS 1.2 HelloVerifyRequest Schannel OOB Read CVE-2014-6321 (exploit.rules)