[***] Summary: [***]
8 new OPEN, 11 new PRO (8 + 3) OneNote Notebook Downloaded via Powershell, XWorm, IcedID, Cobalt Strike, Java/Adwind.
Thanks @executemalware, @RedDrip7
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
[+++] Added rules: [+++]
Open:
2043296 - ET MALWARE OneNote Notebook Downloaded via Powershell (malware.rules)
2043297 - ET MALWARE Observed DNS Query to Xworm Domain (su1d .nerdpol .ovh) (malware.rules)
2043298 - ET MALWARE Win32/Gamaredon CnC Activity (malware.rules)
2043299 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043300 - ET MALWARE Cobalt Strike Domain in DNS Lookup (fepopeguc .com) (malware.rules)
2043301 - ET MALWARE Cobalt Strike Domain (fepopeguc .com) in TLS SNI (malware.rules)
2043302 - ET EXPLOIT CentOS Control Web Panel Pre-Auth Remote Code Execution (CVE-2022-44877) (exploit.rules)
2043303 - ET MALWARE Win32/Spy.KeyLogger.RJA Checkin (malware.rules)
Pro:
2853042 - ETPRO MALWARE Java/Adwind Variant CnC Activity (malware.rules)
2853043 - ETPRO MALWARE Java/Adwind Variant Checkin (malware.rules)
2853044 - ETPRO MALWARE Java/Adwind Variant CnC Activity (malware.rules)
[///] Modified active rules: [///]
2043293 - ET MALWARE Magecart Loader Domain in DNS Lookup (2xdepp .com) (malware.rules)
2043295 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (elon2xmusk .com) (malware.rules)
2853038 - ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant User-Agent Observed (malware.rules)
[---] Disabled and modified rules: [---]
2019732 - ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode (web_client.rules)
2808986 - ETPRO WEB_CLIENT Possible malformed disk image transfer (CVE-2014-4115) (web_client.rules)
2809230 - ETPRO EXPLOIT Hikvision DVR Buffer Overflow Exploit Attempt CVE-2014-4878 (exploit.rules)
2809231 - ETPRO EXPLOIT Hikvision DVR Buffer Overflow Exploit Attempt CVE-2014-4879 (exploit.rules)
2809232 - ETPRO EXPLOIT Hikvision DVR Buffer Overflow Exploit Attempt CVE-2014-4880 (exploit.rules)
[---] Removed rules: [---]
2019734 - ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct (exploit.rules)
2019735 - ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct Hex Encode (exploit.rules)