[***] Summary: [***]

10 new OPEN, 93 new PRO (10 + 83) Gamaredon, Glupteba, XWorm, and Various
Android Malware

Thanks @TheDFIRReport

We would like to inform Emerging Threats users that there will be a
scheduled maintenance window on February 1st, 2023 between 3 pm CST and
5 pm CST. This will affect ET Pro and ET Intel customers.

During this window, the ET Pro rules may be unavailable for download, and
the ET Intel replist may also be unavailable.

This important maintenance window is focused on improving our services
and infrastructure. Thank you for your understanding.

The Emerging Threats mailing list is migrating to Discourse. Please visit
us at
https://community.emergingthreats.net/t/ruleset-update-summary-2023-01-…

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Open:

2044004 - ET MALWARE Observed Glupteba CnC Domain (nisdably .com in TLS
SNI) (malware.rules)
2044005 - ET MALWARE Observed Glupteba CnC Domain (ninhaine .com in TLS
SNI) (malware.rules)
2044006 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
2044007 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
2044008 - ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access
Inbound (CVE-2021-35394) (exploit.rules)
2044009 - ET EXPLOIT D-Link webupg Remote Code Execution Attempt Inbound
(CVE 2021-46441, 2021-46442) (exploit.rules)
2044010 - ET EXPLOIT Possible Oracle E-Business RCE Attempt Inbound M1
(CVE-2022-21587) (exploit.rules)
2044011 - ET EXPLOIT Possible Oracle E-Business RCE Attempt Inbound M2
(CVE-2022-21587) (exploit.rules)
2044012 - ET EXPLOIT Possible Oracle E-Business RCE Attempt Inbound M3
(CVE-2022-21587) (exploit.rules)
2044013 - ET EXPLOIT Possible Oracle E-Business RCE Attempt Inbound M4
(CVE-2022-21587) (exploit.rules)

Pro:

2810416 - ETPRO HUNTING Inbound cmd.exe Base64 Encoded (Unicode) 1
(hunting.rules)
2810417 - ETPRO HUNTING Inbound cmd.exe Base64 Encoded (Unicode) 2
(hunting.rules)
2810418 - ETPRO HUNTING Inbound cmd.exe Base64 Encoded (Unicode) 3
(hunting.rules)
2810419 - ETPRO HUNTING Inbound cmd.exe Base64 Encoded (ASCII) 1
(hunting.rules)
2810420 - ETPRO HUNTING Inbound cmd.exe Base64 Encoded (ASCII) 2
(hunting.rules)
2810421 - ETPRO HUNTING Inbound cmd.exe Base64 Encoded (ASCII) 3
(hunting.rules)
2853174 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.l CnC
Domain in DNS Lookup (mobile_malware.rules)
2853175 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.h CnC
Domain in DNS Lookup (mobile_malware.rules)
2853176 - ETPRO MOBILE_MALWARE Android/Spy.Banker.BSO CnC Domain in DNS
Lookup (mobile_malware.rules)
2853177 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.KTE CnC Domain
in DNS Lookup (mobile_malware.rules)
2853178 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.l CnC
Domain in DNS Lookup (mobile_malware.rules)
2853179 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.KMZ CnC Domain
in DNS Lookup (mobile_malware.rules)
2853180 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Xhunter.a CnC Domain in
DNS Lookup (mobile_malware.rules)
2853181 - ETPRO MOBILE_MALWARE Android.BankBot.14183 CnC Domain in DNS
Lookup (mobile_malware.rules)
2853182 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853183 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853184 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853185 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853186 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853187 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853188 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853189 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853190 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853191 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853192 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853193 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853194 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853195 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853196 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853197 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853198 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853199 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853200 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853201 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853202 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853203 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853204 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853205 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853206 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853207 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853208 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853209 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853210 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853211 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853212 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853213 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853214 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853215 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853216 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853217 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853218 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853219 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853220 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853221 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound
(malware.rules)
2853222 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound
(malware.rules)
2853223 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound
(malware.rules)
2853224 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853225 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853226 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853227 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound
(malware.rules)
2853228 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853229 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound
(malware.rules)
2853230 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound
(malware.rules)
2853231 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound
(malware.rules)
2853232 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound
(malware.rules)
2853233 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853234 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853235 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853236 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853237 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853238 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
2853239 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound
(malware.rules)
2853240 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound
(malware.rules)
2853241 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
2853242 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
2853243 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
2853244 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
2853245 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
2853246 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
2853247 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
2853248 - ETPRO MALWARE FormBook CnC Checkin (GET) (malware.rules)
2853249 - ETPRO MALWARE VBA/TrojanDownloader.Agent.OJG CnC Activity (GET)
(malware.rules)
2853250 - ETPRO MALWARE Suspected DOUBLEDRAG Variant Activity (GET)
(malware.rules)

[---] Removed rules: [---]

2810416 - ETPRO MALWARE Inbound cmd.exe Base64 Encoded (Unicode) 1
(malware.rules)
2810417 - ETPRO INFO Inbound cmd.exe Base64 Encoded (Unicode) 2
(info.rules)
2810418 - ETPRO INFO Inbound cmd.exe Base64 Encoded (Unicode) 3
(info.rules)
2810419 - ETPRO INFO Inbound cmd.exe Base64 Encoded (ASCII) 1 (info.rules)
2810420 - ETPRO MALWARE Inbound cmd.exe Base64 Encoded (ASCII) 2
(malware.rules)
2810421 - ETPRO MALWARE Inbound cmd.exe Base64 Encoded (ASCII) 3
(malware.rules)
