[***] Summary: [***]

16 new OPEN, 39 new PRO (16 + 23) Win32/Phorpiex, Win32/XWorm, Ice Breaker Backdoor, Metamask Phish, IcedID Domains, Coinminers

The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Open:

2044045 - ET MALWARE Phorpiex CnC Domain (twizt .org) in DNS Lookup (malware.rules)
2044046 - ET INFO URL Shortener Service (fanlink .to) in DNS Lookup (info.rules)
2044047 - ET INFO Observed URL Shortener Service Domain (fanlink .to) in TLS SNI (info.rules)
2044048 - ET MALWARE Ice Breaker Backdoor CnC Domain (xn--screnshot-iib .net) in DNS Lookup (malware.rules)
2044049 - ET MALWARE Ice Breaker Backdoor CnC Domain (ponzix .net) in DNS Lookup (malware.rules)
2044050 - ET MALWARE Ice Breaker Backdoor CnC Domain (screenshotlite .com) in DNS Lookup (malware.rules)
2044051 - ET MALWARE Ice Breaker Backdoor CnC Domain (screenshot .icu) in DNS Lookup (malware.rules)
2044052 - ET MALWARE Ice Breaker Backdoor CnC Domain (xn--screnshot-jib .net) in DNS Lookup (malware.rules)
2044053 - ET MALWARE Ice Breaker Backdoor CnC Domain (screenshotcap .com) in DNS Lookup (malware.rules)
2044054 - ET PHISHING Successful Metamask Pass Phrase Phish 2023-02-01 (phishing.rules)
2044055 - ET MALWARE Observed DNS Query to IcedID Domain (alijhaborta .com) (malware.rules)
2044056 - ET MALWARE Observed DNS Query to IcedID Domain (qoipaboni .com) (malware.rules)
2044057 - ET MALWARE Observed DNS Query to IcedID Domain (windmencherser .com) (malware.rules)
2044058 - ET MALWARE Observed DNS Query to IcedID Domain (leftcatrheringg .com) (malware.rules)
2044059 - ET MALWARE Observed DNS Query to IcedID Domain (yelsopotre .com) (malware.rules)
2044060 - ET MALWARE Observed DNS Query to IcedID Domain (headertolz .com) (malware.rules)

Pro:

2853270 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-02-01 1) (coinminer.rules)
2853271 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-02-01 2) (coinminer.rules)
2853272 - ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound (malware.rules)
2853273 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2853274 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853275 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853276 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2853277 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853278 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853279 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853280 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853281 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853282 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2853283 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853284 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853285 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2853286 - ETPRO HUNTING NT Authorty - Domain SID in URI (hunting.rules)
2853287 - ETPRO HUNTING NT Authorty - LocalSystem SID in URI (hunting.rules)
2853288 - ETPRO HUNTING NT Authority - Users SID in URI (hunting.rules)
2853289 - ETPRO HUNTING AzureAD SID in URI (hunting.rules)
2853290 - ETPRO HUNTING Look-alike Domain Query (.xyz) (hunting.rules)
2853291 - ETPRO HUNTING Look-alike Domain Query (.space) (hunting.rules)
2853292 - ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin (malware.rules)

[---] Disabled and modified rules: [---]

2038953 - ET MALWARE SocGholish Domain in DNS Lookup (prompt .zonashoppers .academy) (malware.rules)
2043251 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .asset .tradingvein .xyz) (malware.rules)
