[***] Summary: [***]
16 new OPEN, 34 new PRO (16 + 18). Donot Group, IcedID, Gamaredon and XWorm.
Thanks @StopMalvertisin, @jaydinbas, @ahnlab_secuinfo, @SLASH30Miata
The Emerging Threats mailing list is migrating to Discourse. Please
visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
[+++] Added rules: [+++]
Open:
2044190 - ET MALWARE DonotGroup Pult Downloader Activity M3 (malware.rules)
2044191 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044192 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044193 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044194 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044195 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044196 - ET MALWARE zgRAT Activity M3 (malware.rules)
2044197 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
2044198 - ET MALWARE Donot Group Related Domain in DNS Lookup (mayosasa .buzz) (malware.rules)
2044199 - ET MALWARE Observed External IP Lookup Domain (mayosasa .buzz in TLS SNI) (malware.rules)
2044200 - ET MALWARE Win32/Loader Variant Activity (POST) (malware.rules)
2044201 - ET EXPLOIT GitLab Pre-Auth RCE Detected (CVE-2021-22205) (exploit.rules)
2044202 - ET MALWARE Donot APT Related Domain in DNS Lookup (best .tasterschoice .shop) (malware.rules)
2044203 - ET MALWARE Donot APT Related Domain in DNS Lookup (blogs .tourseasons .xyz) (malware.rules)
2044204 - ET MALWARE Donot APT Related Domain in DNS Lookup (blogs .libraryutilitis .live) (malware.rules)
2044205 - ET EXPLOIT Sunlogin Sunflower Simplified 1.0.1.43315 Directory Traversal Attempt (CVE-2022-48323) (exploit.rules)
Pro:
2853364 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-02-13 1) (coinminer.rules)
2853365 - ETPRO MALWARE Win32/XWorm CnC Domain in DNS Lookup (malware.rules)
2853366 - ETPRO MALWARE Win32/XWorm CnC Domain in DNS Lookup (malware.rules)
2853367 - ETPRO MALWARE Win32/XWorm CnC Domain in DNS Lookup (malware.rules)
2853368 - ETPRO MALWARE Win32/XWorm CnC Domain in DNS Lookup (malware.rules)
2853369 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2853370 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853371 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853372 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2853373 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853374 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853375 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853376 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853377 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853378 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2853379 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853380 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853381 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
[---] Disabled and modified rules: [---]
2031439 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (img565vv6 .holdmydoor .com) (mobile_malware.rules)
2031440 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (crashparadox .net) (mobile_malware.rules)
2031441 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (f15fwd322 .regularhours .net) (mobile_malware.rules)