[***] Summary: [***]
22 new OPEN, 23 new PRO (22 + 1). Various APT, IcedID, Phishing and IIS Backdoor.
Thanks @symantec, @James_inthe_box
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
[+++] Added rules: [+++]
Open:
2037960 - ET HUNTING Observed Suspicious SSL Cert (Acme Co) (hunting.rules)
2044212 - ET MALWARE Likely APT29 Retrieving Payload Embedded In PNG (malware.rules)
2044213 - ET MALWARE Likely APT29 Retrieving Payload Embedded In PNG 2 (malware.rules)
2044214 - ET MALWARE Likely APT29 Retrieving Payload Embedded In PNG 3 (malware.rules)
2044215 - ET MALWARE Possible APT29 Compressed Payload Download Request (malware.rules)
2044216 - ET MALWARE APT28 DealersChoice CnC Beacon Response (malware.rules)
2044217 - ET MALWARE APT28 Zebrocy/Zekapab POST Template Structure (malware.rules)
2044218 - ET MALWARE APT28 Zebrocy/Zekapab CnC Checkin (malware.rules)
2044219 - ET INFO DYNAMIC_DNS Query to a *.apocalypto .org .uk domain (info.rules)
2044220 - ET INFO DYNAMIC_DNS HTTP Request to a *.apocalypto .org .uk domain (info.rules)
2044221 - ET INFO DYNAMIC_DNS Query to a *.satelit .org domain (info.rules)
2044222 - ET INFO DYNAMIC_DNS HTTP Request to a *.satelit .org domain (info.rules)
2044223 - ET INFO DYNAMIC_DNS Query to a *.khabdha .org domain (info.rules)
2044224 - ET INFO DYNAMIC_DNS HTTP Request to a *.khabdha .org domain (info.rules)
2044225 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044226 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044227 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044228 - ET HUNTING Observed Meterpreter Style Request (GET) (hunting.rules)
2044229 - ET PHISHING myGov Credential Phish 2023-02-15 (phishing.rules)
2044230 - ET PHISHING Prohqcker Phish Kit (phishing.rules)
2044231 - ET MALWARE Win32/frebniis IIS Backdoor Trigger Attempt M1 (malware.rules)
2044232 - ET MALWARE Win32/frebniis IIS Backdoor Trigger Attempt M1 (malware.rules)
Pro:
2853506 - ETPRO EXPLOIT Possible Adobe Acrobat Reader Use-After-Free Attempt Inbound (CVE-2023-21608) (exploit.rules)
[---] Disabled and modified rules: [---]
2009702 - ET POLICY DNS Update From External net (policy.rules)
2034645 - ET MALWARE APT15/NICKEL Related CnC Activity (POST) (malware.rules)
2850279 - ETPRO MALWARE Observed Malicious SSL Cert (BazaLoader CnC) (malware.rules)
2850280 - ETPRO MALWARE Observed Malicious SSL Cert (BazaLoader CnC) (malware.rules)
[---] Removed rules: [---]
2028832 - ET JA3 Hash - Suspected Cobalt Strike Malleable C2 (ja3s) M1 (ja3.rules)
2037960 - ET MALWARE Observed Malicious SSL Cert (Acme Co) (malware.rules)
2821945 - ETPRO MALWARE Likely APT29 Retrieving Payload Embedded In PNG (malware.rules)
2822055 - ETPRO MALWARE Likely APT29 Retrieving Payload Embedded In PNG 2 (malware.rules)
2822622 - ETPRO MALWARE Likely APT29 Retrieving Payload Embedded In PNG 3 (malware.rules)
2823197 - ETPRO MALWARE Possible APT29 Compressed Payload Download Request (malware.rules)
2823642 - ETPRO MALWARE APT28 DealersChoice CnC Beacon Response (malware.rules)
2835618 - ETPRO MALWARE APT28 Zebrocy/Zekapab POST Template Structure (malware.rules)
2836072 - ETPRO MALWARE APT28 Zebrocy/Zekapab CnC Checkin (malware.rules)