[***] Summary: [***]

15 new OPEN, 19 new PRO (15 + 4). Win32/Stealc, Win32/WhiskerSpy,
CVE-2023-21690, Others.

Thanks @TrendMicroRSRCH, @sekoia_io

The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Open:

2044243 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in (malware.rules)
2044244 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 (malware.rules)
2044245 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config (malware.rules)
2044246 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 (malware.rules)
2044247 - ET MALWARE Win32/Stealc Active C2 Responding with plugins Config (malware.rules)
2044248 - ET MALWARE Win32/Stealc Submitting System Information to C2 (malware.rules)
2044249 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 (malware.rules)
2044250 - ET MALWARE Win32/WhiskerSpy - Machine ID Registration (malware.rules)
2044251 - ET MALWARE Win32/WhiskerSpy - Key Material Upload (malware.rules)
2044252 - ET MALWARE Win32/WhiskerSpy - Task Request (malware.rules)
2044253 - ET MALWARE Win32/WhiskerSpy CnC Activity (malware.rules)
2044254 - ET MALWARE Win32/WhiskerSpy - FTP - Observed Creds (malware.rules)
2044255 - ET MALWARE Win32/WhiskerSpy - FTP STOR Command M1 (malware.rules)
2044256 - ET MALWARE Win32/WhiskerSpy - FTP STOR Command M2 (malware.rules)
2044257 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .calendar .wishmarkets .com) (malware.rules)

Pro:

2853518 - ETPRO INFO Abnormally Large Remote TLS Certificate Drip Feed Inbound - Potential Exploit Activity (info.rules)
2853519 - ETPRO EXPLOIT Microsoft Protected Extensible Authentication Protocol RCE xbits set, noalert (CVE-2023-21690) (exploit.rules)
2853520 - ETPRO EXPLOIT Microsoft Protected Extensible Authentication Protocol RCE Attempt Inbound (CVE-2023-21690) (exploit.rules)
2853521 - ETPRO HUNTING POST to a 32 byte hex string name PHP file (hunting.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team