Daily Ruleset Update Summary 2023/02/21

Daily Ruleset Update Summary

[***] Summary: [***]

12 new OPEN, 12 new PRO (12 + 0). Win32/Snojan, Win32/0xtaRAT,
Gamaredon, Others.

Thanks @cpresearch

The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Open:

2044258 - ET MALWARE Win32/Snojan Variant Sending System Information
(GET) (malware.rules)
2044259 - ET MALWARE Win32/Snojan Variant Sending System Information
(POST) (malware.rules)
2044260 - ET MALWARE Villain C2 Framework CnC Exfil (POST) (malware.rules)
2044261 - ET MALWARE Win32/0xtaRAT CnC Activity (GET) (malware.rules)
2044262 - ET MALWARE Observed Operation Silent Watch Domain in DNS Lookup
(edupoliceam .info) (malware.rules)
2044263 - ET MALWARE Observed Operation Silent Watch Domain in DNS Lookup
(filecloudservices .xyz) (malware.rules)
2044264 - ET MALWARE Observed Operation Silent Watch Domain in DNS Lookup
(filesindrive .info) (malware.rules)
2044265 - ET MALWARE Observed Operation Silent Watch Domain in DNS Lookup
(avvpassport .info) (malware.rules)
2044266 - ET MALWARE Observed Operation Silent Watch Domain in DNS Lookup
(mediacloud .space) (malware.rules)
2044267 - ET PHISHING Generic Credential Phish Landing Page 2023-02-21
(phishing.rules)
2044268 - ET MALWARE Gamaredon C2 Domain (a0728173 .xsph .ru) in DNS
Lookup (malware.rules)
2044269 - ET MALWARE Gamaredon C2 Domain (f0559838 .xsph .ru) in DNS
Lookup (malware.rules)

[---] Disabled and modified rules: [---]

2034474 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
2034752 - ET MALWARE Win32/BazarLoader Activity (GET) (malware.rules)
2039839 - ET MALWARE SocGholish Domain in DNS Lookup (subscribe .3gbling
.com) (malware.rules)
2043264 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043265 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043266 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043267 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043270 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043271 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2043422 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .betting
.cockroachracing .site) (malware.rules)
2043456 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .market
.dentureforfree .online) (malware.rules)
2043457 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .rendezvous
.tophandsome .gay) (malware.rules)
2043458 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .signing
.unitynotarypublic .com) (malware.rules)
2043993 - ET MALWARE Observed DNS Query to IcedID Domain (nomaeradiur
.com) (malware.rules)
2043995 - ET MALWARE Observed DNS Query to IcedID Domain (tibloautonef
.com) (malware.rules)
2044140 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .samples
.muzikcitysound .com) (malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team

Date:

Tuesday, February 21, 2023

Summary title:

12 new OPEN, 12 new PRO (12 + 0). Win32/Snojan, Win32/0xtaRAT, Gamaredon, Others.