[***] Summary: [***]

37 new OPEN, 40 new PRO (37 + 3). CVE-2023-20052, IcedID, XWorm, Others.

Thanks @crep1x

The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Open:

2044271 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044272 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044273 - ET INFO DYNAMIC_DNS Query to a *.nswrogaining .org Domain (info.rules)
2044274 - ET INFO DYNAMIC_DNS HTTP Request to a *.nswrogaining .org Domain (info.rules)
2044275 - ET INFO DYNAMIC_DNS Query to a *.datacomponents .com .mx Domain (info.rules)
2044276 - ET INFO DYNAMIC_DNS HTTP Request to a *.datacomponents .com .mx Domain (info.rules)
2044277 - ET INFO DYNAMIC_DNS Query to a *.portalwebvillamercedes .gob .ar Domain (info.rules)
2044278 - ET INFO DYNAMIC_DNS HTTP Request to a *.portalwebvillamercedes .gob .ar Domain (info.rules)
2044279 - ET INFO DYNAMIC_DNS Query to a *.comapatecoman .gob .mx Domain (info.rules)
2044280 - ET INFO DYNAMIC_DNS HTTP Request to a *.comapatecoman .gob .mx Domain (info.rules)
2044281 - ET INFO DYNAMIC_DNS Query to a *.potomacriversafetycommittee .org Domain (info.rules)
2044282 - ET INFO DYNAMIC_DNS HTTP Request to a *.potomacriversafetycommittee .org Domain (info.rules)
2044283 - ET INFO DYNAMIC_DNS Query to a *.nova-gns .com Domain (info.rules)
2044284 - ET INFO DYNAMIC_DNS HTTP Request to a *.nova-gns .com Domain (info.rules)
2044285 - ET INFO DYNAMIC_DNS Query to a *.sismonda .com Domain (info.rules)
2044286 - ET INFO DYNAMIC_DNS HTTP Request to a *.sismonda .com Domain (info.rules)
2044287 - ET INFO DYNAMIC_DNS Query to a *.vaultnoir .com Domain (info.rules)
2044288 - ET INFO DYNAMIC_DNS HTTP Request to a *.vaultnoir .com Domain (info.rules)
2044289 - ET PHISHING VigLink Redirect To Phishing Landing Page (phishing.rules)
2044290 - ET MALWARE Win32/Atlantida Stealer Sending System Information (POST) (malware.rules)
2044291 - ET MALWARE Win32/0xtaRAT CnC Activity (GET) M2 (malware.rules)
2044292 - ET PHISHING Generic Credential Phish Landing Page M1 2023-02-22 (phishing.rules)
2044293 - ET PHISHING Successful Generic Credential Phish M1 2023-02-22 (phishing.rules)
2044294 - ET PHISHING Generic Credential Phish Landing Page M2 2023-02-22 (phishing.rules)
2044295 - ET PHISHING Successful Generic Credential Phish M2 2023-02-22 (phishing.rules)
2044296 - ET PHISHING Successful Generic Credential Phish M1 2023-02-22 (phishing.rules)
2044297 - ET PHISHING Successful Generic Credential Phish M2 2023-02-22 (phishing.rules)
2044298 - ET PHISHING Successful Generic Credential Phish M3 2023-02-22 (phishing.rules)
2044299 - ET PHISHING Successful Generic Credential Phish M4 2023-02-22 (phishing.rules)
2044300 - ET INFO Clearbit Logo Query in DNS Lookup (info.rules)
2044301 - ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity (hunting.rules)
2044302 - ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity (hunting.rules)
2044303 - ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity (hunting.rules)
2044304 - ET HUNTING HTTP GET Request for msvcp40.dll - Possible Infostealer Activity (hunting.rules)
2044305 - ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity (hunting.rules)
2044306 - ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity (hunting.rules)
2044307 - ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity (hunting.rules)

Pro:

2853530 - ETPRO EXPLOIT Possible ClamAV XML XXE in Maliciously Crafted .dmg M1 (CVE-2023-20052) (exploit.rules)
2853531 - ETPRO EXPLOIT Possible ClamAV XML XXE in Maliciously Crafted .dmg M2 (CVE-2023-20052) (exploit.rules)
2853532 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)

[---] Disabled and modified rules: [---]

2853520 - ETPRO EXPLOIT Microsoft Protected Extensible Authentication Protocol RCE Attempt Inbound (CVE-2023-21690) (exploit.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
