[***] Summary: [***]
28 new OPEN, 28 new PRO (28 + 0) HiYu Phish, TA453, Gurcu Stealer, Observed NimPlant, Coinbase Phish, EvilExtractor Stealer, Trojan/Win32.Agent, PS1Loader
Thanks @c7rl4ltd3lc, @certfalab
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net/
The mailing list is being retired on April 3, 2023.
Happy Free Sig Friday!
[+++] Added rules: [+++]
Open:
2044318 - ET PHISHING HiYu - Request for Victim Enrichment (phishing.rules)
2044319 - ET PHISHING HiYu - Victim Enrichment Response M1 (phishing.rules)
2044320 - ET PHISHING HiYu - Victim Enrichment Response M2 (phishing.rules)
2044321 - ET PHISHING HiYu - Victim Enrichment Response M3 (phishing.rules)
2044322 - ET PHISHING HiYu - Request for User Specific Landing Page (phishing.rules)
2044323 - ET PHISHING TA453 Phishing Domain in DNS Lookup (phishing.rules)
2044324 - ET PHISHING TA453 Phishing Domain in DNS Lookup (phishing.rules)
2044325 - ET PHISHING TA453 Phishing Domain in DNS Lookup (phishing.rules)
2044326 - ET PHISHING TA453 Phishing Domain in DNS Lookup (phishing.rules)
2044327 - ET PHISHING TA453 Phishing Domain in DNS Lookup (phishing.rules)
2044328 - ET INFO DYNAMIC_DNS Query to a *.100mountain .com Domain (info.rules)
2044329 - ET INFO DYNAMIC_DNS HTTP Request to a *.100mountain .com Domain (info.rules)
2044330 - ET INFO DYNAMIC_DNS Query to a *.litecsys .com Domain (info.rules)
2044331 - ET INFO DYNAMIC_DNS HTTP Request to a *.litecsys .com Domain (info.rules)
2044332 - ET INFO DYNAMIC_DNS Query to a *.itekgroup .com Domain (info.rules)
2044333 - ET INFO DYNAMIC_DNS HTTP Request to a *.itekgroup .com Domain (info.rules)
2044334 - ET INFO DYNAMIC_DNS Query to a *.apps .dj Domain (info.rules)
2044335 - ET INFO DYNAMIC_DNS HTTP Request to a *.apps .dj Domain (info.rules)
2044336 - ET INFO DYNAMIC_DNS Query to a *.kayanganmedia .com Domain (info.rules)
2044337 - ET INFO DYNAMIC_DNS HTTP Request to a *.kayanganmedia .com Domain (info.rules)
2044338 - ET MALWARE Gurcu Stealer Response (Inbound) (malware.rules)
2044339 - ET MALWARE Observed NimPlant UA (NimPlant) (malware.rules)
2044340 - ET MALWARE Observed NimPlant Server Response (Inbound) (malware.rules)
2044341 - ET INFO HTTP Request to logo .clearbit .com (info.rules)
2044342 - ET PHISHING Coinbase Credential Phish 2023-02-24 (phishing.rules)
2044343 - ET MALWARE EvilExtractor Stealer CnC Domain (evilextractor .com) in DNS Lookup (malware.rules)
2044344 - ET MALWARE Trojan/Win32.Agent Variant Checkin (malware.rules)
2044345 - ET MALWARE PS1Loader Encoded Profiling POST (malware.rules)
[---] Disabled and modified rules: [---]
2034962 - ET MALWARE Win32/Tiggre Variant Activity Sending System Files (POST) (malware.rules)
2035006 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2035007 - ET MALWARE Gamaredon Related Maldoc Activity (GET) (malware.rules)
2035210 - ET MALWARE MosesStaff APT Related Activity (POST) (malware.rules)
2035370 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
2039027 - ET MALWARE TA569 Domain in DNS Lookup (luxury-limousine .com) (malware.rules)
2039102 - ET MALWARE TA569 Fake Browser Update Domain in DNS Lookup (profi-stom .com) (malware.rules)
2850961 - ETPRO PHISHING Successful Generic Phish 2022-01-28 (phishing.rules)
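How a practitioner might consume an update like this one, as an added example that is not Emerging Threats' own tooling: the script re-joins the entries the mail client wrapped, records SID, message, rule file, section and ruleset for each, refangs the domains ET prints with a space before each dot, and emits a one-SID-per-line list in the form suricata-update's enable.conf / disable.conf accept (useful for reviewing the ET INFO DYNAMIC_DNS additions separately before they go live). SAMPLE is a constructed excerpt of the lines above. The wrapping rule (a line that starts with neither a SID nor a section marker continues the previous entry) and the use of the "ET " / "ETPRO " message prefix as the Open/Pro distinction are this example's assumptions, not documented ET conventions; since the mail's "Disabled and modified rules" heading does not say which entries were disabled and which modified, both are recorded only as "changed" and the rule file has to be checked.

```python
"""Parse an Emerging Threats daily-update mail into rule records.

Added example, not Emerging Threats' own tooling. SAMPLE is a constructed
excerpt of the announcement above, wrapped at mail width as received.
Assumptions: an entry starts with a 7-digit SID and ends with its rule file
in parentheses; a line that starts with neither a SID nor a section marker
continues the previous entry; "ET " vs "ETPRO " distinguishes Open from Pro.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
[+++] Added rules: [+++]
Open:
2044318 - ET PHISHING HiYu - Request for Victim Enrichment
(phishing.rules)
2044327 - ET PHISHING TA453 Phishing Domain in DNS Lookup (phishing.rules)
2044328 - ET INFO DYNAMIC_DNS Query to a *.100mountain .com Domain
(info.rules)
2044343 - ET MALWARE EvilExtractor Stealer CnC Domain (evilextractor
.com) in DNS Lookup (malware.rules)
[---] Disabled and modified rules: [---]
2039027 - ET MALWARE TA569 Domain in DNS Lookup (luxury-limousine .com)
(malware.rules)
2850961 - ETPRO PHISHING Successful Generic Phish 2022-01-28
(phishing.rules)
"""

SID_LINE = re.compile(r"^\d{7} - ")
SECTION = re.compile(r"^\[(\+\+\+|---)\] (.+?): \[(?:\+\+\+|---)\]$")
ENTRY = re.compile(r"^(?P<sid>\d{7}) - (?P<msg>.*) \((?P<file>[a-z_]+\.rules)\)$")
# ET defangs domains by putting a space before each dot: "logo .clearbit .com"
DEFANGED = re.compile(r"[A-Za-z0-9-]+(?: \.[A-Za-z0-9-]+)+")
RULESET_HEADERS = ("Open:", "Pro:")


@dataclass(frozen=True)
class RuleEntry:
    sid: int
    msg: str
    rule_file: str
    section: str   # "added", "changed" (disabled or modified; the mail does not say which) or "unknown"
    ruleset: str   # "open" or "pro"


def _joined_lines(text):
    """Undo mail wrapping: a line that starts with neither a SID, a section
    marker nor a ruleset header is appended to the previous line."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SID_LINE.match(line) or SECTION.match(line) or line in RULESET_HEADERS or not out:
            out.append(line)
        else:
            out[-1] = out[-1] + " " + line
    return out


def parse_update(text):
    """Return the RuleEntry records found in an update mail, in mail order."""
    entries = []
    section = "unknown"
    for line in _joined_lines(text):
        m = SECTION.match(line)
        if m:
            section = "added" if m.group(1) == "+++" else "changed"
            continue
        m = ENTRY.match(line)
        if not m:
            continue  # summary, thanks, ruleset headers and other prose
        msg = m.group("msg")
        ruleset = "pro" if msg.startswith("ETPRO ") else "open"
        entries.append(RuleEntry(int(m.group("sid")), msg, m.group("file"), section, ruleset))
    return entries


def defanged_domains(entries):
    """Refang the domains printed inside rule messages; de-duplicated, first-seen order."""
    seen = {}
    for e in entries:
        for d in DEFANGED.findall(e.msg):
            seen.setdefault(d.replace(" .", "."), None)
    return list(seen)


def sids_for(entries, section="added", ruleset="open", rule_files=None):
    """SIDs from one section and ruleset, optionally limited to given rule files
    (e.g. {"info.rules"} to review the noisier ET INFO additions on their own)."""
    return [e.sid for e in entries
            if e.section == section and e.ruleset == ruleset
            and (rule_files is None or e.rule_file in rule_files)]


def suricata_update_conf(entries, **selection):
    """One SID per line, the form suricata-update's enable.conf / disable.conf
    accept; the message goes on a preceding '#' comment line to keep the file readable."""
    by_sid = {e.sid: e for e in entries}
    lines = []
    for sid in sids_for(entries, **selection):
        lines.append(f"# {by_sid[sid].msg} ({by_sid[sid].rule_file})")
        lines.append(str(sid))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    for e in parsed:
        print(e.sid, e.section, e.ruleset, e.rule_file, "|", e.msg)
    print("domains:", defanged_domains(parsed))
    print(suricata_update_conf(parsed, rule_files={"info.rules"}))
```

Feed the script the full mail body instead of SAMPLE and the same functions give the complete SID and domain lists for the day; the refanged domains are only what ET printed in rule messages, not the rule contents themselves, which still have to be read from the rule files.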