[***] Summary: [***]
42 new OPEN, 45 new PRO (42 + 3) MageCart, ReverseRAT, IcedID, Donot Group, BUGHATCH, SocGholish and various Android malware.
Thanks @cs0sf, @GGGGh0st, @sucurisecurity, @SentinelOne, @elastic,
@Bitdefender, @AuCyble, @Cyber0verload, @MonThreat, @souiten
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net
The mailing list is being retired on April 3, 2023.
Due to an internal company holiday, there will be no rule release on Friday, March 3rd, 2023.
[+++] Added rules: [+++]
Open:
2044370 - ET HUNTING Likely Hex Encoded Executable as String - Pipe Separated (hunting.rules)
2044371 - ET HUNTING Likely Hex Encoded Executable as String - Dash Separated (hunting.rules)
2044372 - ET HUNTING Likely Hex Encoded Executable as String - Octothorp Separated (hunting.rules)
2044373 - ET HUNTING Likely Hex Encoded Executable as String - Percent Separated (hunting.rules)
2044374 - ET HUNTING Likely Hex Encoded Executable as String - Double Quote Separated (hunting.rules)
2044375 - ET HUNTING Likely Hex Encoded Executable as String - Single Quote Separated (hunting.rules)
2044376 - ET HUNTING Likely Hex Encoded Executable as String - Tilde Separated (hunting.rules)
2044377 - ET HUNTING Likely Hex Encoded Executable as String - Backtick Separated (hunting.rules)
2044378 - ET HUNTING Likely Hex Encoded Executable as String - Comma Separated (hunting.rules)
2044379 - ET MALWARE ReverseRat 3.0 CnC Checkin M1 (malware.rules)
2044380 - ET MALWARE ReverseRat 3.0 CnC Checkin M2 (malware.rules)
2044381 - ET INFO Observed CheckMal AV/Anti-Ransomware Domain (www .checkmal .com in TLS SNI) (info.rules)
2044382 - ET MALWARE Donot Group APT Related Domain in DNS Lookup (briefdeal .buzz) (malware.rules)
2044383 - ET MALWARE Observed Donot Group APT Domain (briefdeal .buzz in TLS SNI) (malware.rules)
2044384 - ET MALWARE Observed Donot Group APT Domain (winterhero .buzz in TLS SNI) (malware.rules)
2044385 - ET MALWARE Donot Group APT Related Domain in DNS Lookup (winterhero .buzz) (malware.rules)
2044386 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
2044387 - ET MALWARE Win32/BUGHATCH SpawnAgent Request (GET) M1 (malware.rules)
2044388 - ET MALWARE Win32/BUGHATCH SpawnAgent Request (GET) M2 (malware.rules)
2044389 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (rithdigit .cyou) (malware.rules)
2044390 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (app-stat .com) (malware.rules)
2044391 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (yachtbars .fun) (malware.rules)
2044392 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (antohub .shop) (malware.rules)
2044393 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (okqtfc1 .org) (malware.rules)
2044394 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (nebiltech .shop) (malware.rules)
2044395 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (jquery-node .com) (malware.rules)
2044396 - ET MALWARE Fake ChatGPT Domain in DNS Lookup (chat-gpt-pc .online) (malware.rules)
2044397 - ET MALWARE Fake ChatGPT Domain in DNS Lookup (openai-pc-pro .online) (malware.rules)
2044398 - ET MALWARE Fake ChatGPT Domain in DNS Lookup (chat-gpt-online-pc .com) (malware.rules)
2044399 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (virga .pp .ua) (info.rules)
2044400 - ET MALWARE IcedID CnC Domain (neonmilkustaers .com) in DNS Lookup (malware.rules)
2044401 - ET MALWARE IcedID CnC Domain (whothitheka .com) in DNS Lookup (malware.rules)
2044402 - ET MALWARE IcedID CnC Domain (trbiriumpa .com) in DNS Lookup (malware.rules)
2044403 - ET MALWARE IcedID CnC Domain (svoykbragudern .com) in DNS Lookup (malware.rules)
2044404 - ET MALWARE 8220 Gang CnC Domain (jira .letmaker .top) in DNS Lookup (malware.rules)
2044405 - ET MALWARE 8220 Gang CnC Domain (dw .bpdeliver .ru) in DNS Lookup (malware.rules)
2044406 - ET MALWARE 8220 Gang CnC Domain (fbi .su1001-2 .top) in DNS Lookup (malware.rules)
2044407 - ET MALWARE SocGholish Domain in DNS Lookup (catalog .iroldzyn .com) (malware.rules)
2044408 - ET MALWARE SocGholish Domain in DNS Lookup (accountability .thefenceanddeckguys .com) (malware.rules)
2044409 - ET MALWARE SocGholish Domain in DNS Lookup (oxford .courstify .com) (malware.rules)
2044410 - ET EXPLOIT_KIT NDSW/NDSX Javascript Inject (exploit_kit.rules)
2044411 - ET PHISHING Successful Ionos Credential Phish 2023-02-28 (phishing.rules)
Pro:
2853604 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.auu CnC Domain in DNS Lookup (mobile_malware.rules)
2853605 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Xhunter.a CnC Domain in DNS Lookup (mobile_malware.rules)
2853606 - ETPRO MALWARE ReverseRAT Activity (POST) - Generic (malware.rules)
[---] Removed rules: [---]
2851185 - ETPRO INFO Observed CheckMal AV/Anti-Ransomware Domain (www .checkmal .com in TLS SNI) (info.rules)