[***] Summary: [***]
13 new OPEN, 26 new PRO (13 + 13) Gootloader, MSIL/PSW.Agent.STP, XWorm
and Win32/GenKryptik.GCJX.
Thanks @Mandiant, @0xToxin
A whole slew of DYNAMIC_DNS rules had reference and MITRE ATT&CK
updates. Due to an internal company holiday there will be no rule release
tomorrow, Friday March 3rd, 2023.
The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net
The mailing list is being retired on April 3, 2023.
[+++] Added rules: [+++]
Open:
2044421 - ET INFO DYNAMIC_DNS Query to a *.mollypornstar .com domain (info.rules)
2044422 - ET INFO DYNAMIC_DNS HTTP Request to a *.mollypornstar .com domain (info.rules)
2044423 - ET MALWARE Observed Gootloader Domain in DNS Lookup (jp .imonitorsoft .com) (malware.rules)
2044424 - ET MALWARE Observed Gootloader Domain in DNS Lookup (kakiosk .adsparkdev .com) (malware.rules)
2044425 - ET MALWARE Observed Gootloader Domain in DNS Lookup (kristinee .com) (malware.rules)
2044426 - ET MALWARE Observed Gootloader Domain in DNS Lookup (jonathanbartz .com) (malware.rules)
2044427 - ET MALWARE Observed Gootloader Domain in DNS Lookup (kepw .org) (malware.rules)
2044428 - ET MALWARE Observed Gootloader Domain in DNS Lookup (lakeside-fishandchips .com) (malware.rules)
2044429 - ET MALWARE Observed Gootloader Domain in DNS Lookup (junk-bros .com) (malware.rules)
2044430 - ET ATTACK_RESPONSE VBS/TrojanDownloader.Agent.YLH Payload Inbound (attack_response.rules)
2044431 - ET MALWARE MSIL/PSW.Agent.STP Data Exfiltration Attempt (malware.rules)
2044432 - ET MALWARE Win32/GenKryptik.GCJX Data Exfiltration Attempt (malware.rules)
2044433 - ET ADWARE_PUP Win32/Presenoker Checkin (adware_pup.rules)
Pro:
2853616 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2853617 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853618 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853619 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2853620 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853621 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853622 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853623 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853624 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853625 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2853626 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853627 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853628 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
[///] Modified inactive rules: [///]
2853606 - ETPRO MALWARE ReverseRAT Activity (POST) - Generic (malware.rules)
[---] Disabled and modified rules: [---]
2035473 - ET MALWARE Win32/PlugX Related Activity (malware.rules)
2035517 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2035653 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
2035692 - ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M1 (malware.rules)
2036590 - ET MALWARE Win32/Throwback CnC Activity (POST) (malware.rules)
2039028 - ET MALWARE TA569 sczriptzzbn JavaScript Inject (malware.rules)
2039029 - ET MALWARE TA569 Fake Captcha Download (malware.rules)
2039031 - ET MALWARE TA569 Fake Browser Update (malware.rules)
2039084 - ET MALWARE TA569 Obfuscated sczriptzzb JavaScript Inject (malware.rules)
2043099 - ET MALWARE TA569 Domain in DNS Lookup (luxurycompare .com) (malware.rules)
2043405 - ET MALWARE DOUBLEBACK Related Domain in DNS Lookup (barricks .org) (malware.rules)
2043406 - ET MALWARE Observed DOUBLEBACK Related Domain (barricks .org in TLS SNI) (malware.rules)
[---] Disabled rules: [---]
2029200 - ET MALWARE Observed Malicious SSL Cert (jssLoader CnC) (malware.rules)
2029245 - ET MALWARE Observed Malicious SSL Cert (ServHelper CnC) (malware.rules)
2029295 - ET MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
2029296 - ET MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
2035374 - ET MALWARE Kimsuky APT BabyShark/SHARPEXT Related Domain in DNS Lookup (worldinfocontact .club) (malware.rules)
2035389 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
2035447 - ET PHISHING Successful Generic Phish 2022-03-11 (phishing.rules)
2035471 - ET MALWARE Win32/44Caliber Stealer Discord Activity (POST) (malware.rules)
2836358 - ETPRO MALWARE Win32.Raccoon Stealer Checkin Error Response M1 (malware.rules)
2839970 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2840046 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
2840080 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2840114 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
2840227 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-02 (malware.rules)
2840228 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-02 (malware.rules)
2840229 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-02 (malware.rules)
2840357 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
2840389 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2840390 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
2840417 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-13 (malware.rules)
2840506 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2840507 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
2840508 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
2840547 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2840548 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-21 (malware.rules)
2840618 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
2840740 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
2840778 - ETPRO MALWARE Observed Malicious SSL Cert (DonotGroup CnC) (malware.rules)
2840781 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
2840868 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)
2840869 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID CnC) (malware.rules)