Daily Ruleset Update Summary 2023/03/07

[***] Summary: [***]

65 new OPEN, 74 new PRO (65 + 9). Several dynamic DNS, Android Mobile Malware, SYS01 infostealer, and many more.

Thanks @morphisec, @sans_isc, @BlackLotusLabs

The Emerging Threats mailing list is migrating to Discourse. Please
visit us at https://community.emergingthreats.net

The mailing list is being retired on April 3, 2023.

[+++] Added rules: [+++]

Open:

2044453 - ET INFO External IP Address Lookup - myip.ch (info.rules)
2044454 - ET INFO DYNAMIC_DNS Query to a *.pagostepeapulco .gob .mx Domain (info.rules)
2044455 - ET INFO DYNAMIC_DNS HTTP Request to a *.pagostepeapulco .gob.mx Domain (info.rules)
2044456 - ET INFO DYNAMIC_DNS Query to a *.tecalideherrera .gob .mx Domain (info.rules)
2044457 - ET INFO DYNAMIC_DNS HTTP Request to a *.tecalideherrera.gob.mx Domain (info.rules)
2044458 - ET INFO DYNAMIC_DNS Query to a *.custom-gaming .net Domain (info.rules)
2044459 - ET INFO DYNAMIC_DNS HTTP Request to a *.custom-gaming .net Domain (info.rules)
2044460 - ET INFO DYNAMIC_DNS Query to a *.panel-laboralcj .gob .mx Domain (info.rules)
2044461 - ET INFO DYNAMIC_DNS HTTP Request to a *.panel-laboralcj .gob .mx Domain (info.rules)
2044462 - ET INFO DYNAMIC_DNS Query to a *.minecraft .id .lv Domain (info.rules)
2044463 - ET INFO DYNAMIC_DNS HTTP Request to a *.minecraft .id .lv Domain (info.rules)
2044464 - ET INFO DYNAMIC_DNS Query to a *.aneisa .com Domain (info.rules)
2044465 - ET INFO DYNAMIC_DNS HTTP Request to a *.aneisa .com Domain (info.rules)
2044466 - ET INFO DYNAMIC_DNS Query to a *.reason .org .nz Domain (info.rules)
2044467 - ET INFO DYNAMIC_DNS HTTP Request to a *.reason .org .nz Domain (info.rules)
2044468 - ET INFO DYNAMIC_DNS Query to a *.capim .com .mx Domain (info.rules)
2044469 - ET INFO DYNAMIC_DNS HTTP Request to a *.capim .com .mx Domain (info.rules)
2044470 - ET INFO DYNAMIC_DNS Query to a *.mcwrite .net Domain (info.rules)
2044471 - ET INFO DYNAMIC_DNS HTTP Request to a *.mcwrite .net Domain (info.rules)
2044472 - ET INFO DYNAMIC_DNS Query to a *.visorideags .gob .mx Domain (info.rules)
2044473 - ET INFO DYNAMIC_DNS HTTP Request to a *.visorideags .gob .mx Domain (info.rules)
2044474 - ET INFO DYNAMIC_DNS Query to a *.bbs .io Domain (info.rules)
2044475 - ET INFO DYNAMIC_DNS HTTP Request to a *.bbs .io Domain (info.rules)
2044476 - ET INFO DYNAMIC_DNS Query to a *.bbgc .com .my Domain (info.rules)
2044477 - ET INFO DYNAMIC_DNS HTTP Request to a *.bbgc .com .my Domain (info.rules)
2044478 - ET INFO DYNAMIC_DNS Query to a *.drtonywang .com Domain (info.rules)
2044479 - ET INFO DYNAMIC_DNS HTTP Request to a *.drtonywang .com Domain (info.rules)
2044480 - ET INFO DYNAMIC_DNS Query to a *.fernando-botero-sculpture .com Domain (info.rules)
2044481 - ET INFO DYNAMIC_DNS HTTP Request to a *.fernando-botero-sculpture .com Domain (info.rules)
2044482 - ET INFO DYNAMIC_DNS Query to a *.ku4oy .us Domain (info.rules)
2044483 - ET INFO DYNAMIC_DNS HTTP Request to a *.ku4oy .us Domain (info.rules)
2044484 - ET INFO DYNAMIC_DNS Query to a *.ireland .mx Domain (info.rules)
2044485 - ET INFO DYNAMIC_DNS HTTP Request to a *.ireland .mx Domain (info.rules)
2044486 - ET INFO DYNAMIC_DNS Query to a *.giseler .com Domain (info.rules)
2044487 - ET INFO DYNAMIC_DNS HTTP Request to a *.giseler .com Domain (info.rules)
2044488 - ET INFO DYNAMIC_DNS Query to a *.absl .ro Domain (info.rules)
2044489 - ET INFO DYNAMIC_DNS HTTP Request to a *.absl .ro Domain (info.rules)
2044490 - ET INFO DYNAMIC_DNS Query to a *.vix .ro Domain (info.rules)
2044491 - ET INFO DYNAMIC_DNS HTTP Request to a *.vix .ro Domain (info.rules)
2044492 - ET INFO DYNAMIC_DNS Query to a *.frostcatcher .com Domain (info.rules)
2044493 - ET INFO DYNAMIC_DNS HTTP Request to a *.frostcatcher .com Domain (info.rules)
2044494 - ET INFO DYNAMIC_DNS Query to a *.peeramidspirits .com Domain (info.rules)
2044495 - ET INFO DYNAMIC_DNS HTTP Request to a *.peeramidspirits .com Domain (info.rules)
2044496 - ET INFO DYNAMIC_DNS Query to a *.johanson .ee Domain (info.rules)
2044497 - ET INFO DYNAMIC_DNS HTTP Request to a *.johanson .ee Domain (info.rules)
2044498 - ET INFO Public Proxy Service Domain in DNS Lookup (api.proxyscrape .com) (info.rules)
2044499 - ET INFO Observed Public Proxy Service Domain (api.proxyscrape.com in TLS SNI) (info.rules)
2044500 - ET INFO Public Proxy Service Domain in DNS Lookup (89ip .cn) (info.rules)
2044501 - ET INFO Observed Public Proxy Service Domain (www .89ip .cn in TLS SNI) (info.rules)
2044502 - ET MALWARE Maldoc Retrieving Payload (malware.rules)
2044503 - ET MALWARE Hiatus RAT CnC Checkin (malware.rules)
2044504 - ET INFO Request for Visual Studio Code sftp.json - Possible Information Leak (info.rules)
2044505 - ET MALWARE SYS01 Information Stealer - CnC Checkin (malware.rules)
2044506 - ET MALWARE SYS01 Information Stealer CnC Domain (seemlabie.top) in DNS Lookup (malware.rules)
2044507 - ET MALWARE SYS01 Information Stealer CnC Domain (craceruib.top) in DNS Lookup (malware.rules)
2044508 - ET MALWARE SYS01 Information Stealer CnC Domain (oscarnaija.com) in DNS Lookup (malware.rules)
2044509 - ET MALWARE SYS01 Information Stealer CnC Domain (caseiden.com) in DNS Lookup (malware.rules)
2044510 - ET MALWARE SYS01 Information Stealer CnC Domain (mahinetain.top) in DNS Lookup (malware.rules)
2044511 - ET MALWARE SYS01 Information Stealer CnC Domain (makananwisata .com) in DNS Lookup (malware.rules)
2044512 - ET MALWARE SYS01 Information Stealer CnC Domain (graeslavur.com) in DNS Lookup (malware.rules)
2044513 - ET MALWARE SYS01 Information Stealer CnC Domain (rapadtrai.com) in DNS Lookup (malware.rules)
2044514 - ET MALWARE SYS01 Information Stealer CnC Domain (baglamanotalari .com) in DNS Lookup (malware.rules)
2044515 - ET MALWARE SYS01 Information Stealer CnC Domain (seleriti .com) in DNS Lookup (malware.rules)
2044516 - ET MALWARE SocGholish Domain in DNS Lookup (profit .3stepsprofit.com) (malware.rules)
2044517 - ET MALWARE SocGholish Domain in DNS Lookup (use .solqueen.com) (malware.rules)

Pro:

2853630 - ETPRO MOBILE_MALWARE Android.Spy.1030 CnC Domain in DNS Lookup (mobile_malware.rules)
2853631 - ETPRO MOBILE_MALWARE Android/Harly.AF CnC Domain in DNS Lookup (mobile_malware.rules)
2853632 - ETPRO MOBILE_MALWARE Android/Harly.AF CnC Domain in DNS Lookup (mobile_malware.rules)
2853633 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Doina.C CnC Domain in DNS Lookup (mobile_malware.rules)
2853634 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.FakeApp.r Checkin (mobile_malware.rules)
2853635 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.adh CnC Domain in DNS Lookup (mobile_malware.rules)
2853636 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Agent.ga CnC Domain in DNS Lookup (mobile_malware.rules)
2853637 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Goatrat.a CnC Domain in DNS Lookup (mobile_malware.rules)
2853638 - ETPRO MALWARE DarkCloudBot Stealer Exfil via Telegram M3 (malware.rules)

[---] Disabled and modified rules: [---]

2034099 - ET MALWARE Observed Cobalt Strike CnC Domain (yawero .com in TLS SNI) (malware.rules)
2034100 - ET MALWARE Observed Cobalt Strike CnC Domain (sazoya .com in TLS SNI) (malware.rules)
2034140 - ET MALWARE Observed Ursnif CnC Domain (Gloderuniok .website in TLS SNI) (malware.rules)
2034141 - ET MALWARE Observed Ursnif CnC Domain (Vloderuniok .website in TLS SNI) (malware.rules)
2034142 - ET MALWARE Observed Cobalt Strike CnC Domain (Gojihu .com in TLS SNI) (malware.rules)
2034143 - ET MALWARE Observed Cobalt Strike CnC Domain (Yuxicu .com in TLS SNI) (malware.rules)
2034441 - ET MALWARE Observed Compromised Domain (cryptoarenastore .com in TLS SNI) (2021-11-12) (malware.rules)
2034880 - ET MALWARE Quasar CnC Domain in DNS Lookup (malware.rules)
2035955 - ET EXPLOIT Razer Sila Router - Command Injection Attempt Inbound (No CVE) (exploit.rules)
2035956 - ET EXPLOIT Razer Sila Router - LFI Attempt Inbound (No CVE) (exploit.rules)
2042999 - ET MALWARE SocGholish Domain in DNS Lookup (group5.corralphacap .com) (malware.rules)
2044055 - ET MALWARE Observed DNS Query to IcedID Domain (alijhaborta.com) (malware.rules)
2044057 - ET MALWARE Observed DNS Query to IcedID Domain (windmencherser .com) (malware.rules)
2044058 - ET MALWARE Observed DNS Query to IcedID Domain (leftcatrheringg .com) (malware.rules)
2044059 - ET MALWARE Observed DNS Query to IcedID Domain (yelsopotre.com) (malware.rules)
2044060 - ET MALWARE Observed DNS Query to IcedID Domain (headertolz.com) (malware.rules)
2044257 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .calendar.wishmarkets .com) (malware.rules)

[---] Removed rules: [---]

2823420 - ETPRO POLICY External IP Address Lookup - myip.ch (policy.rules)