[***] Summary: [***]

30 new OPEN, 73 new PRO (30 + 43) XWorm, HMR RAT, LIGHTSHOW

Thanks @suyog41, @Mandiant, @travisbgreen, @ASEC_Analysis,
@corelight_inc, @benreardon, @Gi7w0rm, @corelight_inc, @benreardon

The Emerging Threats mailing list is migrating to Discourse. Please
visit us at https://community.emergingthreats.net

The mailing list is being retired on April 3, 2023.

[+++] Added rules: [+++]

Open:

2044585 - ET EXPLOIT TP-Link Archer AX21 Unauthenticated Command Injection Inbound (CVE-2023-1389) (exploit.rules)
2044586 - ET INFO DYNAMIC_DNS Query to a *.adoubleu .de Domain (info.rules)
2044587 - ET INFO DYNAMIC_DNS HTTP Request to a *.adoubleu .de Domain (info.rules)
2044588 - ET INFO DYNAMIC_DNS Query to a *.4twenty .us Domain (info.rules)
2044589 - ET INFO DYNAMIC_DNS HTTP Request to a *.4twenty .us Domain (info.rules)
2044590 - ET INFO playit .gg Tunneling Domain in DNS Lookup (info.rules)
2044591 - ET INFO DYNAMIC_DNS Query to a *.aarogyamnepal .org .np Domain (info.rules)
2044592 - ET INFO DYNAMIC_DNS HTTP Request to a *.aarogyamnepal .org .np Domain (info.rules)
2044593 - ET INFO DYNAMIC_DNS Query to a *.adistra .com Domain (info.rules)
2044594 - ET INFO DYNAMIC_DNS HTTP Request to a *.adistra .com Domain (info.rules)
2044595 - ET MALWARE Win32/HMR RAT Sending System Information M3 (malware.rules)
2044596 - ET MALWARE Win32/HMR RAT Sending System Information M4 (malware.rules)
2044597 - ET MALWARE Amadey Bot Activity (POST) (malware.rules)
2044598 - ET MALWARE Win32/Unknown Stealer CnC Exfil via Telegram M1 (malware.rules)
2044599 - ET MALWARE Win32/Unknown Stealer CnC Exfil via Telegram M2 (malware.rules)
2044600 - ET MALWARE SIDESHOW CnC Authentication Over HTTP (malware.rules)
2044601 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (sede .lamarinadevalencia .com) (malware.rules)
2044602 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (abba-servicios .mx) (malware.rules)
2044603 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (doug .org) (malware.rules)
2044604 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (fainstec .com) (malware.rules)
2044605 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (webinternal .anyplex .com) (malware.rules)
2044606 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (leadsblue .com) (malware.rules)
2044607 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (ruscheltelefonia .com .br) (malware.rules)
2044608 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (ajayjangid .in) (malware.rules)
2044609 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (keewoom .co .kr) (malware.rules)
2044610 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (olidhealth .com) (malware.rules)
2044611 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (mantis .quick .net .pl) (malware.rules)
2044612 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (toptradenews .com) (malware.rules)
2044613 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (crickethighlights .today) (malware.rules)
2044614 - ET MALWARE Observed DNS Query to Kimsuky Domain (mpevalr .ria .monster) (malware.rules)

Pro:

2853646 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2853647 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853648 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853649 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2853650 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853651 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853652 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853653 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853654 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853655 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2853656 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853657 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853658 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2853659 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2853660 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853661 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853662 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2853663 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853664 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853665 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853666 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853667 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853668 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2853669 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853670 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853671 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2853672 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2853673 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853674 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853675 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2853676 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853677 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853678 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853679 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853680 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853681 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2853682 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853683 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2853684 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853685 - ETPRO MALWARE Win32/XWorm Checkin via Telegram (malware.rules)
2853686 - ETPRO HUNTING Google Referer POST (hunting.rules)
2853687 - ETPRO INFO Observed Phishing/Security Simulation Service Domain DNS Lookup (info.rules)
2853688 - ETPRO INFO Observed Phishing/Security Simulation Service Domain in TLS SNI (info.rules)

[---] Disabled and modified rules: [---]

2034683 - ET MALWARE Linux/Tsunami Downloader (malware.rules)
2034684 - ET MALWARE Linux/Tsunami Remote Shell M1 (malware.rules)
2034685 - ET MALWARE Linux/Tsunami Downloader (malware.rules)
2034686 - ET MALWARE Linux/Tsunami Remote Shell M2 (malware.rules)
2034739 - ET MALWARE DCRat CnC Activity M11 (malware.rules)
2034740 - ET MALWARE DCRat CnC Activity M12 (malware.rules)
2034741 - ET MALWARE DCRat CnC Activity M13 (malware.rules)
2034838 - ET SCAN WordPress HelloThinkCMF Scan (scan.rules)
2034914 - ET EXPLOIT Windows Defender POWERLIKS Detection Bypass (exploit.rules)
2034961 - ET EXPLOIT GitLab Unauthenticated Remote ExifTool Command Injection (CVE-2021-24563) (exploit.rules)
2034982 - ET MALWARE Win32/ClipBanker.OC CnC Activity M1 (malware.rules)
2034983 - ET MALWARE Win32/ClipBanker.OC CnC Activity M2 (malware.rules)
2035031 - ET MALWARE StrifeWater Rat CnC Activity (malware.rules)
2035040 - ET MALWARE StrifeWater RAT CnC Activity M2 (malware.rules)
2035098 - ET MALWARE Win32/Trojan.Agent.FSTT CnC Activity (malware.rules)
2035099 - ET MALWARE Win32/Pteranodon CnC Exfil (POST) (malware.rules)
2035207 - ET MALWARE MSIL/GenKryptik.FQRH Download Request (malware.rules)
2035211 - ET MALWARE Win32/QuasarRAT CnC Traffic (malware.rules)
2035400 - ET MALWARE JS/Skimmer Inbound (Likely MageCart) M2 (malware.rules)
2035421 - ET MALWARE Win32/ArmyOfUkraine Bot Activity (malware.rules)
2035459 - ET MALWARE MSIL/TrojanDownloader.Agent.KUO CnC Activity M1 (malware.rules)
2035536 - ET MALWARE Backdoor/Win.Gh0stRAT CnC Exfil (malware.rules)
2035565 - ET MALWARE ConPtyShell Client Response (malware.rules)
2035566 - ET MALWARE ConPtyShell Server Command (whoami) (malware.rules)
2035567 - ET MALWARE ConPtyShell Server Close Shell (malware.rules)
2035605 - ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Command Fetch (malware.rules)
2035606 - ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Domain Fetch (malware.rules)
2035693 - ET MALWARE Win32/Killav.CM CnC Response (malware.rules)
2035694 - ET MALWARE Win32/Killav.CM Checkin M2 (malware.rules)
2035753 - ET MALWARE MSIL/Unk.CoinMiner Downloader (malware.rules)
2035754 - ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader) (malware.rules)
2035755 - ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader) (malware.rules)
2035756 - ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader) (malware.rules)
2035768 - ET HUNTING Kaspov Related Hex In HTTP Accept Header (hunting.rules)
2035900 - ET MALWARE Win32/Farfli.CUY Downloader (malware.rules)
2035918 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (showsvc .com) (malware.rules)
2035919 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (wicommerece .com) (malware.rules)
2035920 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (upservicemc .com) (malware.rules)
2035921 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (netpixelds .com) (malware.rules)
2035922 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (allmyad .com) (malware.rules)
2035923 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (ananoka .com) (malware.rules)
2035924 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (gvgnci .com) (malware.rules)
2035925 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (msfbckupsc .com) (malware.rules)
2035926 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (polanicia .com) (malware.rules)
2035927 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (informaxima .org) (malware.rules)
2035928 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (worldchangeos .com) (malware.rules)
2035929 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (liongracem .com) (malware.rules)
2035930 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (jmarrycs .com) (malware.rules)
2035931 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (am-reader .com) (malware.rules)
2036244 - ET MALWARE MSIL/Crimson Client Command Response (info) (malware.rules)
2036268 - ET HUNTING Request To Suspicious Filename via Powershell (payload) (hunting.rules)
2036281 - ET MALWARE Win64/CobaltStrike.Beacon.J CnC Checkin (malware.rules)
2036282 - ET MALWARE Cobalt Strike X-Client Header (notevil) (malware.rules)
2036291 - ET MALWARE Win32/Shuckworm CnC Exfil M1 (malware.rules)
2036292 - ET MALWARE Win32/Shuckworm CnC Exfil M2 (malware.rules)
2036293 - ET MALWARE Win32/Pterodo CnC VNC Connect Request (malware.rules)
2036294 - ET MALWARE Win32/ChromeBack Extention Payload Fetch (malware.rules)
2036295 - ET MALWARE Win32/ChromeBack CnC Checkin (malware.rules)
2036296 - ET MALWARE Win32/ChromeBack Browser Hijacker Query Redirection (malware.rules)
2036297 - ET MALWARE Win32/ChromeBack Browser Hijacker Sync (malware.rules)
2036354 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (StatusTime) (malware.rules)
2036355 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (Comands) (malware.rules)
2036356 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (Checkupdate) (malware.rules)
2036357 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin M1 (malware.rules)
2036378 - ET EXPLOIT WSO2 Server RCE (CVE-2022-29464) (exploit.rules)
2036392 - ET EXPLOIT [ConnectWise CRU] Java ECDSA (Psychic) Signed JWT Bypass (CVE-2022-21449) (exploit.rules)
2036468 - ET MALWARE PoshC2 Downloader Activity (GET) (malware.rules)
2036469 - ET INFO DYNAMIC_DNS HTTP Request to a *.4nmn .com Domain (info.rules)
2036470 - ET INFO DYNAMIC_DNS Query to 4nmn .com Domain (info.rules)
2036509 - ET MALWARE Kimsuky APT PebbleDash Related Activity (GET) (malware.rules)
2036510 - ET MALWARE PoshC2 - Observed Default URI Structure M1 (malware.rules)
2850657 - ETPRO MALWARE Valyria Maldoc/BazarLoader Activity (GET) (malware.rules)
2850671 - ETPRO MALWARE Valyria CnC Activity (GET) (malware.rules)
2850800 - ETPRO MALWARE Valyria Maldoc Activity (GET) (malware.rules)
2850831 - ETPRO MALWARE Valyria Maldoc Activity (GET) (malware.rules)
2850838 - ETPRO MALWARE DCRAT CnC Activity (GET) (malware.rules)
2850839 - ETPRO MALWARE DCRAT CnC Response (malware.rules)
2850853 - ETPRO MALWARE Trojan:Win32/Wacatac Payload Download (malware.rules)
2850871 - ETPRO MALWARE Win32/Spy.Banker CnC Exfil (POST) (malware.rules)
2850940 - ETPRO MALWARE Win32/TrojanDownloader.Agent.DSF CnC Activity (malware.rules)
2850941 - ETPRO MALWARE Win32/TrojanDownloader.Agent.DSF CnC Activity (malware.rules)
2851042 - ETPRO MALWARE Trojan:Win32/Sabsik Payload Request M2 (malware.rules)
2851043 - ETPRO MALWARE Trojan:Win32/Sabsik Payload Request M1 (malware.rules)
2851113 - ETPRO MALWARE Win32/Induc.A CnC Activity (GET) (malware.rules)
2851115 - ETPRO MALWARE Win32/Fabookie.ek CnC Activity M2 (malware.rules)
2851152 - ETPRO MALWARE Koadic CnC Activity (POST) (malware.rules)
2851180 - ETPRO MALWARE Trojan:Win32/Sabsik Payload Request M2 (malware.rules)
2851206 - ETPRO MALWARE Win32/LokiBot Payload Download Request M2 (malware.rules)
2851244 - ETPRO MALWARE Win32/Packed.BlackMoon.A Arguments Fetch (malware.rules)
2851279 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload Request (power.txt) (malware.rules)
2851280 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload Request (kill.txt) (malware.rules)
2851281 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload Request (uninstall.txt) (malware.rules)
2851282 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload Request (download.txt) (malware.rules)
2851290 - ETPRO MALWARE Win32/AsyncRAT CnC Activity (Get Commands) (malware.rules)
2851291 - ETPRO MALWARE Win32/AsyncRAT CnC Activity (Fake Avast Antivirus) (malware.rules)
2851292 - ETPRO MALWARE Win32/AsyncRAT CnC Activity (Fake AVG AntiVirus) (malware.rules)
2851293 - ETPRO MALWARE Win32/AsyncRAT CnC Activity (Fake MalwareBytes AV) (malware.rules)
2851294 - ETPRO MALWARE Win32/AsyncRAT Successful Payload Download (malware.rules)
2851313 - ETPRO MALWARE VBS/TrojanDownloader.Agent.WVY Obfuscated ShellExecute Command (SilentlyContinue) (malware.rules)
2851423 - ETPRO MALWARE Trojan.Win32.Scar.DSUU CnC Exfil (malware.rules)
2851575 - ETPRO MALWARE Observed Qbot Domain (psmyanmar .com in TLS SNI) (malware.rules)
2851576 - ETPRO MALWARE Observed Qbot Domain (fastesol .com in TLS SNI) (malware.rules)
2851580 - ETPRO MALWARE Win32/Trojan.Agent.FRPG Exfil Activity (POST) (malware.rules)
