[***] Summary: [***]

32 new OPEN, 66 new PRO (32 + 34) XWorm, Winter Vivern, Gamaredon, others

Thanks @fmc_nan, @_CPResearch, @SentinelOne, @osipov_ar,
@malPileDriver, @t3ft3lb, @StopMalvertisin

The Emerging Threats mailing list is migrating to Discourse. Please
visit us at https://community.emergingthreats.net

The mailing list is being retired on April 3, 2023.

[+++] Added rules: [+++]

Open:

2044633 - ET INFO DYNAMIC_DNS Query to a *.stkhome .de Domain (info.rules)
2044634 - ET INFO DYNAMIC_DNS HTTP Request to a *.stkhome .de Domain (info.rules)
2044635 - ET MALWARE IcedID CnC Domain in DNS Lookup (applicatwindomz .com) (malware.rules)
2044636 - ET MALWARE IcedID CnC Domain in DNS Lookup (skanfordiporka .com) (malware.rules)
2044637 - ET MALWARE IcedID CnC Domain in DNS Lookup (avroralikhaem .com) (malware.rules)
2044638 - ET MALWARE IcedID CnC Domain in DNS Lookup (villageskaier .com) (malware.rules)
2044639 - ET MALWARE Mustang Panda APT Related Activity (GET) (malware.rules)
2044640 - ET MALWARE Mustang Panda APT Related Activity (Response) (malware.rules)
2044641 - ET MALWARE Mustang Panda APT Related Activity (POST) (malware.rules)
2044642 - ET MALWARE Mustang Panda APT Related Activity M2 (Response) (malware.rules)
2044643 - ET INFO OpenDrive Cloud Storage Domain in DNS Lookup (od .lk) (info.rules)
2044644 - ET INFO Observed OpenDrive Cloud Storage SSL Cert (info.rules)
2044645 - ET MALWARE Sidecopy APT Related Activity (POST) (malware.rules)
2044646 - ET PHISHING EDD Credential Phish Landing Page 2023-03-16 M1 (phishing.rules)
2044647 - ET PHISHING EDD Credential Phish Landing Page M2 2023-03-16 (phishing.rules)
2044648 - ET PHISHING Generic Credential Phish Landing Page 2023-03-16 (phishing.rules)
2044649 - ET MALWARE Observed DNS Query to Gamaredon Domain (talehgi .ru) (malware.rules)
2044650 - ET MALWARE Observed DNS Query to Gamaredon Domain (ravaet .ru) (malware.rules)
2044651 - ET MALWARE Observed DNS Query to Gamaredon Domain (talgatgi .ru) (malware.rules)
2044652 - ET MALWARE Observed DNS Query to Gamaredon Domain (barakal .ru) (malware.rules)
2044653 - ET MALWARE Observed DNS Query to Gamaredon Domain (taysirgi .ru) (malware.rules)
2044654 - ET MALWARE Observed DNS Query to Gamaredon Domain (takyygi .ru) (malware.rules)
2044655 - ET MOBILE_MALWARE Android/FakeCalls CnC Server Response (mobile_malware.rules)
2044656 - ET MALWARE Wintern Vivern CnC Domain (bugiplaysec .com) in DNS Lookup (malware.rules)
2044657 - ET MALWARE Wintern Vivern CnC Domain (marakanas .com) in DNS Lookup (malware.rules)
2044658 - ET MALWARE Wintern Vivern CnC Domain (ocs-romastassec .com) in DNS Lookup (malware.rules)
2044659 - ET MALWARE Wintern Vivern CnC Domain (troadsecow .com) in DNS Lookup (malware.rules)
2044660 - ET MALWARE Wintern Vivern CnC Domain (ocspdep .com) in DNS Lookup (malware.rules)
2044661 - ET MALWARE Wintern Vivern CnC Domain (security-ocsp .com) in DNS Lookup (malware.rules)
2044662 - ET MALWARE Winter Vivern APT Aperetif CnC Checkin (malware.rules)
2044663 - ET MALWARE Winter Vivern APT Aperetif Payload Retrieval Attempt M1 (malware.rules)
2044664 - ET MALWARE Winter Vivern APT Aperetif Payload Retrieval Attempt M2 (malware.rules)

Pro:

2853692 - ETPRO MALWARE Emotet Payload Inbound (2023-03-16) (malware.rules)
2853693 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853694 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2853695 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853696 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853697 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2853698 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2853699 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853700 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853701 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2853702 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853703 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853704 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853705 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853706 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853707 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2853708 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853709 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853710 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2853711 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2853712 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853713 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853714 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853715 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853716 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853717 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853718 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853719 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2853720 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853721 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853722 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2853723 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2853724 - ETPRO MALWARE LNK/Agent.XN Variant Payload Request (GET) (malware.rules)
2853725 - ETPRO ATTACK_RESPONSE SnakeKeylogger Config Inbound (attack_response.rules)

[---] Disabled and modified rules: [---]

2035598 - ET MALWARE Win32/CrimsonRAT Variant Sending Command (inbound) (malware.rules)
2035599 - ET MALWARE Win32/CrimsonRAT Variant Sending Command M2 (inbound) (malware.rules)
2035600 - ET MALWARE Win32/CrimsonRAT Variant Sending System Information (outbound) (malware.rules)
2035603 - ET MALWARE GhostWriter APT Related Cobalt Strike Activity (GET) (malware.rules)
2035624 - ET MALWARE TransparentTribe APT Related Activity (POST) (malware.rules)
2035625 - ET MALWARE TransparentTribe APT Related Backdoor Activity (malware.rules)
2035654 - ET INFO Abused Hosting Domain in DNS Lookup (digital-ministry .ru) (info.rules)
2035682 - ET MALWARE MustangPanda APT Dropper Activity (POST) (malware.rules)
2035689 - ET MALWARE Win32/PlugX/Talisman Activity (POST) (malware.rules)
2035889 - ET INFO Observed Commonly Abused Domain in DNS Lookup (blogattach .naver .com) (info.rules)
2035890 - ET INFO Observed Commonly Abused Domain (blogattach .naver .com in TLS SNI) (info.rules)
2035915 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
2036210 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2036211 - ET MALWARE Malicious VBS Sending System Information (POST) (malware.rules)
2036213 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
2036228 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2036237 - ET USER_AGENTS Observed Bumblebee Loader User-Agent (bumblebee) (user_agents.rules)
2036257 - ET MALWARE Suspected TA404 APT Related Activity M1 (malware.rules)
2036258 - ET MALWARE Suspected TA404 APT Related Activity M2 (malware.rules)
2036278 - ET MALWARE DPRK APT Related Domain in DNS Lookup (beastmodser .club) (malware.rules)
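The lists above are what a detection engineer scripts against when deciding which of the day's SIDs to enable, tune or suppress before the next ruleset pull. The following is an added example, not code from Emerging Threats or Proofpoint: a parser for this changelog format that re-joins entries the mailing list wrapped across lines, tallies the sections the way the summary line does (the PRO figure is what a PRO subscriber receives, open plus pro-only, which is what "(32 + 34)" in the summary spells out), cross-checks the hand-written summary against the parsed list, and pulls SIDs by msg pattern for a suricata-update enable.conf or disable.conf. SAMPLE is a constructed excerpt of this post with its own smaller summary count; the class and function names are assumptions of this example.

```python
"""Parse an Emerging Threats daily changelog into rule records (added example,
not Emerging Threats / Proofpoint code). SAMPLE is a constructed excerpt of the
post above with mail-client line wrapping kept, so continuation lines must be
re-joined before entries are matched."""
import re
from dataclasses import dataclass

SAMPLE = """\
4 new OPEN, 6 new PRO (4 + 2) IcedID, XWorm, others
[+++] Added rules: [+++]
Open:
2044633 - ET INFO DYNAMIC_DNS Query to a *.stkhome .de Domain (info.rules)
2044634 - ET INFO DYNAMIC_DNS HTTP Request to a *.stkhome .de Domain
(info.rules)
2044635 - ET MALWARE IcedID CnC Domain in DNS Lookup
(applicatwindomz .com) (malware.rules)
2044662 - ET MALWARE Winter Vivern APT Aperetif CnC Checkin (malware.rules)
Pro:
2853692 - ETPRO MALWARE Emotet Payload Inbound (2023-03-16) (malware.rules)
2853693 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound
(malware.rules)
[---] Disabled and modified rules: [---]
2035598 - ET MALWARE Win32/CrimsonRAT Variant Sending Command
(inbound) (malware.rules)
2035654 - ET INFO Abused Hosting Domain in DNS Lookup
(digital-ministry .ru) (info.rules)
---------------------------------------------------------
Date:
"""

# "<sid> - <msg> (<file>.rules)"; the msg may itself contain parentheses.
ENTRY_RE = re.compile(r"^(\d{7}) - (.+?) \((\w+\.rules)\)$")
SUMMARY_RE = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")

@dataclass(frozen=True)
class RuleEntry:
    sid: int
    msg: str         # rule msg as printed, defanged domains included
    rules_file: str  # e.g. "malware.rules"
    section: str     # "open", "pro" (ETPRO-only) or "modified"

def parse_changelog(text: str) -> list[RuleEntry]:
    entries: list[RuleEntry] = []
    section = None   # stays None through the summary/thanks preamble
    pending = None   # entry text being re-joined across wrapped lines

    def flush():
        nonlocal pending
        if pending is not None:
            m = ENTRY_RE.match(pending)
            if not m:
                raise ValueError(f"unparseable entry: {pending!r}")
            entries.append(RuleEntry(int(m[1]), m[2], m[3], section))
            pending = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line: continue
        if line.startswith("-----"): flush(); break   # trailer ends the list
        if line.startswith("[---]"):
            flush(); section = "modified"; continue
        if line == "Open:":
            flush(); section = "open"; continue
        if line == "Pro:":
            flush(); section = "pro"; continue
        if line.startswith("[") or section is None:
            flush(); continue               # other headers and the preamble
        if re.match(r"^\d{7} - ", line):
            flush(); pending = line         # a SID line starts a new entry
        elif pending is not None:
            pending += " " + line           # mailer-wrapped continuation
        else:
            raise ValueError(f"stray line in rule list: {line!r}")
    flush()
    return entries

def summarize(entries: list[RuleEntry]) -> dict[str, int]:
    """Counts in the shape of the summary line: the PRO figure is what a PRO
    subscriber receives, open plus pro-only, hence "(32 + 34)" above."""
    n = {s: sum(e.section == s for e in entries) for s in ("open", "pro", "modified")}
    return {"open": n["open"], "pro_only": n["pro"],
            "pro_total": n["open"] + n["pro"], "modified": n["modified"]}

def summary_consistent(text: str, entries: list[RuleEntry]) -> bool:
    """Cross-check the hand-written summary line against the parsed list."""
    m = SUMMARY_RE.search(text)
    if not m:
        return False
    n_open, n_pro_total, a, b = map(int, m.groups())
    c = summarize(entries)
    return (n_open == a == c["open"] and b == c["pro_only"]
            and n_pro_total == a + b == c["pro_total"])

def sids_matching(entries: list[RuleEntry], pattern: str) -> list[int]:
    """SIDs whose msg matches a regex; one SID per line is what suricata-update's
    enable.conf / disable.conf take."""
    rx = re.compile(pattern)
    return sorted(e.sid for e in entries if rx.search(e.msg))
```

Run summary_consistent first on any changelog before feeding its SIDs into a rule-management pipeline: a mis-joined entry (a continuation line the mailer broke in an unexpected place) either raises in parse_changelog or surfaces as a count mismatch rather than silently dropping a SID. On the full post above the tallies come out as open 32, pro-only 34, PRO total 66 and 20 modified, matching the summary line.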
