[***] Summary: [***]
13 new OPEN, 15 new PRO (13 + 2) Silicon Valley Bank Phishing, Gamaredon, THINCRUST and Others
Thanks @suyog41, @500mk500, @Cyber0verload
The Emerging Threats mailing list is migrating to Discourse. Please
visit us at https://community.emergingthreats.net
The mailing list is being retired on April 3, 2023.
[+++] Added rules: [+++]
Open:
2044667 - ET MALWARE Golang/Linux Kaiji Variant Activity (malware.rules)
2044668 - ET MALWARE Observed DNS Query To Gamaredon Domain (balatu .ru) (malware.rules)
2044669 - ET MALWARE Observed DNS Query To Gamaredon Domain (paratai .ru) (malware.rules)
2044670 - ET MALWARE Observed DNS Query To Gamaredon Domain (gokols .ru) (malware.rules)
2044671 - ET MALWARE Observed DNSQuery to Gamaredon Domain (omranpo .ru) (malware.rules)
2044672 - ET MALWARE Observed DNSQuery to Gamaredon Domain (orduhanpo .ru) (malware.rules)
2044673 - ET INFO Free Online Form Builder Domain in DNS Lookup (tally .so) (info.rules)
2044674 - ET PHISHING Silicon Valley Bank Credential Phish Landing Page M1 (phishing.rules)
2044675 - ET PHISHING Silicon Valley Bank Credential Phish Landing Page M2 (phishing.rules)
2044676 - ET PHISHING Silicon Valley Bank Phish Domain in DNS Lookup (cash4svb .com) (phishing.rules)
2044677 - ET MALWARE Fortigate TABLEFLIP Backdoor Trigger - Magic Number Sequence (malware.rules)
2044678 - ET MALWARE Fortigate THINCRUST Backdoor Activity M1 (malware.rules)
2044679 - ET MALWARE Fortigate THINCRUST Backdoor Activity M2 (malware.rules)
Pro:
2853734 - ETPRO EXPLOIT Possible CVE-2023-23415 Xbit Threshold Set (noalert) (exploit.rules)
2853735 - ETPRO EXPLOIT Inbound Fragmented ICMP Flood - Possible Exploit Activity (CVE-2023-23415) (exploit.rules)
[///] Modified inactive rules: [///]
2044597 - ET MALWARE Amadey Bot Activity (POST) (malware.rules)
2044623 - ET MALWARE Amadey Bot Activity (POST) (malware.rules)
2853606 - ETPRO MALWARE ReverseRAT Activity (POST) - Generic (malware.rules)
---------------------------------------------------------