[***] Summary: [***]

29 new OPEN, 33 new PRO (29 + 4) Ares Loader, Gamaredon, IcedID,
Keitaro, Konni, PikaBot, SocGholish, Win32/Amadey, Win32/keyzetsu,
Possible Microsoft Outlook Elevation of Privilege Payload, Unknown
Powershell Profiler Exfil

Thanks @malPileDriver, @suyog41, @0xToxin, @James_inthe_box, @1ZRR4H,
@ShadowChasing1

The Emerging Threats mailing list is migrating to Discourse. Please
visit us at https://community.emergingthreats.net/

The mailing list is being retired on April 3, 2023.

[+++] Added rules: [+++]

Open:

2044680 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M1 (CVE-2023-23397) (exploit.rules)
2044681 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M2 (CVE-2023-23397) (exploit.rules)
2044682 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M3 (CVE-2023-23397) (exploit.rules)
2044683 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M4 (CVE-2023-23397) (exploit.rules)
2044684 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M5 (CVE-2023-23397) (exploit.rules)
2044685 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M6 (CVE-2023-23397) (exploit.rules)
2044686 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M7 (CVE-2023-23397) (exploit.rules)
2044687 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M8 (CVE-2023-23397) (exploit.rules)
2044688 - ET MALWARE Ares Loader Observed User-Agent M1 (malware.rules)
2044689 - ET MALWARE Ares Loader Observed User-Agent M2 (malware.rules)
2044690 - ET MALWARE Ares Loader Checkin (malware.rules)
2044691 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044692 - ET MALWARE Win32/keyzetsu Stealer exfil via Telegram (Response) (malware.rules)
2044693 - ET MALWARE Win32/keyzetsu Stealer Variant Exfil via Telegram (Response) (malware.rules)
2044694 - ET MALWARE Konni APT Related Activity (GET) (malware.rules)
2044695 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1 (malware.rules)
2044696 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 (malware.rules)
2044697 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3 (malware.rules)
2044698 - ET MALWARE Observed DNS Query to Gamaredon Domain (makasd .ru) (malware.rules)
2044699 - ET MALWARE Observed DNS Query to Gamaredon Domain (gojoxa .ru) (malware.rules)
2044700 - ET MALWARE Observed DNS Query to Gamaredon Domain (baralap .ru) (malware.rules)
2044701 - ET MALWARE Observed DNS Query to Gamaredon Domain (rasulla .ru) (malware.rules)
2044702 - ET MALWARE Unknown Powershell Profiler Exfiltrating System Data (malware.rules)
2044703 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jqueryns .com) (malware.rules)
2044704 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jqscr .com) (malware.rules)
2044705 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .language .sebtomato .com) (malware.rules)
2044706 - ET MALWARE SocGholish Domain in DNS Lookup (archive .vibezik .com) (malware.rules)
2044707 - ET MALWARE SocGholish Domain in DNS Lookup (scripts .asi .services) (malware.rules)
2044708 - ET MALWARE SocGholish Domain in DNS Lookup (trackrecord .wheresbecky .com) (malware.rules)

Pro:

2853743 - ETPRO MALWARE PikaBot CnC Activity M1 (malware.rules)
2853744 - ETPRO MALWARE PikaBot CnC Activity M2 (malware.rules)
2853745 - ETPRO MALWARE PikaBot CnC Activity M3 (malware.rules)
2853746 - ETPRO MALWARE PikaBot CnC Activity M4 (malware.rules)

[---] Disabled and modified rules: [---]

2034631 - ET MALWARE Maldoc Activity (set) (malware.rules)
2034632 - ET MALWARE Maldoc Retrieving Binary (malware.rules)
2035184 - ET MALWARE Go/Anubis Registration Activity (malware.rules)
2035185 - ET MALWARE Go/Anubis CnC Activity (POST) (malware.rules)
2035293 - ET MALWARE PlugX Activity (POST) (malware.rules)
2035304 - ET INFO Observed URL Shortening Service Domain (0sh .org in TLS SNI) (info.rules)
2035305 - ET INFO Observed URL Shortening Service Domain (prourl .in in TLS SNI) (info.rules)
2035308 - ET MALWARE Suspected PlugX Checkin Activity (udp) (malware.rules)
2035360 - ET MALWARE SunSeed Lua Downloader Activity (GET) (malware.rules)
2035362 - ET MALWARE SunSeed Download Retrieving Binary (malware.rules)
2850667 - ETPRO PHISHING Successful Generic Phish 2021-12-10 (phishing.rules)

[---] Removed rules: [---]

2853726 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M1 (CVE-2023-23397) (exploit.rules)
2853727 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M2 (CVE-2023-23397) (exploit.rules)
2853728 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M3 (CVE-2023-23397) (exploit.rules)
2853729 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M4 (CVE-2023-23397) (exploit.rules)
2853730 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M5 (CVE-2023-23397) (exploit.rules)
2853731 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M6 (CVE-2023-23397) (exploit.rules)
2853732 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M7 (CVE-2023-23397) (exploit.rules)
2853733 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M8 (CVE-2023-23397) (exploit.rules)
