[***] Summary: [***]
24 new OPEN, 45 new PRO (24 + 21)
Android Malware, Stealers (DarkCloud, HookSpoofer, ZaRaza, PennyWise), Qbot,
Lucky Volunteer, Donot, SOMNIRECORD, TrojanDownloader.AHK.CH
Thanks @RedDrip7, @suyog41, @bzvr_, @Yeti_Sec, @crep1x
The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net
The mailing list is being retired on April 3, 2023.
[+++] Added rules: [+++]
Open:
2044723 - ET MOBILE_MALWARE Android/Spy.Banker.BTO CnC Domain in DNS
Lookup (mobile_malware.rules)
2044724 - ET MALWARE QBot Payload Request (2023-03-21) M1 (malware.rules)
2044725 - ET MALWARE QBot Payload Request (2023-03-21) M2 (malware.rules)
2044726 - ET MALWARE QBot Payload Request (2023-03-21) M3 (malware.rules)
2044727 - ET MALWARE QBot Payload Request (2023-03-21) M4 (malware.rules)
2044728 - ET MALWARE QBot Payload Request (2023-03-21) M5 (malware.rules)
2044729 - ET MALWARE QBot Payload Request (2023-03-21) M6 (malware.rules)
2044730 - ET MALWARE QBot Payload Request (2023-03-21) M7 (malware.rules)
2044731 - ET MALWARE QBot Payload Request (2023-03-21) M8 (malware.rules)
2044732 - ET MALWARE QBot Payload Request (2023-03-21) M9 (malware.rules)
2044733 - ET MALWARE Donot Group Related Domain in DNS Lookup
(roosterguy .online) (malware.rules)
2044734 - ET MALWARE Suspected Donot Group Maldoc Activity (GET)
(malware.rules)
2044735 - ET MALWARE Win32/ZaRaza Stealer Activity via Telegram
(Response) (malware.rules)
2044738 - ET MALWARE Xaview Stealer Admin Panel Inbound (malware.rules)
2044739 - ET INFO Chinese CDN Domain in DNS Lookup (ctcontents .com)
(info.rules)
2044740 - ET MALWARE Win32/HookSpoofer Stealer Sending System Information
via Telegram (GET) (malware.rules)
2044741 - ET MALWARE DarkCloud Stealer File Grabber Function Exfiltrating
Data via Telegram (malware.rules)
2044742 - ET MALWARE DarkCloud Stealer FirefoxCookies.json Exfiltration
via Telegram (malware.rules)
2044743 - ET MALWARE SOMNIRECORD CnC Domain in DNS Lookup
(dafadfweer .top) (malware.rules)
2044744 - ET MALWARE SOMNIRECORD Backdoor PROBE Command in DNS Query
(malware.rules)
2044745 - ET MALWARE SOMNIRECORD Backdoor CMD Command in DNS Query
(malware.rules)
2044746 - ET MALWARE SOMNIRECORD Backdoor DATA Command in DNS Query
(malware.rules)
2044747 - ET MALWARE Win64/TrojanDownloader.AHK.CH Checkin (malware.rules)
2044748 - ET MALWARE PennyWise Stealer Exfil (malware.rules)
Pro:
2853750 - ETPRO MOBILE_MALWARE Android/Spy.Agent.COX Checkin
(mobile_malware.rules)
2853751 - ETPRO MOBILE_MALWARE Android/Spy.Agent.COX CnC Domain in DNS
Lookup (mobile_malware.rules)
2853752 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CCM CnC Domain in DNS
Lookup (mobile_malware.rules)
2853753 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Fakeapp.fa CnC Domain in
DNS Lookup (mobile_malware.rules)
2853754 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Fakeapp.fa CnC Domain in
DNS Lookup (mobile_malware.rules)
2853755 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.n CnC
Domain in DNS Lookup (mobile_malware.rules)
2853756 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CKR CnC Domain in DNS
Lookup (mobile_malware.rules)
2853757 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CML CnC Domain in DNS
Lookup (mobile_malware.rules)
2853758 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.avcd CnC Domain in
DNS Lookup (mobile_malware.rules)
2853759 - ETPRO MOBILE_MALWARE Android/Obfus.TQ CnC Domain in DNS Lookup
(mobile_malware.rules)
2853760 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CNO CnC Domain in DNS
Lookup (mobile_malware.rules)
2853761 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.td CnC
Domain in DNS Lookup (mobile_malware.rules)
2853762 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.k CnC Domain
in DNS Lookup (mobile_malware.rules)
2853763 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Fakecalls.at CnC
Domain in DNS Lookup (mobile_malware.rules)
2853764 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Xhunter.a CnC Domain in
DNS Lookup (mobile_malware.rules)
2853765 - ETPRO MOBILE_MALWARE Android/Spy.Gravity.A CnC Domain in DNS
Lookup (mobile_malware.rules)
2853766 - ETPRO MOBILE_MALWARE Android/Spy.Vultur.D CnC Domain in DNS
Lookup (mobile_malware.rules)
2853767 - ETPRO MALWARE Win32/Lucky Volunteer CnC Activity M1
(malware.rules)
2853768 - ETPRO MALWARE Win32/Lucky Volunteer CnC Activity M2
(malware.rules)
2853769 - ETPRO MALWARE Win32/Lucky Volunteer CnC Activity M3
(malware.rules)
2853770 - ETPRO MALWARE Win32/Lucky Volunteer CnC Activity M4
(malware.rules)
[---] Disabled and modified rules: [---]
2030055 - ET MALWARE NAZAR EYService Pong response (malware.rules)
2030056 - ET MALWARE NAZAR EYService OSInfo response (malware.rules)
2035292 - ET MALWARE Suspected PlugX Checkin Activity (GET)
(malware.rules)
2036389 - ET INFO Commonly Abused SSL/TLS Certificate Observed
(mylnavyfederal .com) (info.rules)
2036390 - ET MALWARE DPRK APT Related Maldoc Activity (POST)
(malware.rules)
2036455 - ET MALWARE TeamTNT Related Domain in DNS Lookup (chimaera .cc)
(malware.rules)
2044536 - ET MALWARE SocGholish CnC Domain in DNS Lookup
(* .tool .pearldentalgroup .ca) (malware.rules)
2044630 - ET MALWARE SocGholish CnC Domain in DNS Lookup
(* .favor .thehouseplantblog .com) (malware.rules)
2851530 - ETPRO MALWARE Maldoc Sending System Information (GET)
(malware.rules)