[***] Summary: [***]
8 new OPEN, 11 new PRO (8 + 3) IcedID, TA444, Gamaredon, LogStih, DealPly.EJ, JS/Unknown Downloader
Thanks @Cyber0verload
The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net
The mailing list is being retired on April 3, 2023.
[+++] Added rules: [+++]
Open:
2044758 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044759 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044760 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044761 - ET MALWARE Win32/Gamaredon Payload Request (GET) (malware.rules)
2044762 - ET MALWARE Observed DNS Query to Gamaredon Domain (sabitpo .ru) (malware.rules)
2044763 - ET MALWARE LogStih Stealer CnC Checkin (malware.rules)
2044764 - ET MALWARE LogStih Stealer Data Exfiltration Attempt (malware.rules)
2044765 - ET ADWARE_PUP Win32/DealPly.EJ Checkin (adware_pup.rules)
Pro:
2853802 - ETPRO MALWARE TA444 Related Activity (GET) (malware.rules)
2853803 - ETPRO HUNTING Observed TA444 Related User-Agent (hunting.rules)
2853804 - ETPRO MALWARE JS/Unknown Downloader Payload Request (GET) (malware.rules)
[///] Modified inactive rules: [///]
2023658 - ET MALWARE APT28 DealersChoice DNS Lookup (malware.rules)
2023666 - ET MALWARE APT28 DealersChoice DNS Lookup (malware.rules)
2023940 - ET MALWARE MAGICHOUND.MPK Activity via IRC (malware.rules)
2043233 - ET MALWARE RedLine Stealer TCP CnC net.tcp Init (malware.rules)
2044565 - ET MALWARE Qbot Payload Request (2023-03-13) M1 (malware.rules)
2044566 - ET MALWARE Qbot Payload Request (2023-03-13) M2 (malware.rules)
2044567 - ET MALWARE Qbot Payload Request (2023-03-13) M3 (malware.rules)
2044568 - ET MALWARE Qbot Payload Request (2023-03-13) M4 (malware.rules)
2044569 - ET MALWARE Qbot Payload Request (2023-03-13) M5 (malware.rules)
2044570 - ET MALWARE Qbot Payload Request (2023-03-13) M6 (malware.rules)
2044571 - ET MALWARE Qbot Payload Request (2023-03-13) M7 (malware.rules)
2044572 - ET MALWARE Qbot Payload Request (2023-03-13) M8 (malware.rules)
2044573 - ET MALWARE Qbot Payload Request (2023-03-13) M9 (malware.rules)
2044724 - ET MALWARE Qbot Payload Request (2023-03-21) M1 (malware.rules)
2044725 - ET MALWARE Qbot Payload Request (2023-03-21) M2 (malware.rules)
2044726 - ET MALWARE Qbot Payload Request (2023-03-21) M3 (malware.rules)
2044727 - ET MALWARE Qbot Payload Request (2023-03-21) M4 (malware.rules)
2044728 - ET MALWARE Qbot Payload Request (2023-03-21) M5 (malware.rules)
2044729 - ET MALWARE Qbot Payload Request (2023-03-21) M6 (malware.rules)
2044730 - ET MALWARE Qbot Payload Request (2023-03-21) M7 (malware.rules)
2044731 - ET MALWARE Qbot Payload Request (2023-03-21) M8 (malware.rules)
2044732 - ET MALWARE Qbot Payload Request (2023-03-21) M9 (malware.rules)
2044751 - ET ATTACK_RESPONSE Interactive Reverse Shell Without TTY (Outbound) (attack_response.rules)
2853606 - ETPRO MALWARE ReverseRAT Activity (POST) - Generic (malware.rules)
[---] Disabled and modified rules: [---]
2025541 - ET MALWARE MSIL/GX Stealer/GravityRAT Uploading File (malware.rules)
2025631 - ET MALWARE [PTsecurity] Paradise Ransomware Check-in (malware.rules)
2027810 - ET MALWARE Win32/Onliner Mailer Module Communicating with CnC (malware.rules)
2033987 - ET MALWARE APT/Bitter Maldoc Activity (malware.rules)
2036309 - ET MALWARE BlackTech FlagPro Dropper Activity (GET) (malware.rules)
2044555 - ET MALWARE SocGholish NetSupport Dropper Domain in DNS Lookup (gybvhxu .top) (malware.rules)
2830492 - ETPRO MALWARE Win32/Agent.ZKU CnC Checkin (malware.rules)
2830495 - ETPRO MALWARE BlackCarat Sending System Information to CnC (malware.rules)
2833565 - ETPRO EXPLOIT Possible Novidade EK Attempting Intranet Router Compromise M7 (Bruteforce) (exploit.rules)
2833566 - ETPRO EXPLOIT Possible Novidade EK Attempting Intranet Router Compromise M8 (Bruteforce) (exploit.rules)