[***] Summary: [***]
28 new OPEN, 29 new PRO (28 + 1) Gamaredon, Muggle Stealer, Vidar Stealer, MacOS/MacStealer, and SocGholish
Thanks @suyog41, @Cyber0verload, @uptycs
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net/t/ruleset-update-summary-2023-03-… The mailing list is being retired on April 3, 2023.
[+++] Added rules: [+++]
Open:
2044766 - ET MALWARE WorldWind Stealer Checkin via Telegram (GET) (malware.rules)
2044767 - ET MALWARE Snake Keylogger Exfil via SMTP (malware.rules)
2044768 - ET MALWARE Suspected Muggle Stealer Activity M1 (malware.rules)
2044769 - ET MALWARE Suspected Muggle Stealer Activity M2 (malware.rules)
2044770 - ET HUNTING Whoami Command Inbound On High Port (hunting.rules)
2044771 - ET HUNTING PowerShell Command Prompt Outbound On High Port (hunting.rules)
2044772 - ET MALWARE Observed DNS Query to Gamaredon Domain (cumbersome .ru) (malware.rules)
2044773 - ET MALWARE Observed DNS Query to Gamaredon Domain (narutasx .ru) (malware.rules)
2044774 - ET MALWARE Observed DNS Query to Gamaredon Domain (vohod .ru) (malware.rules)
2044775 - ET MALWARE Observed DNS Query to Gamaredon Domain (highfalutin .ru) (malware.rules)
2044776 - ET MALWARE Observed DNS Query to Gamaredon Domain (parsimonious .ru) (malware.rules)
2044777 - ET MALWARE Observed DNS Query to Gamaredon Domain (caramelas .ru) (malware.rules)
2044778 - ET MALWARE Observed DNS Query to Gamaredon Domain (quizzical .ru) (malware.rules)
2044779 - ET MALWARE Observed DNS Query to Gamaredon Domain (heartbreaking .ru) (malware.rules)
2044780 - ET MALWARE Observed DNS Query to Gamaredon Domain (baoris .ru) (malware.rules)
2044781 - ET MALWARE Possible Bitter APT Activity (GET) (malware.rules)
2044782 - ET MALWARE Observed DNS Query to Gamaredon Domain (.ruzipo .ru) (malware.rules)
2044783 - ET MALWARE Observed DNS Query to Gamaredon Domain (narama .ru) (malware.rules)
2044784 - ET MALWARE Observed DNS Query to Gamaredon Domain (rustampo .ru) (malware.rules)
2044785 - ET MALWARE Observed DNS Query to Gamaredon Domain (sabihpo .ru) (malware.rules)
2044786 - ET MALWARE Observed DNS Query to Gamaredon Domain (savalanpo .ru) (malware.rules)
2044787 - ET MALWARE Observed DNS Query to Gamaredon Domain (ruslanpo .ru) (malware.rules)
2044788 - ET MALWARE Vidar Stealer CnC Checkin (malware.rules)
2044789 - ET MALWARE MacOS/MacStealer Data Exfiltration Attempt (malware.rules)
2044790 - ET MALWARE Win32/Inido!rts Checkin (malware.rules)
2044791 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jsqur .com) (malware.rules)
2044792 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jqueryh .org) (malware.rules)
2044793 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .lap .detroitdragway .com) (malware.rules)
Pro:
2853805 - ETPRO MALWARE TA551 Maldoc Payload Request (2023-03-23) (malware.rules)
[---] Disabled and modified rules: [---]
2037815 - ET MALWARE 8220 Gang Related Domain in DNS Lookup (onlypirate .top) (malware.rules)
2037816 - ET MALWARE 8220 Gang Related Domain in DNS Lookup (letmaker .top) (malware.rules)
2037817 - ET MALWARE 8220 Gang Related Domain in DNS Lookup (oracleservice .top) (malware.rules)
2038744 - ET PHISHING Successful Generic Credential Phish (.ngrok .io) (phishing.rules)
2038831 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (appledocs .ru) (malware.rules)
2038832 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (gurumades .ru) (malware.rules)
2038833 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (kinksdoc .ru) (malware.rules)
2038834 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (superdocs .ru) (malware.rules)
2038835 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (cosmodron .com) (malware.rules)
2038836 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (gismolow .com) (malware.rules)
2038837 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (melindas .ru) (malware.rules)
2038838 - ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (adobefile .ru) (malware.rules)
2038860 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com) (malware.rules)
2038914 - ET MALWARE DonotGroup Related Domain in DNS Lookup (furnish .spacequery .live) (malware.rules)
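Added example, not part of the Emerging Threats announcement: a small Python parser for this summary format. It rejoins rule lines that the mailing-list wrap split in two, checks the Open/Pro counts against the "28 new OPEN ... (28 + 1)" header, and refangs the defanged indicators in the DNS-lookup rules into a sorted blocklist. The sample text is constructed from a few lines of the list above; the function names and the layout of the returned records are this example's own assumptions, and it deliberately excludes the "Disabled and modified" section from the blocklist because the summary does not say which of those rules were disabled.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines in the shape of the ET summary above,
# including one rule wrapped across two lines the way the mailing-list text is.
SAMPLE = """\
[+++] Added rules: [+++]
Open:
2044766 - ET MALWARE WorldWind Stealer Checkin via Telegram (GET) (malware.rules)
2044770 - ET HUNTING Whoami Command Inbound On High Port (hunting.rules)
2044772 - ET MALWARE Observed DNS Query to Gamaredon Domain (cumbersome .ru) (malware.rules)
2044793 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .lap
.detroitdragway .com) (malware.rules)
Pro:
2853805 - ETPRO MALWARE TA551 Maldoc Payload Request (2023-03-23) (malware.rules)
[---] Disabled and modified rules: [---]
2038744 - ET PHISHING Successful Generic Credential Phish (.ngrok .io) (phishing.rules)
"""

# "<sid> - <ET|ETPRO> <CATEGORY> <name> (<file>.rules)"
RULE_RE = re.compile(r"^(\d+) - (ET(?:PRO)?) ([A-Z_]+) (.+) \(([\w.]+)\)$")
# Defanged indicator in parentheses, e.g. "(cumbersome .ru)" or "(* .lap .detroitdragway .com)".
# At least one dotted label is required, so "(GET)" and "(2023-03-23)" are not taken for domains.
DEFANGED_RE = re.compile(r"\(((?:\*|[\w-]+)?(?: ?\.[\w-]+)+)\)")


def unwrap(text):
    """Rejoin wrapped rule lines: anything that is not a SID line, a [...] banner
    or an 'Open:'/'Pro:' header is a continuation of the previous line."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^\d+ - ", line) or line.startswith("[") or line.endswith(":"):
            lines.append(line)
        elif lines:
            lines[-1] += " " + line
    return lines


def parse_summary(text):
    """Return one dict per rule: section, tier, category, name, file and refanged domains."""
    section = None  # "added" or "modified"
    tier = None     # "Open" or "Pro", from the headers inside the added section
    rules = []
    for line in unwrap(text):
        if line.startswith("[+++]"):
            section, tier = "added", None
            continue
        if line.startswith("[---]"):
            section, tier = "modified", None
            continue
        if line in ("Open:", "Pro:"):
            tier = line[:-1]
            continue
        m = RULE_RE.match(line)
        if m is None or section is None:
            continue
        sid, prefix, category, name, rule_file = m.groups()
        rules.append({
            "sid": int(sid),
            "section": section,
            # the modified section has no Open:/Pro: header, so fall back to the ET/ETPRO prefix
            "tier": tier or ("Pro" if prefix == "ETPRO" else "Open"),
            "category": category,
            "name": name,
            "file": rule_file,
            "domains": [d.replace(" ", "") for d in DEFANGED_RE.findall(name)],
        })
    return rules


def count_added(rules):
    """Per-tier count of added rules, to check against the '28 new OPEN ... (28 + 1)' header."""
    return dict(Counter(r["tier"] for r in rules if r["section"] == "added"))


def dns_blocklist(rules):
    """Refanged, deduplicated indicators from newly added rules only; the modified
    section is skipped because the summary does not say which of those were disabled."""
    return sorted({d for r in rules if r["section"] == "added" for d in r["domains"]})


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    print(count_added(parsed))  # {'Open': 4, 'Pro': 1}
    print("\n".join(dns_blocklist(parsed)))
```

Feeding the full announcement text to `parse_summary` gives `{'Open': 28, 'Pro': 1}`, matching the header; the wildcard entry `*.lap.detroitdragway.com` comes through intact, so downstream DNS sinkholing needs to treat it as a suffix match rather than an exact name.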