[***] Summary: [***]
9 new OPEN, 63 new PRO (9 + 54). XWorm, DLL Hunting, and Generic Phishing
Thanks @malPileDiver
The Emerging Threats mailing list is migrating to Discourse. Please visit us at
https://community.emergingthreats.net/t/ruleset-update-summary-2023-03-…
The mailing list is being retired on April 3, 2023.
[+++] Added rules: [+++]
Open:
2030707 - ET PHISHING Possible Successful Credential Phish - Form submitted to submit-form Form Hosting (phishing.rules)
2044794 - ET HUNTING Connectivity Check With Go User-Agent (hunting.rules)
2044795 - ET PHISHING Generic Credential Phish Landing Page using submit-form .com (phishing.rules)
2044796 - ET MALWARE Win32/PSWStealer Data Exfiltration Attempt (malware.rules)
2044797 - ET HUNTING HTTP GET Request for system.data.sqlite.dll - Possible Infostealer Activity (hunting.rules)
2044798 - ET HUNTING HTTP GET Request for newtonsoft.json.dll - Possible Infostealer Activity (hunting.rules)
2044799 - ET HUNTING HTTP GET Request for bouncycastle.crypto.dll - Possible Infostealer Activity (hunting.rules)
2044800 - ET HUNTING HTTP GET Request for sqlite.interop.dll - Possible Infostealer Activity (hunting.rules)
2044801 - ET HUNTING HTTP GET Request for dotnetzip.dll - Possible Infostealer Activity (hunting.rules)
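The five HUNTING rules above key on the filename in an HTTP GET for .NET libraries whose download the rules flag as possible infostealer activity. As an added illustration, not Emerging Threats code and not the content of those rules, the script below runs the same idea over a constructed, simplified proxy log and clusters hits per client, since one workstation pulling several of these DLLs from a bare-IP host in quick succession is a much stronger lead than a single GET. The log layout, hostnames and addresses are all made up for the example.

```python
"""Hunt for HTTP GET requests fetching the DLLs named in the ET HUNTING
rules above.  Added example, not Emerging Threats rule content.  The log
layout (ts src method host uri user_agent, space-separated) is a constructed
simplification of a proxy log, not any real product's format."""
import ipaddress
import posixpath
from collections import defaultdict
from urllib.parse import urlsplit

# Filenames from the rule titles; compared case-insensitively because the
# same library is requested with varying case.
HUNTED_DLLS = {
    "system.data.sqlite.dll",
    "newtonsoft.json.dll",
    "bouncycastle.crypto.dll",
    "sqlite.interop.dll",
    "dotnetzip.dll",
}

# Constructed sample log; hosts and addresses are documentation ranges.
SAMPLE_LOG = """\
2023-03-28T10:01:02Z 10.0.0.5 GET cdn.example.test /libs/jquery.min.js Mozilla/5.0
2023-03-28T10:01:09Z 10.0.0.5 GET 198.51.100.7 /dl/System.Data.SQLite.dll Mozilla/5.0
2023-03-28T10:01:10Z 10.0.0.5 GET 198.51.100.7 /dl/Newtonsoft.Json.dll Mozilla/5.0
2023-03-28T10:01:11Z 10.0.0.5 GET 198.51.100.7 /dl/BouncyCastle.Crypto.dll Mozilla/5.0
2023-03-28T10:02:00Z 10.0.0.9 GET nuget.example.test /api/v2/package/Newtonsoft.Json/13.0.1 NuGet
2023-03-28T10:02:30Z 10.0.0.9 POST 203.0.113.4 /upload Go-http-client/1.1
2023-03-28T10:02:31Z 10.0.0.9 GET 203.0.113.4 /dotnetzip.dll?v=2 Go-http-client/1.1
"""


def parse_line(line):
    """Split one log line into named fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    keys = ("ts", "src", "method", "host", "uri", "ua")
    return dict(zip(keys, parts))


def requested_dll(uri):
    """Return the hunted DLL name (lowercased) if the request path ends in one.

    The query string is stripped first so '/x.dll?v=2' still matches, and only
    the final path component is compared, so a NuGet package URL that merely
    contains 'Newtonsoft.Json' as a directory does not fire."""
    name = posixpath.basename(urlsplit(uri).path).lower()
    return name if name in HUNTED_DLLS else None


def is_bare_ip(host):
    """True when the Host value is a literal IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def hunt(log_text):
    """Return one hit per GET for a hunted DLL, tagged with the bare-IP signal."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        dll = requested_dll(rec["uri"])
        if dll is None:
            continue
        rec["dll"] = dll
        rec["bare_ip_host"] = is_bare_ip(rec["host"])
        hits.append(rec)
    return hits


def cluster_by_source(hits):
    """Group hits by client so triage sees sets rather than single GETs:
    several distinct hunted DLLs from one client is the pattern worth chasing."""
    by_src = defaultdict(set)
    for h in hits:
        by_src[h["src"]].add(h["dll"])
    return dict(by_src)


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for h in hits:
        flag = " [bare-IP host]" if h["bare_ip_host"] else ""
        print(f'{h["ts"]} {h["src"]} -> {h["host"]} {h["dll"]}{flag}')
    for src, dlls in sorted(cluster_by_source(hits).items()):
        print(f"{src}: {len(dlls)} distinct hunted DLL(s): {sorted(dlls)}")
```

These rules live in hunting.rules for a reason: legitimate installers and updaters fetch the same libraries, so a hit is a lead to triage, not an alert on its own. Ranking by how many distinct hunted DLLs one client pulled, and whether the server was a bare IP rather than a known CDN or package repository, is what turns the raw matches into something an analyst can act on.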
Pro:
2853808 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2853809 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853810 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853811 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2853812 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853813 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853814 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853815 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853816 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853817 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2853818 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853819 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853820 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2853821 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2853822 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853823 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853824 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2853825 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853826 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853827 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853828 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853829 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853830 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2853831 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853832 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853833 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2853834 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2853835 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853836 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853837 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2853838 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853839 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853840 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853841 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853842 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853843 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2853844 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853845 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853846 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2853847 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2853848 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853849 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2853850 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2853851 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2853852 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2853853 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2853854 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2853855 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2853856 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2853857 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2853858 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2853859 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2853860 - ETPRO ATTACK_RESPONSE Linux/CoinMiner.WV Variant Inbound (attack_response.rules)
2853861 - ETPRO PHISHING Twitter Credential Phish Landing Page 2023-03-28 (phishing.rules)
[---] Disabled and modified rules: [---]
2853348 - ETPRO MALWARE SocGholish CnC Initial Request M2 (malware.rules)
[---] Removed rules: [---]
2030707 - ET HUNTING Possible Phishing - Form submitted to submit-form Form Hosting (hunting.rules) (re-added above under the same SID, recategorized as an ET PHISHING rule in phishing.rules)