List: emerging-sigs
Subject: Re: [Emerging-Sigs] 2030394: ET TROJAN GoldenSpy CnC Activity
From: Jason Taylor <jastaylor () emergingthreats ! net>
Date: 2021-02-17 21:01:28
Message-ID: CACDW1-Vd00--4iRS8aJetXqvBH7qR1-=+5JCur_jCYLsg0OMLw () mail ! gmail ! com
Thanks for the report Eric!
It does appear from the article that communication to i-xinnuo[.]com
doesn't happen with the malware mentioned in the article. We will get
the rule updated and out with today's push.
JT
On Wed, Feb 17, 2021 at 3:19 PM Eric Urban via Emerging-sigs
<emerging-sigs@lists.emergingthreats.net> wrote:
>
> Hello,
>
> For rule with SID 2030394, in the metadata reference article at
> https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/,
> it is written that "GoldenSpy does not contact the tax software's network
> infrastructure (i-xinnuo[.]com), rather it reaches out to ningzhidata[.]com, a
> domain known to host other variations of GoldenSpy malware."
> Does this mean that communication to i-xinnuo[.]com should not trigger this rule,
> so whitelisted in the definition? I saw activity triggering this rule and after
> reading the article am interpreting it to be a false positive. The site in my case
> was dc.i-xinnuo[.]com.
> Thank you,
> Eric
>
> --
> Eric Urban
> Security Analyst | University Information Security (UIS)
> University of Minnesota | umn.edu
> Keep your home network, computer, and mobile devices secure while working remotely.
> Learn more at: https://it.umn.edu/secure-u
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro
http://www.emergingthreats.net