[***] Summary: [***]
22 new OPEN, 43 new PRO (22 + 21). Multiple Tech Support Scam, FIN7,
IcedID, ELF/FontOnLake, Harvester Group.
Thanks @h2jazi, @ffforward, @threatintel and @ESETresearch
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2034203 - ET CURRENT_EVENTS Tech Support Scam - Windows Firewall M1 2021-08-17 (current_events.rules)
2034204 - ET CURRENT_EVENTS Tech Support Scam - Windows Firewall M2 2021-08-17 (current_events.rules)
2034205 - ET CURRENT_EVENTS Tech Support Scam - Windows Firewall M3 2021-08-17 (current_events.rules)
2034206 - ET CURRENT_EVENTS Tech Support Scam - Windows Firewall M4 2021-08-17 (current_events.rules)
2034207 - ET CURRENT_EVENTS Tech Support Scam - Windows Firewall M5 2021-08-17 (current_events.rules)
2034208 - ET CURRENT_EVENTS Tech Support Scam - Generic Components (current_events.rules)
2034209 - ET TROJAN Observed Malicious SSL/TLS Certificate (FIN7 CnC) (trojan.rules)
2034210 - ET TROJAN FIN7 URI Path Observed M1 (trojan.rules)
2034211 - ET TROJAN FIN7 URI Path Observed M2 (trojan.rules)
2034212 - ET INFO Outbound .png HTTP GET flowbit set (info.rules)
2034213 - ET TROJAN Possible BlackByte Ransomware Encryption Key Inbound (fake .png) (trojan.rules)
2034214 - ET TROJAN Observed Malicious SSL/TLS Certificate (IcedID CnC) (trojan.rules)
2034215 - ET TROJAN Observed Malicious SSL/TLS Certificate (IcedID CnC) (trojan.rules)
2034216 - ET TROJAN IcedID CnC Domain in SSL/TLS SNI (trojan.rules)
2034217 - ET TROJAN IcedID CnC Domain in SSL/TLS SNI (trojan.rules)
2034218 - ET TROJAN IcedID CnC Domain in SSL/TLS SNI (trojan.rules)
2034219 - ET TROJAN Win32/Agent.UHC CnC Activity (trojan.rules)
2034220 - ET TROJAN W32/Witch.3FA0!tr CnC Activity M2 (trojan.rules)
2034221 - ET TROJAN Maldoc Activity (GET) (trojan.rules)
2034222 - ET TROJAN ELF/FontOnLake Related CnC Domain in DNS Lookup (hm2 .yrnykx .com) (trojan.rules)
2034223 - ET TROJAN Harvester Group Downloader Activity (GET) (trojan.rules)
2034224 - ET TROJAN Win32/Backdoor.Graphon Checkin Activity (GET) (trojan.rules)
Pro:
2850222 - ETPRO TROJAN Win32/Sabsik.FL.B!ml Retrieving Payload (trojan.rules)
2850223 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-14 1) (trojan.rules)
2850224 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-14 2) (trojan.rules)
2850225 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-14 3) (trojan.rules)
2850226 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-14 4) (trojan.rules)
2850227 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-14 5) (trojan.rules)
2850228 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-14 6) (trojan.rules)
2850229 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-14 7) (trojan.rules)
2850230 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-17 1) (trojan.rules)
2850231 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-17 2) (trojan.rules)
2850232 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-17 3) (trojan.rules)
2850233 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-17 4) (trojan.rules)
2850234 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-17 5) (trojan.rules)
2850235 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-17 6) (trojan.rules)
2850236 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-17 7) (trojan.rules)
2850237 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-17 8) (trojan.rules)
2850238 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-17 9) (trojan.rules)
2850239 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-17 11) (trojan.rules)
2850240 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-17 12) (trojan.rules)
2850241 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-10-17 13) (trojan.rules)
2850242 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-10-18 (BR) (current_events.rules)
[///] Modified active rules: [///]
2033085 - ET TROJAN Lyceum Group Activity (DNS) (trojan.rules)
2033727 - ET TROJAN Stealbit Variant Data Exfil M1 (trojan.rules)
2033728 - ET TROJAN Stealbit Variant Data Exfil M2 (trojan.rules)
2849661 - ETPRO TROJAN Observed Lyceum Group CnC Domain in DNS Lookup (trojan.rules)
2849663 - ETPRO TROJAN Lyceum Group Checkin Activity (POST) (trojan.rules)
[---] Disabled and modified rules: [---]
2823039 - ETPRO TROJAN RedTeam SSL Cert (trojan.rules)
[---] Disabled rules: [---]
2034097 - ET INFO Observed AutoDesk Domain in TLS SNI (autodesk360 .com) (info.rules)