[***] Summary: [***]
14 new OPEN, 26 new PRO (14 + 12). Matanbuchus, Danabot, Cobalt
Strike, Gamaredon, More_eggs, Win32/Farfli.CUY, Various PHISH.
Thanks @zscaler, @malwrhunterteam, @h2jazi
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
We are hiring a Threat Detection Engineer!
https://proofpoint.wd5.myworkdayjobs.com/ProofpointCareers/job/Illinois…
[+++] Added rules: [+++]
Open:
2034465 - ET TROJAN Danabot Key Exchange Request (trojan.rules)
2034466 - ET TROJAN Matanbuchus Loader CnC M1 (trojan.rules)
2034467 - ET TROJAN Matanbuchus Loader CnC M2 (trojan.rules)
2034468 - ET TROJAN Matanbuchus Loader CnC M3 (trojan.rules)
2034469 - ET MALWARE Matanbuchus Loader CnC M4 (malware.rules)
2034470 - ET TROJAN Matanbuchus Loader Server Response (trojan.rules)
2034471 - ET TROJAN Danabot Associated Activity (GET) (trojan.rules)
2034472 - ET CURRENT_EVENTS ghayt_Zone Phishing Kit (current_events.rules)
2034473 - ET TROJAN Cobalt Strike CnC Domain in DNS Lookup (bg .knonwsec .com) (trojan.rules)
2034474 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2034475 - ET TROJAN Gamaredon Related Maldoc Activity (GET) (trojan.rules)
2034476 - ET CURRENT_EVENTS Nourblog1 Phish Kit (current_events.rules)
2034477 - ET CURRENT_EVENTS Nourblog1 Phish Kit (current_events.rules)
2034478 - ET CURRENT_EVENTS Nourblog1 Phish Kit (current_events.rules)
Pro:
2850467 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-16 1) (trojan.rules)
2850468 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-16 2) (trojan.rules)
2850469 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-16 3) (trojan.rules)
2850470 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-16 4) (trojan.rules)
2850471 - ETPRO TROJAN Win32/Farfli.CUY Checkin (trojan.rules)
2850472 - ETPRO TROJAN Win32/Farfli.CUY KeepAlive (trojan.rules)
2850473 - ETPRO POLICY Your Freedom VPN - DNS Mode - Server Lookup (policy.rules)
2850474 - ETPRO POLICY Your Freedom VPN - DNS Mode - Tunnel Traffic M1 (policy.rules)
2850475 - ETPRO POLICY Your Freedom VPN - Observed SOA Record M1 (policy.rules)
2850476 - ETPRO TROJAN More_eggs CnC Activity (trojan.rules)
2850477 - ETPRO TROJAN Win32.Raccoon Stealer Checkin M6 (trojan.rules)
2850478 - ETPRO TROJAN AZORult CnC Domain in DNS Lookup (trojan.rules)
[///] Modified active rules: [///]
2014366 - ET TROJAN Suspicious User-Agent (Post) (trojan.rules)
2022985 - ET TROJAN Trojan Generic - POST To gate.php with no accept headers (trojan.rules)
2022986 - ET TROJAN Generic Request to gate.php Dotted-Quad (trojan.rules)
2850456 - ETPRO CURRENT_EVENTS Generic Credential Phish Landing Page 2021-11-15 (current_events.rules)
2850457 - ETPRO CURRENT_EVENTS Generic Credential Phish Landing Page 2021-11-15 (current_events.rules)
2850460 - ETPRO CURRENT_EVENTS Successful Paypal Credential Phish 2021-11-15 (current_events.rules)
[---] Removed rules: [---]
2846515 - ETPRO TROJAN Danabot Key Exchange Request (trojan.rules)