[***] Summary: [***]

21 new OPEN, 25 new PRO (21 + 4). ELEFANTE/ElephantBeetle, NOBELIUM,
PurpleFox Backdoor, Bitter APT, Sidewinder APT, Quasar and Various
PHISH.

Thanks to @shadowchasing1, @h2jazi and @malwrhunterteam

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034861 - ET EXPLOIT Possible ELEFANTE/ElephantBeetle WebShell
Access Inbound (exploit.rules)
2034862 - ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle
Command Tunneling M1 (attack_response.rules)
2034863 - ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle
Command Tunneling M2 (attack_response.rules)
2034864 - ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle
Enumeration Activity M1 (attack_response.rules)
2034865 - ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle
Enumeration Activity M2 (attack_response.rules)
2034866 - ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle
Lateral Movement Activity (attack_response.rules)
2034867 - ET TROJAN NOBELIUM Cobalt Strike CnC Domain in DNS Lookup
(trojan.rules)
2034868 - ET TROJAN NOBELIUM - Cobalt Strike Malleable Profile M1
(trojan.rules)
2034869 - ET TROJAN NOBELIUM Cobalt Strike CnC Domain in DNS Lookup
(trojan.rules)
2034870 - ET INFO Possible NOBELIUM CnC Traffic (Observed UA) (info.rules)
2034871 - ET TROJAN PurpleFox Backdoor/Rootkit Download Request M2
(trojan.rules)
2034872 - ET TROJAN PurpleFox Backdoor/Rootkit Download Server
Response M2 (trojan.rules)
2034873 - ET TROJAN PurpleFox Backdoor/Rootkit Checkin (trojan.rules)
2034874 - ET INFO Possible cs2nginx Proxy Redirect (info.rules)
2034875 - ET TROJAN Maldoc Retrieving Remote Template (GET) (trojan.rules)
2034876 - ET TROJAN APT/Bitter Related Checkin Activity (GET) (trojan.rules)
2034877 - ET TROJAN APT/Sidewinder CnC Domain in DNS Lookup (afcat .xyz) (trojan.rules)
2034878 - ET TROJAN APT/Donot Group CnC Domain in DNS Lookup
(request .soundedge .live) (trojan.rules)
2034879 - ET TROJAN APT/Donot Group Checkin Activity (GET) (trojan.rules)
2034880 - ET TROJAN Quasar CnC Domain in DNS Lookup (trojan.rules)
2034881 - ET TROJAN Quasar CnC Domain in DNS Lookup (trojan.rules)

Pro:

2850832 - ETPRO CURRENT_EVENTS Successful Generic Phish 2022-01-10
(current_events.rules)
2850833 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2022-01-10
(current_events.rules)
2850834 - ETPRO TROJAN Win32/Sabsik CnC Activity (GET) (trojan.rules)
2850835 - ETPRO CURRENT_EVENTS Generic Phish Landing Page 2022-01-07
(current_events.rules)

[///] Modified active rules: [///]

2032365 - ET CURRENT_EVENTS Phishing Landing via Weebly.com (set)
2016-02-02 (current_events.rules)
2033987 - ET TROJAN APT/Bitter Maldoc Activity (trojan.rules)
2034848 - ET TROJAN Win32/X-Files Stealer Activity (trojan.rules)
2034856 - ET TROJAN PurpleFox Backdoor/Rootkit Download Server
Response M1 (trojan.rules)
2034859 - ET TROJAN PurpleFox Backdoor/Rootkit Download Request M1
(trojan.rules)
2850800 - ETPRO TROJAN Valyria Maldoc Activity (GET) (trojan.rules)
