[***] Summary: [***]
10 new OPEN, 20 new PRO (10 + 10) OctoberCMS Auth Bypass, Octopus
Backdoor, Kimsuky and OceanLotus APT DNS sigs, SpyBanker and various
CoinMiner sigs.
Many rules have changed categories; please see the changelogs for full details.
Thanks @kevthehermit, @ShadowChasing1, @hyperdefined
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2034929 - ET EXPLOIT OctoberCMS Auth Bypass Inbound M1 trigger_reset (CVE-2021-32648) (exploit.rules)
2034930 - ET EXPLOIT OctoberCMS Auth Bypass Inbound M2 set_password (CVE-2021-32648) (exploit.rules)
2034931 - ET TROJAN Win32/Small.NQT!tr CnC Activity (trojan.rules)
2034932 - ET INFO Observed URL Shortening Service Domain (dik .si in TLS SNI) (info.rules)
2034933 - ET TROJAN Kimsuky APT Related Domain in DNS Lookup (gooeglle .mypressonline .com) (trojan.rules)
2034934 - ET TROJAN OceanLotus APT Related Domain in DNS Lookup (confusion-cerulean-samba .glitch .me) (trojan.rules)
2034935 - ET TROJAN Powershell Octopus Backdoor Sending System Information (POST) (trojan.rules)
2034936 - ET TROJAN Win32/Injector.DSQR CnC Activity (POST) (trojan.rules)
2034937 - ET CURRENT_EVENTS Generic DarkX Phish 2022-01-22 (current_events.rules)
2034938 - ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io) (policy.rules)
Pro:
2850868 - ETPRO TROJAN Win32/DelfInject Variant Activity (GET) (trojan.rules)
2850869 - ETPRO TROJAN Win32/DelfInject Variant Activity (POST) (trojan.rules)
2850871 - ETPRO TROJAN Win32/Spy.Banker CnC Exfil (POST) (trojan.rules)
2850872 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-01-14 1) (trojan.rules)
2850873 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-01-14 2) (trojan.rules)
2850874 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-01-14 3) (trojan.rules)
2850875 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-01-14 4) (trojan.rules)
2850876 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-01-14 5) (trojan.rules)
2850877 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-01-14 6) (trojan.rules)
2850878 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-01-14 7) (trojan.rules)
[///] Modified active rules: [///]
2013688 - ET TROJAN Shylock Module Server Response (trojan.rules)
2025424 - ET TROJAN Observed Malicious SSL Cert (OSX/Calender 2 Mining) (trojan.rules)
2805862 - ETPRO MOBILE_MALWARE Android/Adware.Uapush.A Checkin (mobile_malware.rules)
2847434 - ETPRO CURRENT_EVENTS Successful Generic DarkX Phish 2021-03-03 (current_events.rules)
[///] Modified inactive rules: [///]
2010333 - ET MALWARE User-Agent (CrazyBro) (malware.rules)
2012908 - ET TROJAN Backdoor Win32/Begman.A Checkin (trojan.rules)
2801322 - ETPRO TROJAN Win32.Dogrobot activity on port 123 (trojan.rules)
2804905 - ETPRO TROJAN Win32/Horst.gen!C Checkin (trojan.rules)
2804934 - ETPRO TROJAN Dropper-FQE Checkin (trojan.rules)
2804955 - ETPRO TROJAN Trojan-Downloader.Win32.Banload.arqa Checkin (trojan.rules)
2805168 - ETPRO MALWARE Adware.TimeSink.P Checkin (malware.rules)
2805207 - ETPRO TROJAN Win32/Delf.W Checkin (trojan.rules)
2805212 - ETPRO TROJAN Win32/Delf.DL Checkin (trojan.rules)
2805224 - ETPRO TROJAN Win32/TrojanDownloader.Banload.OKO Checkin (trojan.rules)
2805249 - ETPRO TROJAN Spy.Banker.QEP Checkin (trojan.rules)
2805253 - ETPRO MALWARE Win32/Adware.Kraddare.W Checkin (malware.rules)
2805332 - ETPRO TROJAN Win32/Fragat.A Checkin (trojan.rules)
2805334 - ETPRO TROJAN Trojan.Win32.Heur.089 Checkin (trojan.rules)
2805368 - ETPRO TROJAN Win32/Pangu.A Checkin (trojan.rules)
2805405 - ETPRO TROJAN Win32/SchwarzeSonne.AP Checkin (trojan.rules)
2805822 - ETPRO TROJAN Android/Gmaster.A Checkin (trojan.rules)
2805853 - ETPRO MOBILE_MALWARE Trojan/AndroidOS.eee Checkin (mobile_malware.rules)
2805857 - ETPRO TROJAN Virus.Win32.Virut.a Proxy Registration 2 (trojan.rules)