[***] Summary: [***]
1 new OPEN, 2 new PRO (1 + 1): OnionRAT and Lazarus APT DNS signatures.
Thanks @s1ckb017 and @NicoleFishi19
Additional modifications were made to remove trailing and leading spaces in rule messages.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2034956 - ET TROJAN Lazarus APT Maldoc Related Domain in DNS Lookup (markettrendingcenter .com) (trojan.rules)
Pro:
2850898 - ETPRO TROJAN OnionRAT Cnc Activity (trojan.rules)
[///] Modified active rules: [///]
2001736 - ET MALWARE UCMore Spyware User-Agent (UCmore) (malware.rules)
2009374 - ET TROJAN Virut Counter/Check-in (trojan.rules)
2009521 - ET TROJAN Win32/Nubjub.A HTTP Check-in (trojan.rules)
2009888 - ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1) (web_specific_apps.rules)
2009889 - ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2) (web_specific_apps.rules)
2009890 - ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3) (web_specific_apps.rules)
2009891 - ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4) (web_specific_apps.rules)
2010768 - ET SCAN Open-Proxy ScannerBot (webcollage-UA) (scan.rules)
2012645 - ET TROJAN GET to Google with specific HTTP lib likely Cycbot/Bifrose/Kryptic checking Internet connection (trojan.rules)
2015938 - ET CURRENT_EVENTS Chase/Bank of America Phishing Landing Uri Structure Nov 27 2012 (current_events.rules)
2016187 - ET TROJAN W32/Tobfy.Ransomware Invalid URI CnC Request (trojan.rules)
2018197 - ET MALWARE Win32.AdWare.iBryte.C Install (malware.rules)
2018297 - ET CURRENT_EVENTS GoonEK encrypted binary (3) (current_events.rules)
2018570 - ET TROJAN HTTP Request to a *.su domain with direct request/fakebrowser (multiple families flowbit set) (trojan.rules)
2018571 - ET TROJAN HTTP Request to a *.pw domain with direct request/fake browser (multiple families flowbit set) (trojan.rules)
2018572 - ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families) (trojan.rules)
2018793 - ET TROJAN EUPUDS.A Requests for Boleto replacement (trojan.rules)
2021316 - ET TROJAN Linux/ChinaZ DDoS Bot Checkin 2 (trojan.rules)
2022345 - ET TROJAN Win32/Bulta CnC Beacon (trojan.rules)
2026914 - ET USER_AGENTS SFML User-Agent (libsfml-network) (user_agents.rules)
2029185 - ET POLICY External IP Lookup - free .ipwhois .io (policy.rules)
2032795 - ET CURRENT_EVENTS Observed DNS Query to Phishing Domain (apiujpnkbrhsdn57oi0ns0qmbaj0wcdzjhblj6frlh1tr .eur .lc) (current_events.rules)
2032796 - ET CURRENT_EVENTS Observed DNS Query to Phishing Domain (hombreymaquina .com) (current_events.rules)
2032797 - ET CURRENT_EVENTS Observed DNS Query to Phishing Domain (igconsulting. pe) (current_events.rules)
2032798 - ET TROJAN Observed DNS Query to Ursnif CnC Domain (vorulenuke. us) (trojan.rules)
2032799 - ET TROJAN Observed DNS Query to Ursnif CnC Domain (horulenuke .us) (trojan.rules)
2032806 - ET TROJAN Observed DNS Query to MoserPass Download Domain (passwordstate-18ed2 .kxcdn .com) (trojan.rules)
2032927 - ET MALWARE lolzilla JS/PHP WebSkimmer - Data Exfil (malware.rules)
2033743 - ET TROJAN MSIL/Agent.DNL CnC Activity M1 (trojan.rules)
2033891 - ET INFO Observed Suspicious Request nc.exe in URI (info.rules)
2034724 - ET MALWARE Win32/2345.H Variant Activity (POST) (malware.rules)
2034750 - ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (udp) (Outbound) (CVE-2021-44228) (exploit.rules)
2034791 - ET EXPLOIT Possible Apache log4j RCE Attempt (udp nds) (Outbound) (CVE-2021-44228) (exploit.rules)
2803525 - ETPRO TROJAN Backdoor.Win32.Derusbi.A Checkin (trojan.rules)
2815142 - ETPRO TROJAN Bergard Checkin 1 (trojan.rules)
2821144 - ETPRO TROJAN Backdoor.WaterTiger Checkin M1 (trojan.rules)
2822077 - ETPRO MALWARE Win32/Funshion Adware Install Checkin M2 (malware.rules)
2827461 - ETPRO MALWARE Win32/Funshion Adware Install Checkin M1 (malware.rules)
[///] Modified inactive rules: [///]
2009457 - ET TROJAN Virut Counter/Check-in (trojan.rules)
2009587 - ET WEB_SPECIFIC_APPS Virtualmin left.cgi XSS attempt (web_specific_apps.rules)
2009588 - ET WEB_SPECIFIC_APPS Virtualmin link.cgi XSS attempt (web_specific_apps.rules)
2011970 - ET CURRENT_EVENTS SWF served from /tmp/ (current_events.rules)
2013353 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - flickr.com.* (current_events.rules)
2013354 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - picasa.com.* (current_events.rules)
2013355 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.* (current_events.rules)
2013357 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.* (current_events.rules)
2013358 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.* (current_events.rules)
2013359 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* (current_events.rules)
2013360 - ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - photobucket.com.* (current_events.rules)
2016129 - ET CURRENT_EVENTS Unknown_gmf/Styx EK - fnts.html (current_events.rules)
2019519 - ET TROJAN Win32/Chanitor.A DNS Lookup (trojan.rules)