[***] Summary: [***]

52 new OPEN, 52 new PRO (52 + 0). Multiple Subterranean Crimson RAT,
Multiple Arid Viper APT, SManager, Citrix CVE and Various Phish.

Thanks to @TI_ESC, @TalosSecurity and @James_inthe_box

In an effort to increase visibility/detection for everyone, we moved
all Emotet signatures from the PRO set to OPEN today.

We are aware of a bug in the feedback portal and are working on a fix.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035042 - ET TROJAN Emotet Post Drop C2 Comms (trojan.rules)
2035043 - ET TROJAN Likely Geodo/Emotet Downloading PE (trojan.rules)
2035044 - ET TROJAN Likely Geodo/Emotet Downloading PE - Fake UA
(trojan.rules)
2035045 - ET TROJAN Likely Geodo/Emotet CnC Beacon (trojan.rules)
2035046 - ET TROJAN W32/Emotet Empty CnC Beacon (trojan.rules)
2035047 - ET TROJAN W32/Emotet.v4 Checkin (trojan.rules)
2035048 - ET TROJAN W32/Emotet.v4 Checkin 2 (trojan.rules)
2035049 - ET TROJAN Emotet Post Drop C2 Comms M2 (trojan.rules)
2035050 - ET TROJAN W32/Emotet.v4 Checkin 3 (trojan.rules)
2035051 - ET TROJAN IcedID/Emotet Certificate Observed M1 (trojan.rules)
2035052 - ET TROJAN W32/Emotet CnC Checkin (trojan.rules)
2035053 - ET TROJAN Win32/Emotet CnC Checkin (POST) (trojan.rules)
2035054 - ET TROJAN Win32/Emotet CnC Checkin Response (trojan.rules)
2035055 - ET TROJAN Win32/Emotet CnC Activity (POST) (trojan.rules)
2035056 - ET TROJAN Win32/Emotet CnC Activity (POST) M2 (trojan.rules)
2035057 - ET TROJAN Win32/Spy.Agent.POX Variant CnC (trojan.rules)
2035058 - ET TROJAN Win32/Emotet CnC Activity (POST) M3 (trojan.rules)
2035059 - ET TROJAN Win32/Emotet CnC Activity (POST) M4 (trojan.rules)
2035060 - ET TROJAN Evil PDF Retrieving Emotet Payload (trojan.rules)
2035061 - ET TROJAN Group 21 Payload CnC Checkin (trojan.rules)
2035062 - ET TROJAN W32.Geodo/Emotet Checkin Fake 404 Response (trojan.rules)
2035063 - ET TROJAN Emotet Certificate Observed M2 (trojan.rules)
2035064 - ET TROJAN Office Macro Emotet Download URI Nov 24 2021
(trojan.rules)
2035065 - ET TROJAN W32/Emotet.v4 Checkin Fake 404 Payload Response
(trojan.rules)
2035066 - ET TROJAN Parallax CnC Activity M17 (set) (trojan.rules)
2035067 - ET TROJAN Parallax CnC Response Activity M17 (trojan.rules)
2035068 - ET TROJAN Subterranean Security Domain in DNS Lookup (trojan.rules)
2035069 - ET MALWARE Subterranean Crimson Rat - GetInfo Command
(malware.rules)
2035070 - ET MALWARE Subterranean Crimson Rat - AssignID Command
(malware.rules)
2035071 - ET MALWARE Subterranean Crimson Rat - FileManager List
Command (malware.rules)
2035072 - ET MALWARE Subterranean Crimson Rat - FileManager pwd
Command (malware.rules)
2035073 - ET MALWARE Subterranean Crimson Rat - GetClientLog Command
(malware.rules)
2035074 - ET MALWARE Subterranean Crimson Rat - Client Traffic (malware.rules)
2035075 - ET TROJAN Emotet CnC Beacon (trojan.rules)
2035076 - ET TROJAN Win32/Emotet CnC Activity (POST) M9 (trojan.rules)
2035077 - ET TROJAN Win32/Emotet CnC Activity (POST) M11 (trojan.rules)
2035078 - ET INFO Doc Template Downloaded from DDNS Site (info.rules)
2035079 - ET TROJAN Arid Viper APT Related Domain in DNS Lookup
(deangelomcnay .news) (trojan.rules)
2035080 - ET TROJAN Arid Viper APT Related Domain in DNS Lookup
(earlahenry .com) (trojan.rules)
2035081 - ET TROJAN Arid Viper APT Related Domain in DNS Lookup
(nicholasuhl .website) (trojan.rules)
2035082 - ET TROJAN Arid Viper APT Related Domain in DNS Lookup
(cooperron .me) (trojan.rules)
2035083 - ET TROJAN Arid Viper APT Related Domain in DNS Lookup
(dorothymambrose .live) (trojan.rules)
2035084 - ET TROJAN Arid Viper APT Related Domain in DNS Lookup
(juliansturgill .info) (trojan.rules)
2035085 - ET TROJAN MacOS/UpdateAgent.A CnC Activity M1 (trojan.rules)
2035086 - ET TROJAN MacOS/UpdateAgent.A CnC Activity M2 (trojan.rules)
2035087 - ET INFO Gophish X-Server (info.rules)
2035088 - ET CURRENT_EVENTS Successful Intuit Phish 2022-02-03
(current_events.rules)
2035089 - ET POLICY Http Client Body contains pin= in cleartext (policy.rules)
2035090 - ET POLICY Http Client Body contains otp= in cleartext (policy.rules)
2035091 - ET TROJAN SManager Backdoor Domain in DNS Lookup (trojan.rules)
2035092 - ET TROJAN SManager Backdoor Domain in DNS Lookup (trojan.rules)
2035093 - ET EXPLOIT Citrix SD-WAN Unauthenticated RCE
(CVE-2020-8271) (exploit.rules)
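The two ET POLICY signatures above (2035089 and 2035090) are named for a simple condition: an HTTP request body that carries a PIN or OTP as a cleartext form field. The rule options themselves are not reproduced in this update, so the matcher below is an added example written for this page, not Emerging Threats' rule text, and its details (a field-boundary regex, the constructed sample requests, the function names) are assumptions about how that condition is best checked. It shows the one thing a content match on "pin=" gets wrong without a boundary: fields such as "spin=" or "repin=" must not count.

```python
"""Added example (not Emerging Threats' rule text): flag HTTP request bodies
that carry a PIN or OTP as a cleartext form parameter, the condition that
ET POLICY signatures 2035089 and 2035090 are named after. The actual rule
options are not on this page; the matching below is an assumption."""
import re

# Parameter names the two signatures are named after, mapped to their SIDs.
WATCHED_PARAMS = {"pin": 2035089, "otp": 2035090}

# A form field starts at the beginning of the body or right after a separator.
# The boundary check stops "spin=" or "repin=" from being counted as "pin=".
FIELD_RE = re.compile(rb"(?:^|[&;])(pin|otp)=", re.IGNORECASE)


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request split: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    # Honour Content-Length so bytes of a pipelined follow-up request are ignored.
    length = int(headers.get("content-length", len(body)))
    return {"method": method.decode(), "target": target.decode(),
            "version": version.decode(), "headers": headers,
            "body": body[:length]}


def cleartext_secret_sids(raw: bytes) -> list:
    """Return the SIDs that would fire for one plaintext HTTP request."""
    req = parse_http_request(raw)
    hits = set()
    for m in FIELD_RE.finditer(req["body"]):
        hits.add(WATCHED_PARAMS[m.group(1).lower().decode()])
    return sorted(hits)


# Constructed sample traffic for this example, not captures from the page.
LOGIN_POST = (
    b"POST /account/verify HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n\r\n"
    b"user=alice&pin=1234&otp=987654"
)

# Field names that merely contain "pin" must not trigger either SID.
BENIGN_POST = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n\r\n"
    b"spin=5&pinnacle=x&repin=1"
)

GET_NO_BODY = b"GET / HTTP/1.1\r\nHost: a.example\r\n\r\n"


if __name__ == "__main__":
    for label, raw in (("login", LOGIN_POST), ("benign", BENIGN_POST),
                       ("get", GET_NO_BODY)):
        print(label, cleartext_secret_sids(raw))
```

The check only has meaning for traffic the sensor sees in the clear: the same POST inside TLS never reaches an http_client_body match, so a quiet sensor is not evidence that no PINs are crossing the wire.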

[///] Modified active rules: [///]

2024658 - ET TROJAN KHRAT DNS Lookup (upload-dropbox .com) (trojan.rules)
2034936 - ET TROJAN Win32/Injector.DSQR CnC Activity (POST) (trojan.rules)
2034961 - ET EXPLOIT GitLab Unauthenticated Remote ExifTool Command
Injection (CVE-2021-24563) (exploit.rules)
2034982 - ET TROJAN Win32/ClipBanker.OC CnC Activity M1 (trojan.rules)
2034983 - ET TROJAN Win32/ClipBanker.OC CnC Activity M2 (trojan.rules)
2035039 - ET TROJAN Gamaredon Related VBS Activity (GET) (trojan.rules)
2850891 - ETPRO INFO Suspicious Reversed String Inbound
(mscoree.dll) (info.rules)
2850917 - ETPRO TROJAN VB:Trojan.Valyria CnC Activity (trojan.rules)
2850940 - ETPRO TROJAN Win32/TrojanDownloader.Agent.DSF CnC Activity
(trojan.rules)
2850941 - ETPRO TROJAN Win32/TrojanDownloader.Agent.DSF CnC Activity
(trojan.rules)

[---] Removed rules: [---]

2810105 - ETPRO TROJAN Likely Geodo/Emotet Downloading PE -
/mss[0-9]+.exe (trojan.rules)
2810106 - ETPRO TROJAN Likely Geodo/Emotet Downloading PE - Fake UA
(trojan.rules)
2810107 - ETPRO TROJAN Likely Geodo/Emotet CnC Beacon (trojan.rules)
2811402 - ETPRO TROJAN Emotet CnC Beacon (trojan.rules)
2823571 - ETPRO TROJAN W32.Geodo/Emotet Checkin Fake 404 Response
(trojan.rules)
2826327 - ETPRO TROJAN W32/Emotet Empty CnC Beacon (trojan.rules)
2827279 - ETPRO TROJAN W32/Emotet.v4 Checkin (trojan.rules)
2827580 - ETPRO TROJAN W32/Emotet.v4 Checkin 2 (trojan.rules)
2828005 - ETPRO TROJAN Emotet Post Drop C2 Comms (trojan.rules)
2828006 - ETPRO TROJAN Emotet Post Drop C2 Comms M2 (trojan.rules)
2828008 - ETPRO TROJAN W32/Emotet.v4 Checkin 3 (trojan.rules)
2828060 - ETPRO TROJAN W32/Emotet.v4 Checkin Fake 404 Payload
Response (trojan.rules)
2830173 - ETPRO TROJAN IcedID/Emotet Certificate Observed M1 (trojan.rules)
2830174 - ETPRO TROJAN Emotet Certificate Observed M2 (trojan.rules)
2830701 - ETPRO TROJAN W32/Emotet CnC Checkin (trojan.rules)
2831209 - ETPRO TROJAN Win32/Emotet CnC Checkin (POST) (trojan.rules)
2835400 - ETPRO TROJAN Win32/Emotet CnC Checkin Response (trojan.rules)
2835435 - ETPRO TROJAN Win32/Emotet CnC Activity (POST) (trojan.rules)
2835461 - ETPRO TROJAN Win32/Emotet CnC Activity (POST) M2 (trojan.rules)
2835513 - ETPRO TROJAN Win32/Spy.Agent.POX Variant CnC (trojan.rules)
2835565 - ETPRO TROJAN Win32/Emotet CnC Activity (POST) M3 (trojan.rules)
2835566 - ETPRO TROJAN Win32/Emotet CnC Activity (POST) M4 (trojan.rules)
2835591 - ETPRO TROJAN Evil PDF Retrieving Emotet Payload (trojan.rules)
2840477 - ETPRO TROJAN Group 21 Payload CnC Checkin (trojan.rules)
2842317 - ETPRO TROJAN Win32/Emotet CnC Activity (POST) M9 (trojan.rules)
2844955 - ETPRO TROJAN Win32/Emotet CnC Activity (POST) M11 (trojan.rules)
2850559 - ETPRO TROJAN Office Macro Emotet Download URI Nov 24 2021
(trojan.rules)
