[***] Summary: [***]

12 new OPEN, 16 new PRO (12 + 4). Win32/Colibri, Multiple CVE,
Lazarus APT, Gamaredon APT and Various Phish.

Thanks @s1ckb017

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035107 - ET TROJAN Win32/Colibri Loader Activity M2 (trojan.rules)
2035108 - ET TROJAN Win32/Colibri Loader Activity M3 (trojan.rules)
2035109 - ET EXPLOIT Possible Citrix Application Delivery Controller
Arbitrary Code Execution Attempt (CVE-2019-19781) M4 (exploit.rules)
2035110 - ET EXPLOIT Citrix Application Delivery Controller
Arbitrary Code Execution Attempt Scanner Attempt (CVE-2019-19781)
(exploit.rules)
2035111 - ET EXPLOIT Citrix Application Delivery Controller
Arbitrary Code Execution Attempt Scanner Attempt - Server Response
(CVE-2019-19781) (exploit.rules)
2035114 - ET INFO Observed External IP Lookup Domain (geoiplookup
.io in TLS SNI) (info.rules)
2035115 - ET TROJAN Observed Lazarus APT Related Domain
(designautocad .org in TLS SNI) (trojan.rules)
2035116 - ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup
(designautocad .org) (trojan.rules)
2035117 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035118 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035119 - ET TROJAN Win32/Pteranodon CnC Exfil (POST) M2 (trojan.rules)
2035124 - ET CURRENT_EVENTS Generic Bank Login Phish 2022-02-04
(current_events.rules)

Pro:

2851058 - ETPRO POLICY Observed Google DNS over HTTPS Domain (dns
.google in TLS SNI) (policy.rules)
2851059 - ETPRO TROJAN MSIL/White Clipper CnC Exfil via Discord (trojan.rules)
2851060 - ETPRO CURRENT_EVENTS Successful MailUpdateFresh Phish Kit
(current_events.rules)
2851061 - ETPRO CURRENT_EVENTS MailUpdateFresh Phish Kit
(current_events.rules)

[///] Modified active rules: [///]

2029206 - ET EXPLOIT Possible Citrix Application Delivery Controller
Arbitrary Code Execution Attempt (CVE-2019-19781) (exploit.rules)
2032321 - ET CURRENT_EVENTS Observed CloudFlare Interstitial
Phishing Page (current_events.rules)
2035032 - ET USER_AGENTS Suspicious User-Agent (example/1.0)
(user_agents.rules)
2838109 - ETPRO POLICY Google DNS Over HTTPS Certificate Inbound
(policy.rules)
