[***] Summary: [***]
29 new OPEN, 30 new PRO (29 + 1). Various DNS over HTTP(S), Various Cobalt Strike, Various Gamaredon APT and Various CVE
Thanks @Sophos, @_CPResearch_ and @h2jazi
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2035121 - ET TROJAN TA402/Molerats External IP Lookup Activity (trojan.rules)
2035122 - ET TROJAN TA402/Molerats Related Malware Domain in DNS Lookup (trojan.rules)
2035123 - ET TROJAN TA402/Molerats Related Malware Domain in DNS Lookup (trojan.rules)
2035125 - ET POLICY Applied Privacy DNS over HTTPS Certificate Inbound (policy.rules)
2035126 - ET POLICY UncensoredDNS DNS Over HTTPS Certificate Inbound (policy.rules)
2035127 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (sdilok .com) (trojan.rules)
2035128 - ET TROJAN Observed Cobalt Strike Related Domain (world .healthamericacu .com in TLS SNI) (trojan.rules)
2035129 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (world .healthamericacu .com) (trojan.rules)
2035130 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2035131 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035132 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)
2035133 - ET TROJAN Observed ZLoader Related Domain (lkjhgfgsdshja .com in TLS SNI) (trojan.rules)
2035134 - ET TROJAN Maldoc Domain in DNS Lookup (travelcrimea .info) (trojan.rules)
2035135 - ET TROJAN Observed Maldoc Domain (travelcrimea .info in TLS SNI) (trojan.rules)
2035136 - ET EXPLOIT Cisco Viptela vManage Directory Traversal (CVE-2020-27128) (exploit.rules)
2035137 - ET EXPLOIT Cisco SD-WAN vManage Software Directory Traversal (CVE-2020-26073) (exploit.rules)
2035138 - ET EXPLOIT Possible Microsoft Exchange Server OWA GetWacUrl Information Disclosure Attempt (CVE-2020-17143) (exploit.rules)
2035139 - ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) (info.rules)
2035140 - ET INFO Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup) (info.rules)
2035141 - ET INFO Commonly Abused File Sharing Site Domain Observed (anonfiles .com in DNS Lookup) (info.rules)
2035142 - ET INFO Commonly Abused File Sharing Site Domain Observed (send .exploit .in in DNS Lookup) (info.rules)
2035143 - ET INFO Commonly Abused File Sharing Site Domain Observed (fex .net in DNS Lookup) (info.rules)
2035144 - ET INFO Commonly Abused File Sharing Site Domain Observed (privatlab .net in DNS Lookup) (info.rules)
2035145 - ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) (info.rules)
2035146 - ET INFO Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI) (info.rules)
2035147 - ET INFO Commonly Abused File Sharing Site Domain Observed (anonfiles .com in TLS SNI) (info.rules)
2035148 - ET INFO Commonly Abused File Sharing Site Domain Observed (send .exploit .in in TLS SNI) (info.rules)
2035149 - ET INFO Commonly Abused File Sharing Site Domain Observed (fex .net in TLS SNI) (info.rules)
2035150 - ET INFO Commonly Abused File Sharing Site Domain Observed (privatlab .net in TLS SNI) (info.rules)
Pro:
2851062 - ETPRO CURRENT_EVENTS Fidelity Investments Phish Landing Page 2022-02-08 (current_events.rules)
[///] Modified active rules: [///]
2025980 - ET POLICY TRR DNS over HTTPS detected (policy.rules)
2027671 - ET POLICY Cloudflare DNS Over HTTPS Certificate Inbound (policy.rules)
2027695 - ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) (policy.rules)
2034912 - ET POLICY Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI) (policy.rules)
2838109 - ETPRO POLICY Google DNS Over HTTPS Certificate Inbound (policy.rules)
2838110 - ETPRO POLICY Observed Google DNS over HTTPS Domain (dns .google .com in TLS SNI) (policy.rules)
2838907 - ETPRO POLICY Observed DNS over HTTPS Domain (doh .securedns .eu in TLS SNI) (policy.rules)
2838927 - ETPRO POLICY SecureDNS .eu DNS Over HTTPS Certificate Inbound (policy.rules)
2844697 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .hostux .net) (policy.rules)
2844698 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .dns-over-https .com) (policy.rules)
2844699 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (uncensored .lux1 .dns .nixnet .xyz) (policy.rules)
2844700 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .rubyfish .cn) (policy.rules)
2844701 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .twnic .tw) (policy.rules)
2844702 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh .centraleu .pi-dns .com) (policy.rules)
2844703 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh .dns .sb) (policy.rules)
2844704 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh-fi .blahdns .com) (policy.rules)
2844705 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (fi .doh .dns .snopyta .org) (policy.rules)
2844706 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .flatuslifir .is) (policy.rules)
2844707 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh .li) (policy.rules)
2844708 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .digitale-gesellschaft .ch) (policy.rules)
2845027 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .cleanbrowsing .org) (policy.rules)
2845028 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns .dnsoverhttps .net) (policy.rules)
2845029 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .crypto .sx) (policy.rules)
2845030 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .powerdns .org) (policy.rules)
2845031 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh-jp .blahdns .com) (policy.rules)
2845032 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns .dns-over-https .com) (policy.rules)
2845033 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns9 .quad9 .net) (policy.rules)
2845034 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns10 .quad9 .net) (policy.rules)
2845035 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .dnswarden .com) (policy.rules)
2845036 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .captnemo .in) (policy.rules)
2845037 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .tiar .app) (policy.rules)
2845038 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .xfinity .com) (policy.rules)
2851058 - ETPRO POLICY Observed Google DNS over HTTPS Domain (dns .google in TLS SNI) (policy.rules)