Daily Ruleset Update Summary 2022/02/09

Daily Ruleset Update Summary

[***] Summary: [***]

29 new OPEN, 87 new PRO (29 + 58). Various DNS over HTTPS, DangerousPassword APT, Gamaredon, sLoad

Thanks: @h2jazi, @shadowchasing1, @cyberoverdrive, @IntezerLabs, @JAMESWT_MHT

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback.

[+++] Added rules: [+++]

Open:

2025980 - ET INFO TRR DNS over HTTPS detected (info.rules)

2027671 - ET INFO Cloudflare DNS Over HTTPS Certificate Inbound (info.rules)

2027695 - ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) (info.rules)

2034912 - ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI) (info.rules)

2035125 - ET INFO Applied Privacy DNS over HTTPS Certificate Inbound (info.rules)

2035126 - ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound (info.rules)

2035151 - ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound (info.rules)

2035152 - ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound (info.rules)

2035153 - ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound (info.rules)

2035154 - ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound (info.rules)

2035155 - ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound (info.rules)

2035156 - ET INFO Keweon Center DNS Over HTTPS Certificate Inbound (info.rules)

2035157 - ET INFO Keweon Center DNS Over HTTPS Certificate Inbound (info.rules)

2035158 - ET TROJAN DangerousPassword APT Related Domain in DNS Lookup (shopapptech .com) (trojan.rules)

2035159 - ET TROJAN Observed DangerousPassword APT Related Domain (shopapptech .com in TLS SNI) (trojan.rules)

2035160 - ET TROJAN Observed DangerousPassword APT Related Domain (shopapppro .com in TLS SNI) (trojan.rules)

2035161 - ET TROJAN DangerousPassword APT Related Domain in DNS Lookup (shopapppro .com) (trojan.rules)

2035162 - ET TROJAN DangerousPassword APT Related Domain in DNS Lookup (www .datacentre .center) (trojan.rules)

2035163 - ET TROJAN Observed DangerousPassword APT Related Domain (datacentre .center in TLS SNI) (trojan.rules)

2035164 - ET TROJAN sLoad Related CnC Domain in DNS Lookup (angedionisu .eu) (trojan.rules)

2035165 - ET TROJAN Observed sLoad Related Domain (angedionisu .eu in TLS SNI) (trojan.rules)

2035166 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)

2035167 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)

2035168 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)

2035169 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)

2035170 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)

2035171 - ET TROJAN Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)

2035172 - ET TROJAN Gamaredon CnC Domain in DNS Lookup (trojan.rules)

2035173 - ET INFO Commonly Abused Github-like Site (codeberg .org in DNS Lookup) (info.rules)

Pro:

2807926 - ETPRO INFO Possible UltraVNC Usage Detected (info.rules)

2838109 - ETPRO INFO Google DNS Over HTTPS Certificate Inbound (info.rules)

2838110 - ETPRO INFO Observed Google DNS over HTTPS Domain (dns .google .com in TLS SNI) (info.rules)

2838907 - ETPRO INFO Observed DNS over HTTPS Domain (doh .securedns .eu in TLS SNI) (info.rules)

2838927 - ETPRO INFO SecureDNS .eu DNS Over HTTPS Certificate Inbound (info.rules)

2844697 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (dns .hostux .net) (info.rules)

2844698 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (dns .dns-over-https .com) (info.rules)

2844699 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (uncensored .lux1 .dns .nixnet .xyz) (info.rules)

2844700 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (dns .rubyfish .cn) (info.rules)

2844701 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (dns .twnic .tw) (info.rules)

2844702 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (doh .centraleu .pi-dns .com) (info.rules)

2844703 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (doh .dns .sb) (info.rules)

2844705 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (fi .doh .dns .snopyta .org) (info.rules)

2844706 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (dns .flatuslifir .is) (info.rules)

2844707 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (doh .li) (info.rules)

2844708 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (dns .digitale-gesellschaft .ch) (info.rules)

2845027 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (doh .cleanbrowsing .org) (info.rules)

2845028 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (dns .dnsoverhttps .net) (info.rules)

2845029 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (doh .crypto .sx) (info.rules)

2845030 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (doh .powerdns .org) (info.rules)

2845032 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (dns .dns-over-https .com) (info.rules)

2845033 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (dns9 .quad9 .net) (info.rules)

2845034 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (dns10 .quad9 .net) (info.rules)

2845035 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (doh .dnswarden .com) (info.rules)

2845036 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (doh .captnemo .in) (info.rules)

2845037 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (doh .tiar .app) (info.rules)

2845038 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (doh .xfinity .com) (info.rules)

2851058 - ETPRO INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI) (info.rules)

2851063 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (free .bravedns .com) (info.rules)

2851064 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (zero .bravedns .com) (info.rules)

2851065 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (basic .rethinkdns .com) (info.rules)

2851066 - ETPRO INFO BlahDNS DNS Over HTTPS Certificate Inbound (info.rules)

2851067 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (.blahdns .com) (info.rules)

2851068 - ETPRO INFO DigitalCourage DNS Over HTTPS Certificate Inbound (info.rules)

2851069 - ETPRO INFO DigitalCourage DNS Over HTTPS Certificate Inbound (info.rules)

2851070 - ETPRO INFO AdGuard DNS Over HTTPS Certificate Inbound (info.rules)

2851071 - ETPRO TROJAN Win32/Remcos RAT Checkin 771 (trojan.rules)

2851078 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish 2022-02-09 (current_events.rules)

2851079 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish 2022-02-09 (current_events.rules)

2851080 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish 2022-02-09 (current_events.rules)

2851081 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 1) (trojan.rules)

2851082 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 2) (trojan.rules)

2851083 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 3) (trojan.rules)

2851084 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 4) (trojan.rules)

2851085 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 5) (trojan.rules)

2851086 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 6) (trojan.rules)

2851087 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 7) (trojan.rules)

2851088 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 8) (trojan.rules)

2851089 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 9) (trojan.rules)

2851090 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 10) (trojan.rules)

2851091 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 11) (trojan.rules)

2851092 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-09 12) (trojan.rules)

[///] Modified active rules: [///]

2033203 - ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) (trojan.rules)

2033204 - ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) (trojan.rules)

2035135 - ET TROJAN Observed Maldoc Domain (travelcrimea .info in TLS SNI) (trojan.rules)

2803810 - ETPRO TROJAN Win32/Unruy.R Checkin (trojan.rules)

2822391 - ETPRO TROJAN Possible Ursnif/Gamaredon Related VNC Module CnC Beacon (trojan.rules)

[---] Removed rules: [---]

2025980 - ET POLICY TRR DNS over HTTPS detected (policy.rules)

2027671 - ET POLICY Cloudflare DNS Over HTTPS Certificate Inbound (policy.rules)

2027695 - ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) (policy.rules)

2034912 - ET POLICY Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI) (policy.rules)

2035125 - ET POLICY Applied Privacy DNS over HTTPS Certificate Inbound (policy.rules)

2035126 - ET POLICY UncensoredDNS DNS Over HTTPS Certificate Inbound (policy.rules)

2807926 - ETPRO POLICY Possible UltraVNC Usage Detected (policy.rules)

2838109 - ETPRO POLICY Google DNS Over HTTPS Certificate Inbound (policy.rules)

2838110 - ETPRO POLICY Observed Google DNS over HTTPS Domain (dns .google .com in TLS SNI) (policy.rules)

2838907 - ETPRO POLICY Observed DNS over HTTPS Domain (doh .securedns .eu in TLS SNI) (policy.rules)

2838927 - ETPRO POLICY SecureDNS .eu DNS Over HTTPS Certificate Inbound (policy.rules)

2844697 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .hostux .net) (policy.rules)

2844698 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .dns-over-https .com) (policy.rules)

2844699 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (uncensored .lux1 .dns .nixnet .xyz) (policy.rules)

2844700 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .rubyfish .cn) (policy.rules)

2844701 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .twnic .tw) (policy.rules)

2844702 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh .centraleu .pi-dns .com) (policy.rules)

2844703 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh .dns .sb) (policy.rules)

2844704 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh-fi .blahdns .com) (policy.rules)

2844705 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (fi .doh .dns .snopyta .org) (policy.rules)

2844706 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .flatuslifir .is) (policy.rules)

2844707 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (doh .li) (policy.rules)

2844708 - ETPRO POLICY Observed DNS over HTTPS Domain in TLS SNI (dns .digitale-gesellschaft .ch) (policy.rules)

2845027 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .cleanbrowsing .org) (policy.rules)

2845028 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns .dnsoverhttps .net) (policy.rules)

2845029 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .crypto .sx) (policy.rules)

2845030 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .powerdns .org) (policy.rules)

2845031 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh-jp .blahdns .com) (policy.rules)

2845032 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns .dns-over-https .com) (policy.rules)

2845033 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns9 .quad9 .net) (policy.rules)

2845034 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (dns10 .quad9 .net) (policy.rules)

2845035 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .dnswarden .com) (policy.rules)

2845036 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .captnemo .in) (policy.rules)

2845037 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .tiar .app) (policy.rules)

2845038 - ETPRO POLICY Observed DNS Over HTTPS Domain in TLS SNI (doh .xfinity .com) (policy.rules)

2851058 - ETPRO POLICY Observed Google DNS over HTTPS Domain (dns .google in TLS SNI) (policy.rules)

Date:

Wednesday, February 9, 2022

Summary title:

29 new OPEN, 87 new PRO (29 + 58). Various DNS over HTTPS, DangerousPassword APT, Gamaredon, sLoad