[***] Summary: [***]

18 new OPEN, 20 new PRO (18 + 2) Additional Zerologon Post Compromise
Signature, Gamaredon APT sigs, PlugX, TA445 Spearphishing Domains and
Coinminers.

Thanks @500mk500

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035285 - ET EXPLOIT CreateService via SMB to
Reset-ComputerMachinePassword - Observed Post Zerologon Activity
(exploit.rules)
2035286 - ET TROJAN Buhtrap SourSnack Domain in DNS Lookup (widget
.forum-pokemon .com) (trojan.rules)
2035287 - ET EXPLOIT Suspicious SVCCTL CreateService Command via SMB -
Observed Zerologon Post Compromise Activity (exploit.rules)
2035288 - ET TROJAN Gamaredon APT Related Activity (GET) (trojan.rules)
2035289 - ET TROJAN Gamaredon APT Related Activity (POST) (trojan.rules)
2035290 - ET TROJAN Malicious lnk Downloader Activity (GET) (trojan.rules)
2035291 - ET TROJAN Malicious Downloader Activity (GET) (trojan.rules)
2035292 - ET TROJAN Suspected PlugX Checkin Activity (GET) (trojan.rules)
2035293 - ET TROJAN PlugX Activity (POST) (trojan.rules)
2035294 - ET CURRENT_EVENTS Generic Credential Phish Landing Page
2022-02-25 (current_events.rules)
2035295 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain
in DNS Lookup (id .bigmir .space) (current_events.rules)
2035296 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain
in DNS Lookup (aplikacje .ron-mil .space) (current_events.rules)
2035297 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain
in DNS Lookup (i .ua-passport .space) (current_events.rules)
2035298 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain
in DNS Lookup (akademia-mil .space) (current_events.rules)
2035299 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain
(akademia-mil .space in TLS SNI) (current_events.rules)
2035300 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain
(aplikacje .ron-mil .space in TLS SNI) (current_events.rules)
2035301 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain
(id .bigmir .space in TLS SNI) (current_events.rules)
2035302 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain
(i .ua-passport .space in TLS SNI) (current_events.rules)

Pro:

2851167 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-02-25 1) (trojan.rules)
2851168 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-02-25 2) (trojan.rules)

[///] Modified active rules: [///]

2843894 - ETPRO TROJAN TAIDOOR APT RAT CnC (trojan.rules)

[---] Removed rules: [---]

2851163 - ETPRO EXPLOIT CreateService via SMB to
Reset-ComputerMachinePassword - Observed Post Zerologon Activity
(exploit.rules)
