[***] Summary: [***]

53 new OPEN, 58 new PRO (53 + 5). PurpleFox, PlugX, Pterodo, TA445 Phishing, CoinMiners

Thanks @h2jazi, @Max_Mal_

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback.

[+++] Added rules: [+++]

Open:

2035303 - ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI) (info.rules)

2035304 - ET INFO Observed URL Shortening Service Domain (0sh .org in TLS SNI) (info.rules)

2035305 - ET INFO Observed URL Shortening Service Domain (prourl .in in TLS SNI) (info.rules)

2035306 - ET INFO Chocolatey Windows Package Management Installation File Retrieval (info.rules)

2035307 - ET TROJAN PurpleFox Backdoor Related Domain in DNS Lookup (qq .c1c .ren) (trojan.rules)

2035308 - ET TROJAN Suspected PlugX Checkin Activity (udp) (trojan.rules)

2035309 - ET TROJAN Win32/Pterodo CnC Activity (GET) (trojan.rules)

2035310 - ET TROJAN Win32/Pterodo CnC Activity (POST) (trojan.rules)

2035311 - ET TROJAN Win32/Pterodo CnC Activity (POST) (trojan.rules)

2035312 - ET TROJAN Wi32/Pterodo CnC Activity (POST) (trojan.rules)

2035313 - ET TROJAN Win32/PurpleFox Related Activity (GET) (trojan.rules)

2035314 - ET USER_AGENTS Suspcious LeakIX User-Agent (l9explore) (user_agents.rules)

2035315 - ET EXPLOIT Linux/Attempted Hosts File Exfil (exploit.rules)

2035316 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (creditals-email .space) (current_events.rules)

2035317 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (ua-passport .space) (current_events.rules)

2035318 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (mil-gov .space) (current_events.rules)

2035319 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (verify-email .space) (current_events.rules)

2035320 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (weryfikacja-konta .space) (current_events.rules)

2035321 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (konto-verify .space) (current_events.rules)

2035322 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (walidacja-uzytkownika .space) (current_events.rules)

2035323 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (kontrola-poczty .space) (current_events.rules)

2035324 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (weryfikacja-poczty .space) (current_events.rules)

2035325 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (walidacja-poczty .space) (current_events.rules)

2035326 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (bigmir .space) (current_events.rules)

2035327 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (mod-mil .site) (current_events.rules)

2035328 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirrohost .space) (current_events.rules)

2035329 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirohost .online) (current_events.rules)

2035330 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (meta-ua .space) (current_events.rules)

2035331 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (mod-mil .online) (current_events.rules)

2035332 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (kontrola-poczty .site) (current_events.rules)

2035333 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (creditals-mirohost .space) (current_events.rules)

2035334 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (verify-mail .space) (current_events.rules)

2035335 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirohost .site) (current_events.rules)

2035336 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (creditals-email .space in TLS SNI) (current_events.rules)

2035337 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (ua-passport .space in TLS SNI) (current_events.rules)

2035338 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (mil-gov .space in TLS SNI) (current_events.rules)

2035339 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (verify-email .space in TLS SNI) (current_events.rules)

2035340 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (weryfikacja-konta .space in TLS SNI) (current_events.rules)

2035341 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (konto-verify .space in TLS SNI) (current_events.rules)

2035342 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (walidacja-uzytkownika .space in TLS SNI) (current_events.rules)

2035343 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (kontrola-poczty .space in TLS SNI) (current_events.rules)

2035344 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (weryfikacja-poczty .space in TLS SNI) (current_events.rules)

2035345 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (walidacja-poczty .space in TLS SNI) (current_events.rules)

2035346 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (bigmir .space in TLS SNI) (current_events.rules)

2035347 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (mod-mil .site in TLS SNI) (current_events.rules)

2035348 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (mirrohost .space in TLS SNI) (current_events.rules)

2035349 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (mirohost .online in TLS SNI) (current_events.rules)

2035350 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (meta-ua .space in TLS SNI) (current_events.rules)

2035351 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (mod-mil .online in TLS SNI) (current_events.rules)

2035352 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (kontrola-poczty .site in TLS SNI) (current_events.rules)

2035353 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (creditals-mirohost .space in TLS SNI) (current_events.rules)

2035354 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (verify-mail .space in TLS SNI) (current_events.rules)

2035355 - ET CURRENT_EVENTS Suspected TA445 Spearphishing Related Domain (mirohost .site in TLS SNI) (current_events.rules)

Pro:

2851169 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-26 1) (trojan.rules)

2851170 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-02-26 2) (trojan.rules)

[///] Modified active rules: [///]

2013298 - ET POLICY Nessus Server SSL certificate detected (policy.rules)

2013659 - ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit) (policy.rules)

2014617 - ET POLICY Cisco IOS Self Signed Certificate Served to External Host (policy.rules)

2030183 - ET TROJAN BigLock Ransomware CnC Activity (gen) (trojan.rules)

2031194 - ET TROJAN Suspected Snugy DNS Backdoor CnC Activity (Hostname Send) (trojan.rules)

2032218 - ET TROJAN Trickbot Checkin Response (trojan.rules)

2034219 - ET TROJAN Win32/Agent.UHC CnC Activity (trojan.rules)
