[***] Summary: [***]

14 new OPEN, 20 new PRO (14 + 6). Cobalt Strike, CVE-2022-23131, Kimsuky, Gamaredon, Various Phish, CVE-2022-22947, CoinMiners

Thanks @TheDFIRReport, @Unit42_Intel, @cyber__sloth, @500mk500

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback.

Please note there will be no release on Friday, 3/4 due to a company-planned PTO holiday.

[+++] Added rules: [+++]

Open:

2035370 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)

2035371 - ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SAML Auth Bypass (CVE-2022-23131) M1 (exploit.rules)

2035372 - ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SAML Auth Bypass (CVE-2022-23131) M2 (exploit.rules)

2035373 - ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SAML Auth Bypass (CVE-2022-23131) M3 (exploit.rules)

2035374 - ET TROJAN Kimsuky APT BabyShark Related Domain in DNS Lookup (worldinfocontact .club) (trojan.rules)

2035375 - ET TROJAN Suspected Gamaredon APT Related Maldoc Activity (GET) (trojan.rules)

2035376 - ET TROJAN Cobalt Strike Activity (POST) (trojan.rules)

2035377 - ET CURRENT_EVENTS Successful Generic Credential Phish Landing Page 2022-03-02 (current_events.rules)

2035378 - ET CURRENT_EVENTS Successful Royal Bank of Canada Credential Phish 2022-03-02 (current_events.rules)

2035379 - ET CURRENT_EVENTS Successful Generic Credential Phish 2022-03-02 (current_events.rules)

2035380 - ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-22947) (set) (exploit.rules)

2035381 - ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-22947) (exploit.rules)

2035382 - ET TROJAN Observed DangerousPassword APT Related Domain (cop .osonlines .co in TLS SNI) (trojan.rules)

2035383 - ET TROJAN DangerousPassword APT Related Domain in DNS Lookup (trojan.rules)

Pro:

2851181 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-03-02 1) (trojan.rules)

2851182 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-03-02 2) (trojan.rules)

2851183 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2022-03-02 3) (trojan.rules)

2851184 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)

2851185 - ETPRO INFO Observed CheckMal AV/Anti-Ransomware Domain (www .checkmal .com in TLS SNI) (info.rules)

2851186 - ETPRO INFO Win32/AppCheck Application Retrieving Updates (GET) (info.rules)

[///] Modified active rules: [///]

2018979 - ET TROJAN Miras C2 Activity (trojan.rules)

2035365 - ET TROJAN Win32/Backdoor.Daxin CnC Activity (trojan.rules)

[---] Removed rules: [---]

2017281 - ET TROJAN Trojan-Ransom.Win32.Blocker.bjat (trojan.rules)
