[***] Summary: [***]

7 new OPEN, 22 new PRO (7 + 15). More HermeticWizard and MuddyWater APT
coverage, plus various phishing and CVE rules.

Thanks @TalosSecurity, @ThreatFabric, @3xp0rtblog

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035423 - ET TROJAN HermeticWizard - WMI Spreader - File Copy via
SMB1 (NT Create AndX Request) (trojan.rules)
2035424 - ET TROJAN HermeticWizard - File Copy via SMB (trojan.rules)
2035425 - ET TROJAN MuddyWater APT Related Activity (POST) (trojan.rules)
2035426 - ET TROJAN MuddyWater APT Related Activity (GET) (trojan.rules)
2035427 - ET TROJAN HermeticWizard - SMB Spreader - Remote Process
Creation (trojan.rules)
2035428 - ET TROJAN HermeticWizard - WMI Spreader - Remote Process
Creation M2 (trojan.rules)
2035429 - ET EXPLOIT Possible Oracle Access Manager RCE Attempt
(CVE-2021-35587) (exploit.rules)

Pro:

2851218 - ETPRO MOBILE_MALWARE Android.BankBot.11270 (DNS Lookup)
(mobile_malware.rules)
2851219 - ETPRO MOBILE_MALWARE Android.BankBot.11270 (TLS SNI)
(mobile_malware.rules)
2851220 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.GWO
Checkin (mobile_malware.rules)
2851221 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-03-10 1) (trojan.rules)
2851222 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-03-10 2) (trojan.rules)
2851223 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-03-10 3) (trojan.rules)
2851224 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-03-10 4) (trojan.rules)
2851225 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-03-10 5) (trojan.rules)
2851226 - ETPRO INFO POST to Discord via Curl (info.rules)
2851227 - ETPRO TROJAN Observed Malicious Discord Usage via Curl
(POST) (trojan.rules)
2851229 - ETPRO CURRENT_EVENTS Successful Generic Phish 2022-03-10
(current_events.rules)
2851230 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish
2022-03-10 (current_events.rules)
2851232 - ETPRO TROJAN Browser Data Exfil Via Telegram (trojan.rules)
2851233 - ETPRO TROJAN YouTube Profile Exfil Via Telegram (trojan.rules)
2851234 - ETPRO TROJAN Crypto Wallet Exfil Via Telegram (trojan.rules)

[///] Modified active rules: [///]

2014363 - ET TROJAN Lookup of Algorithm Generated Zeus CnC Domain
(DGA) (trojan.rules)
2035417 - ET TROJAN HermeticWizard - WMI Spreader - File Copy via
SMB2 (NT Create AndX Request) (trojan.rules)
2035418 - ET TROJAN HermeticWizard - WMI Spreader - Remote Process
Creation M1 (trojan.rules)
2035421 - ET TROJAN Win32/ArmyOfUkraine Bot Activity (trojan.rules)
2824801 - ETPRO TROJAN Lets Encrypt Free SSL Cert Observed in
Possible Paypal Phishing (trojan.rules)
