[***] Summary: [***]
12 new OPEN, 31 new PRO (12 + 19). CVE-2022-25064, CVE-2022-24112,
Win32/44Caliber, Ghostwriter, Others.
Thanks @c3rb3ru5d3d53c, @500mk500, @nstarke, @360Netlab, @sirpedrotavares
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2035455 - ET EXPLOIT TP-LINK TL-WR840N RCE Inbound (CVE-2022-25064)
(exploit.rules)
2035456 - ET TROJAN Win32/Webdor.NAC Variant CnC Activity (trojan.rules)
2035457 - ET TROJAN Ghostwriter/UNC1151 Related Domain in DNS Lookup
(trojan.rules)
2035458 - ET TROJAN Linux/B1txor20 Backdoor Related Domain in DNS Lookup
(trojan.rules)
2035459 - ET TROJAN MSIL/TrojanDownloader.Agent.KUO CnC Activity M1
(trojan.rules)
2035460 - ET TROJAN MSIL/TrojanDownloader.Agent.KUO CnC Activity M2
(trojan.rules)
2035461 - ET INFO Tor Proxy Domain in DNS Lookup (onion .pet) (info.rules)
2035462 - ET CURRENT_EVENTS Generic Credential Phish Redirection
2022-03-14 (current_events.rules)
2035463 - ET INFO Observed Discord Domain (discord .com in TLS SNI)
(info.rules)
2035464 - ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
(info.rules)
2035465 - ET INFO Observed Discord Domain in DNS Lookup (discord .com)
(info.rules)
2035466 - ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
(info.rules)
Pro:
2849880 - ETPRO INFO JavaScript Array Index Obfuscation Technique Inbound
(info.rules)
2851245 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-03-15 1) (trojan.rules)
2851246 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-03-15 2) (trojan.rules)
2851247 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-03-15 3) (trojan.rules)
2851248 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-03-15 4) (trojan.rules)
2851249 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-03-15 5) (trojan.rules)
2851250 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2022-03-15 6) (trojan.rules)
2851251 - ETPRO EXPLOIT Apache APISIX <2.12.1 RCE Inbound
(CVE-2022-24112) (exploit.rules)
2851252 - ETPRO TROJAN Observed MSIL/BlackGuard User-Agent (Y29va2llcw==)
(trojan.rules)
2851253 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
2851254 - ETPRO TROJAN Win32/44Caliber Stealer Discord Activity (POST)
(trojan.rules)
[///] Modified active rules: [///]
2014756 - ET POLICY Logmein.com/Join.me SSL Remote Control Access
(policy.rules)
2016806 - ET INFO Tor2Web .onion Proxy Service SSL Cert (1) (info.rules)
2017816 - ET TROJAN Possible Upatre Downloader SSL certificate
(trojan.rules)
2020084 - ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound
(attack_response.rules)
2023931 - ET TROJAN APT29 Cache_DLL SSL Cert (trojan.rules)
2032962 - ET EXPLOIT Windows HTTP Protocol Stack UAF/RCE
(CVE-2021-31166), http.sys DOS (CVE-2022-21907) Inbound (exploit.rules)
2035397 - ET TROJAN MSIL/BlackGuard Stealer Variant Exfil via Telegram
(trojan.rules)
2035418 - ET TROJAN HermeticWizard - WMI Spreader - Remote Process
Creation M1 (trojan.rules)
2035451 - ET TROJAN Ghostwriter/UNC1151 Related Domain in DNS Lookup
(tvasahi .online) (trojan.rules)
2842961 - ETPRO CURRENT_EVENTS Successful Fortuneo Banque Phish
2020-06-10 (current_events.rules)
[---] Removed rules: [---]
2849880 - ETPRO ATTACK_RESPONSE JavaScript Array Index Obfuscation
Technique Inbound (attack_response.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team