[***] Summary: [***]
16 new OPEN, 36 new PRO (16 + 20). Cobalt Strike, Various Android,
Various Exfiltration Methods, Win32/PlugX, Others.
Thanks @0xrb, @500mk500, @James_inthe_box
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]
Open:
2035467 - ET POLICY Remote Desktop AeroAdmin handshake (policy.rules)
2035468 - ET MALWARE Observed Go Downloader User-Agent (-hubot-)
(malware.rules)
2035469 - ET MALWARE Observed Cobalt Strike CnC Domain in DNS Lookup
(nirsoft .me) (malware.rules)
2035470 - ET MALWARE Observed Cobalt Strike CnC Domain (nirsoft .me in
TLS SNI) (malware.rules)
2035471 - ET MALWARE Win32/44Caliber Stealer Discord Activity (POST)
(malware.rules)
2035472 - ET INFO Non Standard Port DNS Query to google .com (info.rules)
2035473 - ET MALWARE Win32/PlugX Related Activity (malware.rules)
2035474 - ET MALWARE SideCopy APT MargulasRAT Related Activity
(malware.rules)
2035475 - ET INFO imPcRemote Download (info.rules)
2035476 - ET HUNTING PNG image exfiltration over raw TCP (hunting.rules)
2035477 - ET MALWARE rat-test CnC Response (malware.rules)
2035478 - ET HUNTING ZIP file exfiltration over raw TCP (hunting.rules)
2035479 - ET HUNTING RAR file exfiltration over raw TCP (hunting.rules)
2035480 - ET HUNTING PE EXE Download over raw TCP (hunting.rules)
2035481 - ET HUNTING RAR file download over raw TCP (hunting.rules)
2035482 - ET HUNTING ZIP file download over raw TCP (hunting.rules)

Pro:
2851263 - ETPRO MOBILE_MALWARE Android Banker Gorgona (DNS Lookup)
(mobile_malware.rules)
2851264 - ETPRO MOBILE_MALWARE Android Banker Gorgona (TLS SNI)
(mobile_malware.rules)
2851265 - ETPRO MOBILE_MALWARE Android/Spy.Banker.AZQ (DNS Lookup)
(mobile_malware.rules)
2851266 - ETPRO MOBILE_MALWARE Android/Spy.Banker.AZQ (TLS SNI)
(mobile_malware.rules)
2851267 - ETPRO MOBILE_MALWARE Android/Spy.Banker.AZQ (DNS Lookup) 2
(mobile_malware.rules)
2851268 - ETPRO MOBILE_MALWARE Android/Spy.Banker.AZQ (TLS SNI) 2
(mobile_malware.rules)
2851269 - ETPRO MOBILE_MALWARE Android/Spy.Banker.AZQ (DNS Lookup) 3
(mobile_malware.rules)
2851270 - ETPRO MOBILE_MALWARE Android/Spy.Banker.AZQ (TLS SNI) 3
(mobile_malware.rules)
2851271 - ETPRO MOBILE_MALWARE Android/Spy.Banker.AZQ (DNS Lookup) 4
(mobile_malware.rules)
2851272 - ETPRO MOBILE_MALWARE Android/Spy.Banker.AZQ (TLS SNI) 4
(mobile_malware.rules)
2851273 - ETPRO MOBILE_MALWARE Android/Spy.Banker.AZQ (DNS Lookup) 5
(mobile_malware.rules)
2851274 - ETPRO MOBILE_MALWARE Android/Spy.Banker.AZQ (TLS SNI) 5
(mobile_malware.rules)
2851275 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Basdoor.c (DNS Lookup)
(mobile_malware.rules)
2851276 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Basdoor.c (TLS SNI)
(mobile_malware.rules)
2851277 - ETPRO MOBILE_MALWARE Android/Spy.SpyMax.T Checkin
(mobile_malware.rules)
2851278 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-03-16 1) (coinminer.rules)
2851279 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload
Request (power.txt) (malware.rules)
2851280 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload
Request (kill.txt) (malware.rules)
2851281 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload
Request (uninstall.txt) (malware.rules)
2851282 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload
Request (download.txt) (malware.rules)

[///] Modified active rules: [///]
2018364 - ET HUNTING SUSPICIOUS OVH Shared Host SSL Certificate (Observed
In Use by Some Trojans) (hunting.rules)
2021432 - ET MALWARE Possible Dyre SSL Cert M1 (L O) (malware.rules)
2021433 - ET MALWARE Possible Dyre SSL Cert M2 (L CN) (malware.rules)
2021434 - ET MALWARE Possible Dyre SSL Cert M3 (O CN) (malware.rules)
2030962 - ET MALWARE Observed FinSpy Domain (browserupdate .download in
TLS SNI) (malware.rules)
2031205 - ET MALWARE Observed Card Skimmer CnC Domain in TLS SNI
(malware.rules)
2031362 - ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain
(thedoccloud .com in TLS SNI) (malware.rules)
2031363 - ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain
(incomeudpate .com in TLS SNI) (malware.rules)
2031364 - ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain
(panhardware .com in TLS SNI) (malware.rules)
2031365 - ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain
(freescanonline .com in TLS SNI) (malware.rules)
2031366 - ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain
(databasegalore .com in TLS SNI) (malware.rules)
2031367 - ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain
(highdatabase .com in TLS SNI) (malware.rules)
2031368 - ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain
(websitetheme .com in TLS SNI) (malware.rules)
2031369 - ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain
(zupertech .com in TLS SNI) (malware.rules)
2031370 - ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain
(deftsecurity .com in TLS SNI) (malware.rules)
2031393 - ET MALWARE Dark Halo/SUNBURST CnC Domain (solartrackingsystem
.net in TLS SNI) (malware.rules)
2031394 - ET MALWARE Dark Halo/SUNBURST CnC Domain (webcodez .com in TLS
SNI) (malware.rules)
2031395 - ET MALWARE Dark Halo/SUNBURST CnC Domain (lcomputers .com in
TLS SNI) (malware.rules)
2031396 - ET MALWARE Dark Halo/SUNBURST CnC Domain (seobundlekit .com in
TLS SNI) (malware.rules)
2031397 - ET MALWARE Dark Halo/SUNBURST CnC Domain (kubecloud .com in TLS
SNI) (malware.rules)
2031398 - ET MALWARE Dark Halo/SUNBURST CnC Domain (globalnetworkissues
.com in TLS SNI) (malware.rules)
2031439 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI
(img565vv6 .holdmydoor .com) (mobile_malware.rules)
2031440 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI
(crashparadox .net) (mobile_malware.rules)
2031441 - ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI
(f15fwd322 .regularhours .net) (mobile_malware.rules)
2033651 - ET MALWARE Observed SSV Agent CnC Domain (edgecloudc .com in
TLS SNI) (malware.rules)
2033652 - ET MALWARE Observed SSV Agent CnC Domain (be-government .com in
TLS SNI) (malware.rules)
2033653 - ET MALWARE Observed SSV Agent CnC Domain (gitcloudcache .com in
TLS SNI) (malware.rules)
2033654 - ET MALWARE Observed SSV Agent CnC Domain (hostupoeui .com in
TLS SNI) (malware.rules)
2033655 - ET MALWARE Observed SSV Agent CnC Domain (drmtake .tk in TLS
SNI) (malware.rules)
2033656 - ET MALWARE Observed SSV Agent CnC Domain (rsnet-devel .com in
TLS SNI) (malware.rules)
2033657 - ET MALWARE Observed SSV Agent CnC Domain (flushcdn .com in TLS
SNI) (malware.rules)
2033865 - ET MALWARE Observed Pegasus Domain (api1r3f4 .redirectweburl
.com in TLS SNI) (malware.rules)
2034441 - ET MALWARE Observed Compromised Domain (cryptoarenastore .com
in TLS SNI) (2021-11-12) (malware.rules)
2034506 - ET POLICY Burp Collaborator Domain in TLS SNI (policy.rules)
2035299 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(akademia-mil .space in TLS SNI) (phishing.rules)
2035300 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(aplikacje .ron-mil .space in TLS SNI) (phishing.rules)
2035301 - ET PHISHING Suspected TA445 Spearphishing Related Domain (id
.bigmir .space in TLS SNI) (phishing.rules)
2035302 - ET PHISHING Suspected TA445 Spearphishing Related Domain (i
.ua-passport .space in TLS SNI) (phishing.rules)
2035336 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(creditals-email .space in TLS SNI) (phishing.rules)
2035337 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(ua-passport .space in TLS SNI) (phishing.rules)
2035338 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(mil-gov .space in TLS SNI) (phishing.rules)
2035339 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(verify-email .space in TLS SNI) (phishing.rules)
2035340 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(weryfikacja-konta .space in TLS SNI) (phishing.rules)
2035341 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(konto-verify .space in TLS SNI) (phishing.rules)
2035342 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(walidacja-uzytkownika .space in TLS SNI) (phishing.rules)
2035343 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(kontrola-poczty .space in TLS SNI) (phishing.rules)
2035344 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(weryfikacja-poczty .space in TLS SNI) (phishing.rules)
2035345 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(walidacja-poczty .space in TLS SNI) (phishing.rules)
2035346 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(bigmir .space in TLS SNI) (phishing.rules)
2035347 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(mod-mil .site in TLS SNI) (phishing.rules)
2035348 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(mirrohost .space in TLS SNI) (phishing.rules)
2035349 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(mirohost .online in TLS SNI) (phishing.rules)
2035350 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(meta-ua .space in TLS SNI) (phishing.rules)
2035351 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(mod-mil .online in TLS SNI) (phishing.rules)
2035352 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(kontrola-poczty .site in TLS SNI) (phishing.rules)
2035353 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(creditals-mirohost .space in TLS SNI) (phishing.rules)
2035354 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(verify-mail .space in TLS SNI) (phishing.rules)
2035355 - ET PHISHING Suspected TA445 Spearphishing Related Domain
(mirohost .site in TLS SNI) (phishing.rules)
2035463 - ET INFO Observed Discord Domain (discord .com in TLS SNI)
(info.rules)
2035464 - ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
(info.rules)
2844798 - ETPRO MALWARE Observed Card Skimmer CnC Domain in TLS SNI
(malware.rules)
2846798 - ETPRO MALWARE Observed Unicorn Stealer CnC Domain in TLS SNI
(malware.rules)

[///] Modified inactive rules: [///]
2019628 - ET MALWARE AnubisNetworks Sinkhole SSL Cert lolcat - specific
IPs (malware.rules)
2020888 - ET INFO invalid.cab domain in SNI (info.rules)

[---] Removed rules: [---]
2851254 - ETPRO MALWARE Win32/44Caliber Stealer Discord Activity (POST)
(malware.rules)

---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team