[***] Summary: [***]

18 new OPEN, 25 new PRO (18 + 7). Linux/B1txor20, VNCStartServer,
Win32/Remcos, Others.

Thanks @SentinelOne, @AmitaiBs3, @hatching_io, @ShadowChasing1, @AhnLab1

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035523 - ET MALWARE VNCStartServer USR Variant CnC Beacon (malware.rules)
2035524 - ET MALWARE VNCStartServer BOT Variant CnC Beacon (malware.rules)
2035525 - ET MALWARE Win32/Qbot CnC Activity M2 (malware.rules)
2035526 - ET MALWARE Linux/B1txor20 Backdoor Connectivity Check (malware.rules)
2035527 - ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M1 (malware.rules)
2035528 - ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M2 (malware.rules)
2035529 - ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M3 (malware.rules)
2035530 - ET MALWARE Observed Qbot Style SSL Certificate (malware.rules)
2035531 - ET MALWARE TA471/UNC2589 Related Activity (GET) (malware.rules)
2035532 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (runfs .icu) (malware.rules)
2035533 - ET MALWARE Bitter APT Backdoor Related Activity (malware.rules)
2035534 - ET MALWARE DonotGroup Pult Downloader Activity (POST) (malware.rules)
2035535 - ET INFO DNS Query to google .com Non Standard Port (tcp) (info.rules)
2035536 - ET MALWARE Backdoor/Win.Gh0stRAT CnC Exfil (malware.rules)
2035537 - ET USER_AGENTS Observed Malicious User-Agent (CobaltStrike) (user_agents.rules)
2035538 - ET INFO infinityfree .net Domain in DNS Lookup (info.rules)
2035539 - ET PHISHING Successful Generic Credential Phish 2022-03-18 (phishing.rules)
2035540 - ET PHISHING Generic Credential Phish 2022-03-18 (phishing.rules)

Pro:

2851295 - ETPRO MOBILE_MALWARE Android.Trojan.Anubis.n (DNS Lookup) (mobile_malware.rules)
2851296 - ETPRO MOBILE_MALWARE Android.Trojan.Anubis.n (TLS SNI) (mobile_malware.rules)
2851297 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-18 1) (coinminer.rules)
2851298 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-18 2) (coinminer.rules)
2851299 - ETPRO MALWARE Win32/Remcos RAT Checkin 783 (malware.rules)
2851300 - ETPRO MALWARE Win32/Remcos RAT Checkin 784 (malware.rules)
2851301 - ETPRO PHISHING Successful Columbia University Information Technology Service Desk Credential Phish 2022-03-18 (phishing.rules)

[///] Modified active rules: [///]

2016464 - ET MALWARE EMAIL SSL Cert APT1 (malware.rules)
2018477 - ET MALWARE Downloader.Win32.Tesch.A Server CnC Checkin Reply (malware.rules)
2018620 - ET MALWARE Downloader.Win32.Tesch.A Bot Command Checkin 2 (malware.rules)
2020728 - ET MALWARE Possible Adwind/jSocket SSL Cert (assylias.Inc) (malware.rules)
2024285 - ET MALWARE OSX/Proton.B Domain in SNI (malware.rules)
2024889 - ET MALWARE OSX/Proton.C/D Domain (eltima .in in TLS SNI) (malware.rules)
2024891 - ET MALWARE OSX/Proton.C/D Domain (handbrakestore .com in TLS SNI) (malware.rules)
2024893 - ET MALWARE OSX/Proton.C/D Domain (handbrake .cc in TLS SNI) (malware.rules)
2033109 - ET MALWARE ELF/Facefish Empty Payload (set) (malware.rules)
2033110 - ET MALWARE ELF/Facefish Server Response (201) (malware.rules)
2033111 - ET MALWARE ELF/Facefish Client Response (202) (malware.rules)
2033112 - ET MALWARE ELF/Facefish Session Closing (400) (malware.rules)
2035468 - ET MALWARE Observed TA471/UNC2589 Go Downloader User-Agent (-hubot-) (malware.rules)
2035472 - ET INFO Non Standard Port DNS Query to google .com (udp) (info.rules)

[///] Modified inactive rules: [///]

2018624 - ET MALWARE Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port) (malware.rules)

[---] Disabled and modified rules: [---]

2019832 - ET MALWARE Possible Dyre SSL Cert (fake org name) (malware.rules)

[---] Removed rules: [---]

2834895 - ETPRO MALWARE Observed Qbot Style SSL Certificate (malware.rules)
2839392 - ETPRO MALWARE VNCStartServer USR Variant CnC Beacon (malware.rules)
2839393 - ETPRO MALWARE VNCStartServer BOT Variant CnC Beacon (malware.rules)
2845945 - ETPRO MALWARE Win32/Qbot CnC Activity M2 (malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team