[***] Summary: [***]

14 new OPEN, 20 new PRO (14 + 6) AllaKore RAT, Arid Gopher, Mustang
Panda, StrongPity and Various CoinMiners.

Thanks @Unit42_Intel, @DeepInstinctSec, @h2jazi, @HONKONE_K and
@malwareforme

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035541 - ET MALWARE StrongPity Host Checkin (malware.rules)
2035542 - ET MALWARE AllaKore RAT CnC Checkin (malware.rules)
2035543 - ET MALWARE AllaKore RAT Set Keep-Alive Observed (malware.rules)
2035544 - ET MALWARE AllaKore RAT ID Command Observed (malware.rules)
2035545 - ET MALWARE Lazarus APT Related Maldoc Activity (GET)
(malware.rules)
2035546 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
2035547 - ET MALWARE Cobalt Strike Related Activity (POST) (malware.rules)
2035548 - ET MALWARE Arid Gopher Related Domain in DNS Lookup
(grace-fraser .site) (malware.rules)
2035549 - ET MALWARE Arid Gopher Related Domain in DNS Lookup (pam-beesly
.site) (malware.rules)
2035550 - ET MALWARE Arid Gopher Related Domain in DNS Lookup
(mozelllittel .com) (malware.rules)
2035551 - ET MALWARE Suspected Mustang Panda APT Related Activity (GET)
(malware.rules)
2035552 - ET MALWARE Suspected Mustang Panda APT Related Activity (GET)
(malware.rules)
2035553 - ET MALWARE StrongPity APT Related Domain in DNS Lookup
(sessionprotocol .com) (malware.rules)
2035554 - ET INFO Observed testcookie-nginx-module (info.rules)

Pro:

2851302 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-03-19 1) (coinminer.rules)
2851303 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-03-19 2) (coinminer.rules)
2851304 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-03-19 3) (coinminer.rules)
2851305 - ETPRO HUNTING Suspicious User-Agent - No space after Mozilla
version (hunting.rules)
2851306 - ETPRO MALWARE MudFix Checkin (malware.rules)
2851307 - ETPRO MALWARE MSIL/Agent.DTZ CnC Activity (malware.rules)

[///] Modified active rules: [///]

2016462 - ET MALWARE Fake Virtually SSL Cert APT1 (malware.rules)
2016463 - ET MALWARE Fake IBM SSL Cert APT1 (malware.rules)
2016464 - ET MALWARE EMAIL SSL Cert APT1 (malware.rules)
2016465 - ET MALWARE LAME SSL Cert APT1 (malware.rules)
2016466 - ET MALWARE NS SSL Cert APT1 (malware.rules)
2016469 - ET MALWARE FAKE AOL SSL Cert APT1 (malware.rules)
2016470 - ET MALWARE FAKE YAHOO SSL Cert APT1 (malware.rules)
2018457 - ET MALWARE Possible Upatre Downloader SSL certificate (fake
loc) (malware.rules)
2018610 - ET MALWARE Likely CryptoWall .onion Proxy domain in SNI
(malware.rules)
2019833 - ET MALWARE Possible Dyre SSL Cert (fake state) (malware.rules)
2020289 - ET MALWARE Possible Dyre SSL Cert Jan 22 2015 (malware.rules)
2020974 - ET MALWARE CozyDuke APT Possible SSL Cert 8 (malware.rules)
2035468 - ET MALWARE Observed TA471/UNC2589 Go Downloader User-Agent
(-hobot-) (malware.rules)

[---] Disabled and modified rules: [---]

2021743 - ET MALWARE Possible Dyre SSL Cert Sept 2 2015 (malware.rules)

[---] Removed rules: [---]

2840663 - ETPRO MALWARE StrongPity Host Checkin (malware.rules)
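Entries in these summaries wrap across lines and the same message can appear under both Added and Removed when a rule changes feed (compare the StrongPity Host Checkin entries above). The parser below is an added example, not Emerging Threats code: it turns an excerpt of this summary (constructed here from the lines above) into SID/message/rulefile records, re-joins wrapped entries, and pairs a removed ETPRO rule with an added ET rule carrying the same message so local thresholds or suppressions keyed to the old SID can be reviewed. The section labels, record fields and the "migration" interpretation are assumptions of this example.

```python
"""Parse an Emerging Threats daily ruleset summary into structured records.

Added example, not part of the ET summary itself. SAMPLE is a constructed
excerpt of the summary above (with line-wrapped entries kept as they appear);
the section names, feed labels and record shape are this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed excerpt of the summary, including wrapped entries.
SAMPLE = """\
[+++] Added rules: [+++]

Open:

2035541 - ET MALWARE StrongPity Host Checkin (malware.rules)
2035545 - ET MALWARE Lazarus APT Related Maldoc Activity (GET)
(malware.rules)
2035554 - ET INFO Observed testcookie-nginx-module (info.rules)

Pro:

2851302 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-03-19 1) (coinminer.rules)

[///] Modified active rules: [///]

2016462 - ET MALWARE Fake Virtually SSL Cert APT1 (malware.rules)

[---] Disabled and modified rules: [---]

2021743 - ET MALWARE Possible Dyre SSL Cert Sept 2 2015 (malware.rules)

[---] Removed rules: [---]

2840663 - ETPRO MALWARE StrongPity Host Checkin (malware.rules)
"""

SECTION_RE = re.compile(r"^\[[+/\-]{3}\]\s*(.+?):\s*\[[+/\-]{3}\]$")  # [+++] Added rules: [+++]
ENTRY_RE = re.compile(r"^(\d+) - (.*)$")                               # SID - msg ...
RULEFILE_RE = re.compile(r"\s*\(([\w.-]+\.rules)\)\s*$")              # trailing (x.rules)


@dataclass
class RuleChange:
    sid: int
    msg: str
    rulefile: str
    section: str   # e.g. "Added rules", "Removed rules"
    feed: str      # "Open", "Pro", or "" where the summary has no sub-heading


def parse_summary(text: str) -> List[RuleChange]:
    """Walk the summary line by line; an entry is complete once its (x.rules) suffix is seen."""
    records: List[RuleChange] = []
    section, feed = "", ""
    pending = None  # (sid, text accumulated so far) for a possibly wrapped entry

    def flush() -> None:
        nonlocal pending
        if pending is None:
            return
        sid, body = pending
        m = RULEFILE_RE.search(body)
        rulefile = m.group(1) if m else ""
        msg = body[: m.start()].strip() if m else body.strip()
        records.append(RuleChange(sid, msg, rulefile, section, feed))
        pending = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            flush()
            section, feed = m.group(1), ""
            continue
        if line in ("Open:", "Pro:"):
            flush()
            feed = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m:
            flush()
            pending = (int(m.group(1)), m.group(2))
            continue
        if pending is not None:
            pending = (pending[0], pending[1] + " " + line)  # wrapped continuation
    flush()
    return records


def feed_migrations(records: List[RuleChange]) -> List[Tuple[int, int]]:
    """Pair (removed ETPRO sid, added ET sid) sharing the same message minus the ET/ETPRO prefix.

    Assumption of this example: such a pair means the rule moved from the Pro
    feed to the Open feed, so anything referencing the old SID needs updating.
    """
    def key(msg: str) -> str:
        return re.sub(r"^ET(PRO)?\s+", "", msg)

    added = {key(r.msg): r.sid for r in records if r.section == "Added rules"}
    return [(r.sid, added[key(r.msg)]) for r in records
            if r.section == "Removed rules" and key(r.msg) in added]


if __name__ == "__main__":
    for rec in parse_summary(SAMPLE):
        print(f"{rec.sid} [{rec.section}/{rec.feed or '-'}] {rec.rulefile}: {rec.msg}")
    print("feed migrations:", feed_migrations(parse_summary(SAMPLE)))
```

Run it against the full text of a summary to get one record per SID regardless of wrapping; the migration check is the part worth keeping in a ruleset-update pipeline, since a SID that disappears from the Pro feed silently invalidates any local `suppress` or `threshold` entry tied to it.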
