[***] Summary: [***]
7 new OPEN, 13 new PRO (7 + 6) Scarab APT, Sidecopy, Gamaredon, Win32/Pterodo, and various Coinminer rules.
Thanks @h2jazo, @0xrb, @bofheaded, @500mk500
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2035555 - ET HUNTING Possible Fake Edu Host with __test Cookie (hunting.rules)
2035556 - ET MALWARE Arid Gopher Related User-Agent (aimxxhwpcc) (malware.rules)
2035557 - ET MALWARE Scarab APT Related Domain in DNS Lookup (malware.rules)
2035558 - ET MALWARE Sidecopy APT Backdoor Related Activity (POST) (malware.rules)
2035559 - ET MALWARE Sidecopy APT Backdoor Related Domain in DNS Lookup (kokotech .xyz) (malware.rules)
2035560 - ET MALWARE Win32/Pterodo Activity (POST) (malware.rules)
2035561 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
Pro:
2851308 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-22 1) (coinminer.rules)
2851309 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-22 2) (coinminer.rules)
2851310 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-22 3) (coinminer.rules)
2851311 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-22 4) (coinminer.rules)
2851312 - ETPRO MALWARE Win32/Remcos RAT Checkin 785 (malware.rules)
2851313 - ETPRO MALWARE VBS/TrojanDownloader.Agent.WVY Obfuscated ShellExecute Command (SilentlyContinue) (malware.rules)
[///] Modified active rules: [///]
2016445 - ET MALWARE SWORD Sending Sword Marker (malware.rules)
2016468 - ET MALWARE SUR SSL Cert APT1 (malware.rules)
2020223 - ET MALWARE Known Sinkhole Response abuse.ch (malware.rules)
2020290 - ET MALWARE Possible Upatre or Dyre SSL Cert Jan 22 2015 (malware.rules)
2021289 - ET MALWARE Malicious SSL certificate detected (FindPOS) (malware.rules)
2026773 - ET MALWARE FlawedGrace CnC Activity (malware.rules)
2035512 - ET MALWARE Loki Locker Ransomware Server Response (Public Key) M1 (malware.rules)
2035542 - ET MALWARE AllaKore RAT CnC Checkin (malware.rules)
2035543 - ET MALWARE AllaKore RAT Set Keep-Alive Observed (malware.rules)
2035544 - ET MALWARE AllaKore RAT ID Command Observed (malware.rules)
[///] Modified inactive rules: [///]
2021772 - ET MALWARE Malicious SSL certificate detected (FindPOS) (malware.rules)
2022095 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC) (malware.rules)
2022096 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC) (malware.rules)
2022097 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC) (malware.rules)
2022098 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit) (malware.rules)