[***] Summary: [***]

6 new OPEN, 22 new PRO (6 + 16) Kimsuky Exfil, ConPtyShell, Orion
Grabber, and Android/Spy.SmsSpy.TN.

Continued performance improvements to TLS-based rules.

Thanks to @ahnlab.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035562 - ET INFO URL Shortening Service Domain in DNS Lookup
(vtaurl .com) (info.rules)
2035563 - ET INFO Observed URL Shortening Service Domain (vtaurl
.com in TLS SNI) (info.rules)
2035564 - ET MALWARE Kimsuky APT Related Host Data Exfil M4 (malware.rules)
2035565 - ET MALWARE ConPtyShell Client Response (malware.rules)
2035566 - ET MALWARE ConPtyShell Server Command (whoami) (malware.rules)
2035567 - ET MALWARE ConPtyShell Server Close Shell (malware.rules)

Pro:

2851314 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.sm
(DNS Lookup) (mobile_malware.rules)
2851315 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.sm
(TLS SNI) (mobile_malware.rules)
2851316 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.TN (DNS Lookup)
(mobile_malware.rules)
2851317 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.TN (TLS SNI)
(mobile_malware.rules)
2851318 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.sm
Checkin (mobile_malware.rules)
2851319 - ETPRO MALWARE Win32/Orion Grabber/Stealer Related Domain
in DNS Lookup (malware.rules)
2851320 - ETPRO MALWARE Win32/Orion Grabber/Stealer Activity (POST)
(malware.rules)

[///] Modified active rules: [///]

2013295 - ET POLICY Self Signed SSL Certificate (Snake Oil CA) (policy.rules)
2013659 - ET POLICY Self Signed SSL Certificate
(SomeOrganizationalUnit) (policy.rules)
2017015 - ET POLICY DropBox User Content Access over SSL (policy.rules)
2017929 - ET POLICY bridges.torproject.org over TLS with SNI (policy.rules)
2018284 - ET MALWARE Self-Signed Cert Observed in Various Zbot
Strains (malware.rules)
2018879 - ET POLICY onion.cab tor2web .onion Proxy domain in SNI
(policy.rules)
2018892 - ET MALWARE Zbot .onion Proxy domain in SNI Aug 04 2014
(malware.rules)
2019387 - ET POLICY SSL Certificate IRC GEEKS Likely Encrypted IRC
or CnC (policy.rules)
2020493 - ET MALWARE SuperFish Possible SSL Cert Signed By
Compromised Root CA (malware.rules)
2020805 - ET POLICY Remote Access - RView - SSL Certificate Seen
(policy.rules)
2022194 - ET MALWARE Send-Safe Bulk Mailer SSL Cert - Observed in
Spam Campaigns (malware.rules)
2024043 - ET MALWARE Spora Ransomware SSL Certificate Detected (malware.rules)
2024486 - ET MALWARE Shifr Ransomware Malicious Domain in SNI
Observed (malware.rules)
2025387 - ET MALWARE SteamStealer Domain in SNI (malware.rules)
2025388 - ET MALWARE SteamStealer Malicious SSL Certificate Detected
(malware.rules)
2025416 - ET MALWARE StrongPity APT SSL Certificate Detected (malware.rules)
2029910 - ET MALWARE Suspected SPECULOOS Backdoor CnC Init Packet
Masquerading as SNI Request to live .com (malware.rules)
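
The added and modified lists above are what most consumers of these daily summaries act on: new SIDs to review, modified SIDs to re-baseline. The following Python is an added example, not a tool from Emerging Threats or Proofpoint, that parses a summary in this post's format (rule names wrapped across lines, "Open:"/"Pro:" subsections, "[+++]"/"[///]" section headers), cross-checks the claimed OPEN/PRO counts in the Summary against the entries actually listed, and renders a section as one-SID-per-line text. The embedded SAMPLE is a constructed excerpt of this post with a deliberately under-listed PRO section so the count check has something to report; the output line shape (SID followed by a "#" comment) is assumed to be what your SID-list consumer, such as suricata-update's enable.conf/disable.conf, accepts, so drop the comment if yours does not.

```python
"""Parse an Emerging Threats daily update summary into SID lists and
cross-check the claimed rule counts against the entries actually listed."""
import re
from collections import defaultdict

# Constructed sample modelled on the changelog above: rule names are wrapped
# across lines the way the original post wraps them, and the claimed PRO
# count (2) is deliberately one higher than the single PRO entry listed.
SAMPLE = """[***] Summary: [***]

2 new OPEN, 4 new PRO (2 + 2) Kimsuky Exfil, ConPtyShell.

[+++] Added rules: [+++]

Open:

2035562 - ET INFO URL Shortening Service Domain in DNS Lookup
(vtaurl .com) (info.rules)
2035564 - ET MALWARE Kimsuky APT Related Host Data Exfil M4 (malware.rules)

Pro:

2851314 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.sm
(DNS Lookup) (mobile_malware.rules)

[///] Modified active rules: [///]

2013295 - ET POLICY Self Signed SSL Certificate (Snake Oil CA) (policy.rules)
2029910 - ET MALWARE Suspected SPECULOOS Backdoor CnC Init Packet
Masquerading as SNI Request to live .com (malware.rules)
"""

# "[+++] Added rules: [+++]" -> first word of the title ("Added") is the key.
SECTION_RE = re.compile(r"^\[\S{3}\]\s+(\w+)[^\[]*\[\S{3}\]$")
# "<sid> - <ET|ETPRO> <CATEGORY> <msg> (<file>.rules)" once wrapping is undone.
ENTRY_RE = re.compile(r"^(\d{7}) - (ET|ETPRO) (\S+) (.*?) \((\w+\.rules)\)$")
# "6 new OPEN, 22 new PRO (6 + 16)": open count, pro total, open part, pro part.
COUNT_RE = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")


def _join_wrapped(lines):
    """Re-join continuation lines onto the '<sid> - ' entry that started them."""
    entries = []
    for line in lines:
        if re.match(r"\d{7} - ", line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries


def parse_update(text):
    """Return {'claimed': counts from the Summary, 'sections': {name: [entry]}}.
    Section names are 'open', 'pro', 'modified', 'removed'; each entry is a dict
    with sid, prefix, category, msg and rulefile."""
    raw = defaultdict(list)
    claimed = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1).lower()          # summary / added / modified / removed
            continue
        if line in ("Open:", "Pro:") and key in ("added", "open", "pro"):
            key = line[:-1].lower()           # subsection of "Added rules"
            continue
        if key == "summary":
            c = COUNT_RE.search(line)
            if c:
                claimed = {"open": int(c.group(1)), "pro": int(c.group(4)),
                           "pro_total": int(c.group(2))}
            continue
        if key:
            raw[key].append(line)

    sections = {}
    for name, lines in raw.items():
        sections[name] = []
        for joined in _join_wrapped(lines):
            m = ENTRY_RE.match(joined)
            if m is None:
                continue                      # stray prose, not a rule line
            sid, prefix, category, msg, rulefile = m.groups()
            sections[name].append({"sid": int(sid), "prefix": prefix,
                                   "category": category, "msg": msg,
                                   "rulefile": rulefile})
    return {"claimed": claimed, "sections": sections}


def count_mismatches(parsed):
    """Compare the Summary's claimed OPEN/PRO counts with the entries listed.
    Returns {name: (claimed, listed)} for every count that disagrees."""
    claimed, sections = parsed["claimed"], parsed["sections"]
    out = {}
    for name in ("open", "pro"):
        listed = len(sections.get(name, []))
        if name in claimed and claimed[name] != listed:
            out[name] = (claimed[name], listed)
    return out


def sid_lines(parsed, section):
    """Render one section as 'SID  # msg' lines, sorted by SID (assumed shape
    for a one-SID-per-line list such as suricata-update's enable.conf)."""
    entries = sorted(parsed["sections"].get(section, []), key=lambda e: e["sid"])
    return [f"{e['sid']}  # {e['prefix']} {e['category']} {e['msg']}" for e in entries]


if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    print("count mismatches:", count_mismatches(parsed))
    print("\n".join(sid_lines(parsed, "modified")))
```

Run it against the full text of a daily post rather than SAMPLE to get the modified-SID list you need for re-baselining: a rule whose SID appears under "Modified active rules" may fire differently after the update even though its SID and message are unchanged, so any local threshold or suppression keyed on that SID is worth re-checking.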
