[***] Summary: [***]

19 new OPEN, 25 new PRO (19 + 6). Cobalt Strike, Trojan.Verblecon,
Various EvilNum and Baza.

Thanks @MBThreatIntel, @symantec and @malwrhunterteam

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035651 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert (malware.rules)
2035652 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (wikipedia-book .vote) (malware.rules)
2035653 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
2035654 - ET INFO Abused Hosting Domain in DNS Lookup (digital-ministry .ru) (info.rules)
2035655 - ET INFO Image Hosting Domain in DNS Lookup (hizliresim .com) (info.rules)
2035656 - ET INFO Observed SSL Cert (hizliresim .com) (info.rules)
2035657 - ET INFO URL Shortener Service Domain in DNS Lookup (kisa .link) (info.rules)
2035658 - ET INFO Observed URL Shortener Service Domain (www .kisa .link in TLS SNI) (info.rules)
2035659 - ET MALWARE Trojan.Verblecon User Agent Observed (malware.rules)
2035660 - ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (gaymers .ax) (malware.rules)
2035661 - ET MALWARE Observed Trojan.Verblecon Related Domain (gaymers .ax in TLS SNI) (malware.rules)
2035662 - ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (jonathanhardwick .me) (malware.rules)
2035663 - ET MALWARE Observed Trojan.Verblecon Related Domain (jonathanhardwick .me in TLS SNI) (malware.rules)
2035664 - ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (.verble .rocks) (malware.rules)
2035665 - ET MALWARE Observed Trojan.Verblecon Related Domain (.verble .rocks in TLS SNI) (malware.rules)
2035666 - ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (verble .software) (malware.rules)
2035667 - ET MALWARE Observed Trojan.Verblecon Related Domain (verble .software in TLS SNI) (malware.rules)
2035668 - ET POLICY Pastebin-style service note .youdao .com in DNS query (policy.rules)
2035669 - ET POLICY Pastebin-style service (note .youdao .com) in TLS SNI (policy.rules)

Pro:

2851359 - ETPRO MALWARE Possible EvilNum PowerShell Checkin (malware.rules)
2851360 - ETPRO MALWARE EvilNum CnC Domain in DNS Lookup (malware.rules)
2851361 - ETPRO MALWARE EvilNum CnC Domain in DNS Lookup (malware.rules)
2851362 - ETPRO MALWARE Suspected BazaLoader Related Activity (GET) (malware.rules)
2851363 - ETPRO MALWARE Suspected BazaLoader Related Activity (POST) (malware.rules)
2851364 - ETPRO MALWARE Observed DNS Query to TA453 Domain (malware.rules)

[///] Modified active rules: [///]

2021591 - ET MALWARE APT CozyCar SSL Cert 1 (malware.rules)
2027237 - ET RPC DCERPC SVCCTL - Remote Service Control Manager Access (rpc.rules)
2029201 - ET MALWARE Observed Malicious SSL Cert (Upatre CnC) (malware.rules)
2035641 - ET MALWARE Win32/Backdoor Checkin (POST) (malware.rules)
2035642 - ET MALWARE Win32/Backdoor Retrieving Task (POST) (malware.rules)
2035643 - ET MALWARE Win32/Backdoor Sending Task Status (POST) (malware.rules)
2035644 - ET MALWARE Win32/Backdoor Related Domain in DNS Lookup (swordoke .com) (malware.rules)
2035645 - ET MALWARE Observed Win32/Backdoor Related Domain (swordoke .com in TLS SNI) (malware.rules)
2850657 - ETPRO MALWARE Valyria Maldoc/BazarLoader Activity (GET) (malware.rules)

[---] Removed rules: [---]

2814013 - ETPRO MALWARE Meterpreter or Other Reverse Shell SSL Cert (malware.rules)
