[***] Summary: [***]
25 new OPEN, 25 new PRO (25 + 0). Lazarus APT, Win32/Killav.CM, Deep Panda and BlackGuard.
Thanks @FortiGuardLabs, @zscaler and @AuCyble
Free sig Friday, all rules went into the OPEN set today!
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2035692 - ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) (malware.rules)
2035693 - ET MALWARE Win32/Killav.CM CnC Response (malware.rules)
2035694 - ET MALWARE Win32/Killav.CM Checkin M2 (malware.rules)
2035695 - ET MALWARE MSIL/Unk.CoinMiner Downloader (malware.rules)
2035696 - ET MALWARE Win32/WindowsDefender Bypass Download Request (malware.rules)
2035697 - ET INFO Image Hosting Domain in DNS Lookup (imgyukle .com) (info.rules)
2035698 - ET INFO Observed Image Hosting Domain (imgyukle .com in TLS SNI) (info.rules)
2035699 - ET INFO Image Hosting Domain in DNS Lookup (resimag .com) (info.rules)
2035700 - ET INFO Observed Image Hosting Domain (resimag .com in TLS SNI) (info.rules)
2035701 - ET INFO Observed Image Hosting Domain (resimupload .org in TLS SNI) (info.rules)
2035702 - ET INFO Image Hosting Domain in DNS Lookup (resimupload .org) (info.rules)
2035703 - ET MALWARE Deep Panda Downloader User-Agent (mozilla_horizon) GET request observed (malware.rules)
2035704 - ET MALWARE Deep Panda Domain in DNS Lookup (vpn2 .smi1egate .com) (malware.rules)
2035705 - ET MALWARE Deep Panda Domain in DNS Lookup (svn1 .smi1egate .com) (malware.rules)
2035706 - ET MALWARE Deep Panda Domain in DNS Lookup (giga .gnisoft .com) (malware.rules)
2035707 - ET MALWARE Deep Panda CnC Check-In (malware.rules)
2035708 - ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (win .mirtonewbacker .com) (malware.rules)
2035709 - ET MALWARE Observed BlackGuard_v2 Domain (win .mirtonewbacker .com) in TLS SNI (malware.rules)
2035710 - ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (umpulumpu .ru) (malware.rules)
2035711 - ET MALWARE Observed BlackGuard_v2 Domain (umpulumpu .ru) in TLS SNI (malware.rules)
2035712 - ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (greenblguard .shop) (malware.rules)
2035713 - ET MALWARE Observed BlackGuard_v2 Domain (greenblguard .shop) in TLS SNI (malware.rules)
2035714 - ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (onetwostep .at) (malware.rules)
2035715 - ET MALWARE Observed BlackGuard_v2 Domain (onetwostep .at) in TLS SNI (malware.rules)
2035716 - ET MALWARE BlackGuard_v2 Data Exfiltration Observed (malware.rules)
[///] Modified active rules: [///]
2035462 - ET PHISHING Generic Credential Phish Redirection 2022-03-14 (phishing.rules)
2035690 - ET INFO Custom Logo Domain in DNS Lookup (seeklogo .com) (info.rules)
2809637 - ETPRO MALWARE Kakfum CnC Beacon 1 (malware.rules)
2851362 - ETPRO MALWARE Win32/MetaStealer Related Activity (GET) (malware.rules)
2851363 - ETPRO MALWARE Win32/MetaStealer Related Activity (POST) (malware.rules)