[***] Summary: [***]
27 new OPEN, 36 new PRO (27 + 9). CVE-2022-27643, CVE-2022-0543,
Win32/POWERPLANT, Win32/LOADOUT, Others.
Thanks @mandiant.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2035717 - ET EXPLOIT NetGear R6700v3 upnpd Buffer Overflow Inbound (CVE-2022-27643) (exploit.rules)
2035718 - ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M1 (exploit.rules)
2035719 - ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M2 (exploit.rules)
2035720 - ET EXPLOIT Possible Redis RCE Attempt - Dynamic Importing of liblua (CVE-2022-0543) (exploit.rules)
2035721 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
2035722 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
2035723 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
2035724 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
2035725 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
2035726 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
2035727 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
2035728 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
2035729 - ET MALWARE Win32/POWERPLANT CnC Exfil (Query) (malware.rules)
2035730 - ET MALWARE Win32/POWERPLANT CnC Exfil (INIT) (malware.rules)
2035731 - ET MALWARE Observed DNS Query to LOADOUT Domain (malware.rules)
2035732 - ET MALWARE Observed DNS Query to LOADOUT Domain (malware.rules)
2035733 - ET MALWARE Observed DNS Query to LOADOUT Domain (malware.rules)
2035734 - ET MALWARE Observed DNS Query to LOADOUT Domain (malware.rules)
2035735 - ET MALWARE Win32/LOADOUT CnC Activity (malware.rules)
2035736 - ET INFO Instagram Story Viewer Domain in DNS Lookup (dumpor .com) (info.rules)
2035737 - ET INFO Instagram Story Viewer Domain in DNS Lookup (smihub .com) (info.rules)
2035738 - ET INFO Instagram Story Viewer Domain in DNS Lookup (greatfon .com) (info.rules)
2035739 - ET INFO Observed Instagram Story Viewer Domain (dumpor .com in TLS SNI) (info.rules)
2035740 - ET INFO Observed Instagram Story Viewer Domain (smihub .com in TLS SNI) (info.rules)
2035741 - ET INFO Observed Instagram Story Viewer Domain (greatfon .com in TLS SNI) (info.rules)
2035742 - ET INFO URL Shortener Domain in DNS Lookup (lk .tc) (info.rules)
2035743 - ET INFO Observed URL Shortener Domain (lk .tc in TLS SNI) (info.rules)
Pro:
2851373 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-01 1) (coinminer.rules)
2851374 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-04 1) (coinminer.rules)
2851375 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-04 2) (coinminer.rules)
2851376 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-04 3) (coinminer.rules)
2851377 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-04 4) (coinminer.rules)
2851378 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-04 5) (coinminer.rules)
2851379 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-04 6) (coinminer.rules)
2851380 - ETPRO MALWARE Win32/Remcos RAT Checkin 787 (malware.rules)
2851381 - ETPRO MALWARE Win32/Remcos RAT Checkin 788 (malware.rules)
[///] Modified active rules: [///]
2014286 - ET ADWARE_PUP Carder Card Checking Tool try2check.me SSL Certificate (adware_pup.rules)
2015717 - ET EXPLOIT_KIT SSL Cert Used In Unknown Exploit Kit (ashburn) (exploit_kit.rules)
2035653 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team