[***] Summary: [***]
16 new OPEN, 27 new PRO (16 + 11). Kaspov, Various Android, Spring4Shell modifications, Others.
Thanks @mandiant, @0xrb, @LAB52io, @twinwavesec, @citizenlab
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2035767 - ET PHISHING Suspicious Form with Action Value Equal to bit .ly (phishing.rules)
2035768 - ET HUNTING Kaspov Related Hex In HTTP Accept Header (hunting.rules)
2035769 - ET HUNTING [TW] Likely Hex Executable String (hunting.rules)
2035770 - ET MALWARE Android Infostealer CnC Check-In (malware.rules)
2035771 - ET MALWARE Spytector Domain DNS Lookup (mail .spytector .com) (malware.rules)
2035772 - ET MALWARE Spytector Domain (mail .spytector .com) in TLS SNI (malware.rules)
2035773 - ET MALWARE Pegasus Domain in DNS Lookup (akhbar-almasdar .com) (malware.rules)
2035774 - ET MALWARE Pegasus Domain in DNS Lookup (akhbar-islamyah .com) (malware.rules)
2035775 - ET MALWARE Pegasus Domain in DNS Lookup (akhbarnew .com) (malware.rules)
2035776 - ET MALWARE Pegasus Domain in DNS Lookup (al-nusr .net) (malware.rules)
2035777 - ET MALWARE Pegasus Domain in DNS Lookup (al-taleanews .net) (malware.rules)
2035778 - ET MALWARE Pegasus Domain in DNS Lookup (al-taleanewsonline .net) (malware.rules)
2035779 - ET MALWARE Pegasus Domain in DNS Lookup (al7erak247 .com) (malware.rules)
2035780 - ET MALWARE Pegasus Domain in DNS Lookup (alrai .com) (malware.rules)
2035781 - ET MALWARE Pegasus Domain in DNS Lookup (alrainew .com) (malware.rules)
2035782 - ET MALWARE Pegasus Domain in DNS Lookup (arabia-islamion .com) (malware.rules)
Pro:
2851389 - ETPRO MOBILE_MALWARE Android.Trojan.Banker.XJ Activity (mobile_malware.rules)
2851390 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-05 1) (coinminer.rules)
2851391 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-05 2) (coinminer.rules)
2851396 - ETPRO MALWARE Suspicious Domain (records .hibiscus .live) in TLS SNI (malware.rules)
2851397 - ETPRO MALWARE Suspicious Domain (backup .latestsyn .xyz) in TLS SNI (malware.rules)
2851398 - ETPRO MALWARE Observed DNS Query to Likely Kaspov Domain (malware.rules)
2851399 - ETPRO MALWARE Observed DNS Query to Likely Kaspov Domain (malware.rules)
[///] Modified active rules: [///]
2018396 - ET INFO BrowseTor .onion Proxy Service SSL Cert (info.rules)
2023423 - ET MALWARE APT28/Sednit SSL Cert (malware.rules)
2035674 - ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 1 Pattern Set Inbound (CVE-2022-22965) (exploit.rules)
2035675 - ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 2 Suffix Set Inbound (CVE-2022-22965) (exploit.rules)
2035676 - ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 3 Directory Set Inbound (CVE-2022-22965) (exploit.rules)
2035677 - ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 4 Prefix Set Inbound (CVE-2022-22965) (exploit.rules)
2035678 - ET EXPLOIT Possible SpringCore RCE/Spring4Shell Inbound (CVE-2022-22965) (exploit.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team