[***] Summary: [***]

45 new OPEN, 49 new PRO (45 + 4) MSIL/Crimson, Android
ExobotCompact.D/Octo, Scarab APT - HeaderTip, Cobalt Strike,
DeathStalker/EvilNum, Sparkasse, and Fodcha

Thanks @Trustwave, @threatfabric, @ESET, @500mk500, @TalosSecurity

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035903 - ET MALWARE MSIL/Crimson CnC Server Command (info) M1 (malware.rules)
2035904 - ET MALWARE MSIL/Crimson Receiving Command (ping) M1 (malware.rules)
2035905 - ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (ifn1h8ag1g .com in TLS SNI) (mobile_malware.rules)
2035906 - ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (s22231232fdnsjds .top in TLS SNI) (mobile_malware.rules)
2035907 - ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (equisdeperson .space in TLS SNI) (mobile_malware.rules)
2035908 - ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (xipxesip .design in TLS SNI) (mobile_malware.rules)
2035909 - ET MOBILE_MALWARE Observed Android/SpyLoan.9ef8bf95 Domain (api .dreamloan .cc in TLS SNI) (mobile_malware.rules)
2035910 - ET MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Agent.abe Domain in TLS SNI (mobile_malware.rules)
2035911 - ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved (malware.rules)
2035912 - ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (ebook .port25 .biz) (malware.rules)
2035913 - ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (mert .my03 .com) (malware.rules)
2035914 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (mail .igov-service .net) (malware.rules)
2035915 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
2035916 - ET MALWARE Observed Cobalt Strike Related Domain (mail .igov-service .net in TLS SNI) (malware.rules)
2035917 - ET MALWARE TransparentTribe APT Related Activity (POST) (malware.rules)
2035918 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (showsvc .com) (malware.rules)
2035919 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (wicommerece .com) (malware.rules)
2035920 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (upservicemc .com) (malware.rules)
2035921 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (netpixelds .com) (malware.rules)
2035922 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (allmyad .com) (malware.rules)
2035923 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (ananoka .com) (malware.rules)
2035924 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (gvgnci .com) (malware.rules)
2035925 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (msfbckupsc .com) (malware.rules)
2035926 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (polanicia .com) (malware.rules)
2035927 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (informaxima .org) (malware.rules)
2035928 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (worldchangeos .com) (malware.rules)
2035929 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (liongracem .com) (malware.rules)
2035930 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (jmarrycs .com) (malware.rules)
2035931 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (am-reader .com) (malware.rules)
2035932 - ET USER_AGENTS Observed Malicious User-Agent (FastInvoice) (user_agents.rules)
2035933 - ET PHISHING Successful Sparkasse Credential Phish M1 2022-04-13 (phishing.rules)
2035934 - ET PHISHING Successful Sparkasse Credential Phish M2 2022-04-13 (phishing.rules)
2035935 - ET PHISHING Sparkasse Credential Phish Landing Page M1 2022-04-13 (phishing.rules)
2035936 - ET PHISHING Sparkasse Credential Phish Landing Page M2 2022-04-13 (phishing.rules)
2035937 - ET PHISHING Sparkasse Credential Phish Landing Page M3 2022-04-13 (phishing.rules)
2035938 - ET PHISHING Sparkasse Credential Phish Landing Page M4 2022-04-13 (phishing.rules)
2035939 - ET MALWARE Fodcha Bot CnC Checkin (malware.rules)
2035940 - ET MALWARE Fodcha Bot CnC Client Heartbeat (malware.rules)
2035941 - ET MALWARE Fodcha Bot CnC Heartbeat Response (malware.rules)
2035942 - ET MALWARE Observed DNS Query to Fodcha Bot Domain (malware.rules)
2035943 - ET MALWARE Observed DNS Query to Fodcha Bot Domain (malware.rules)
2035944 - ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain (malware.rules)
2035945 - ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain (malware.rules)
2035946 - ET MALWARE VBS/Agent.PUK Data Exfiltration Request M1 (malware.rules)
2035947 - ET MALWARE VBS/Agent.PUK Data Exfiltration Request M2 (malware.rules)

Pro:

2851431 - ETPRO MALWARE Scarab APT - HeaderTip CnC Activity (malware.rules)
2851432 - ETPRO MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (malware.rules)
2851433 - ETPRO MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (malware.rules)
2851434 - ETPRO MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (malware.rules)

[///] Modified active rules: [///]

2008556 - ET HUNTING FTP CWD to windows system32 - Suspicious (hunting.rules)
2025702 - ET POLICY SMB NT Create AndX Request For an Executable File In a Temp Directory (policy.rules)
2035557 - ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (product2020 .mrbasic .com) (malware.rules)
2035881 - ET MALWARE Base64 Encoded Stealer Config from Server - %APPDATA% M1 (malware.rules)
2035882 - ET MALWARE Base64 Encoded Stealer Config from Server - %APPDATA% M2 (malware.rules)
2035883 - ET MALWARE Base64 Encoded Stealer Config from Server - %APPDATA% M3 (malware.rules)
2035884 - ET MALWARE Base64 Encoded Stealer Config from Server - %APPDATA% M4 (malware.rules)
2035901 - ET MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Remote Template Request M1 (malware.rules)
2804353 - ETPRO INFO DYNAMIC_DNS HTTP Request to a *.ProxyDNS.com Domain (info.rules)
2804355 - ETPRO INFO DYNAMIC_DNS HTTP Request to a *.gr8name.biz Domain (info.rules)
2845231 - ETPRO MALWARE Win32/GoDeep6 CnC Host Checkin (malware.rules)

[///] Modified inactive rules: [///]

2804173 - ETPRO INFO DYNAMIC_DNS HTTP Request to a *.myDDNS.com Domain (info.rules)

[---] Removed rules: [---]

2814263 - ETPRO MALWARE MSIL/Crimson CnC Server Command (info) M1 (malware.rules)
2816280 - ETPRO MALWARE MSIL/Crimson Receiving Command (ping) M1 (malware.rules)
2837473 - ETPRO MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved (malware.rules)
