[***] Summary: [***]

12 new OPEN, 22 new PRO (12 + 10). Bumblebee, Cobalt Strike,
CrimsonRAT, Blackguard and various Phishing.

Thanks @James_inthe_box, @Cynet360, @0xrb, @TalosSecurity,
@3xp0rtblog and @Thingzeye

Multiple rules were modified in today's release to standardize
spacing and other minor style items.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036237 - ET USER_AGENTS Observed Bumblebee Loader User-Agent
(bumblebee) (user_agents.rules)
2036238 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup
(hojimizeg .com) (malware.rules)
2036239 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup
(notixow .com) (malware.rules)
2036240 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup
(rewujisaf .com) (malware.rules)
2036241 - ET MALWARE MSIL/Crimson Rat CnC Exfil (malware.rules)
2036242 - ET MALWARE MSIL/Crimson Rat CnC Server Response (malware.rules)
2036243 - ET MALWARE MSIL/Crimson CnC Server Command (info) M3 (malware.rules)
2036244 - ET MALWARE MSIL/Crimson Client Command Response (info)
(malware.rules)
2036245 - ET MALWARE Matrix Max Stealer Exfiltration Observed (malware.rules)
2036246 - ET MALWARE Ginzo Stealer Exfiltration Observed (malware.rules)
2036247 - ET MALWARE Observed Blackguard_v3.5 Domain (ritmflow
.online) in TLS SNI (malware.rules)
2036248 - ET MALWARE Blackguard_v3.5 Domain in DNS Lookup (ritmflow
.online) (malware.rules)

Pro:

2851456 - ETPRO PHISHING Twitter Credential Phish Landing Page
2022-04-18 (phishing.rules)
2851457 - ETPRO PHISHING Twitter Credential Phish Landing Page
2022-04-18 (phishing.rules)
2851458 - ETPRO PHISHING Twitter Credential Phish Landing Page
2022-04-18 (phishing.rules)
2851459 - ETPRO PHISHING Twitter Credential Phish Landing Page
2022-04-18 (phishing.rules)
2851460 - ETPRO PHISHING Successful Twitter Credential Phish
2022-04-18 (phishing.rules)
2851461 - ETPRO PHISHING Successful Twitter Credential Phish
2022-04-18 (phishing.rules)
2851462 - ETPRO PHISHING Successful Twitter Credential Phish
2022-04-18 (phishing.rules)
2851463 - ETPRO PHISHING Twitter Credential Phish Landing 2022-04-18
(phishing.rules)
2851464 - ETPRO PHISHING Successful Twitter Credential Phish
2022-04-18 (phishing.rules)
2851465 - ETPRO PHISHING Twitter Credential Phish Landing Page
2022-04-18 (phishing.rules)

[///] Modified active rules: [///]

2004894 - ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL
Injection Attempt -- rss.asp kid UNION SELECT
(web_specific_apps.rules)
2005063 - ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection
Attempt -- oku.asp id SELECT (web_specific_apps.rules)
2005425 - ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt --
content.php where UPDATE (web_specific_apps.rules)
2005478 - ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL
Injection Attempt -- index.php clickurl ASCII
(web_specific_apps.rules)
2006088 - ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL
Injection Attempt -- send_password_preferences.asp UNION SELECT
(web_specific_apps.rules)
