[***] Summary: [***]

23 new OPEN, 27 new PRO (23 + 4). ZingoStealer, Various Exploit,
Various DPRK APT Related, Cobalt Strike, TA404 and Various Phishing.

Thanks @Thingzeye, @Max_Mal_, @USCERT_gov and Symantec

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036249 - ET MALWARE Observed ZingoStealer CnC Domain (nominally .ru in TLS SNI) (malware.rules)
2036250 - ET MALWARE ZingoStealer Data Exfilration M2 (malware.rules)
2036251 - ET MALWARE ZingoStealer Downloading Additional Payloads (malware.rules)
2036252 - ET SCAN RDP Connection Attempt from Nmap (scan.rules)
2036253 - ET EXPLOIT Shenzhen TVT DVR/NVR/IPC WebUI RCE ADD Attempt (exploit.rules)
2036254 - ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded WebUI Login Attempt M1 (exploit.rules)
2036255 - ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Stack Overflow in Base64 Authorization Mechanism M1 (exploit.rules)
2036256 - ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Stack Overflow in Base64 Authorization Mechanism M2 (exploit.rules)
2036257 - ET MALWARE Suspected TA404 APT Related Activity M1 (malware.rules)
2036258 - ET MALWARE Suspected TA404 APT Related Activity M2 (malware.rules)
2036259 - ET MALWARE DPRK APT Related Domain in DNS Lookup (dafom .dev) (malware.rules)
2036260 - ET USER_AGENTS Observed DPRK Related APT User-Agent (dafom) (user_agents.rules)
2036261 - ET MALWARE DPRK APT Related Domain in DNS Lookup (tokenais .com) (malware.rules)
2036262 - ET MALWARE DPRK APT Related Domain in DNS Lookup (cryptais .com) (malware.rules)
2036263 - ET MALWARE DPRK APT Related Domain in DNS Lookup (alticgo .com) (malware.rules)
2036264 - ET MALWARE DPRK APT Related Domain in DNS Lookup (esilet .com) (malware.rules)
2036265 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (vasepinay .com) (malware.rules)
2036266 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (dixavokij .com) (malware.rules)
2036267 - ET HUNTING Request To Suspicious Filename via Powershell (key) (hunting.rules)
2036268 - ET HUNTING Request To Suspicious Filename via Powershell (payload) (hunting.rules)
2036269 - ET ADWARE_PUP Win/Malware.Filetour Variant Checkin (adware_pup.rules)
2036270 - ET ADWARE_PUP Win/Malware.FileTour Variant Checkin (adware_pup.rules)
2036271 - ET ADWARE_PUP Win/Malware.FileTour Variant Checkin (adware_pup.rules)

Pro:

2851466 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-15 1) (coinminer.rules)
2851467 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-15 2) (coinminer.rules)
2851476 - ETPRO PHISHING Twitter Credential Phish Landing Page 2022-04-19 (phishing.rules)
2851477 - ETPRO PHISHING Twitter Credential Phish Landing Page 2022-04-19 (phishing.rules)

[///] Modified active rules: [///]

2036246 - ET MALWARE Zingo Stealer Exfiltration Observed (malware.rules)
2851362 - ETPRO MALWARE Win32/TinyFluff Related Activity (GET) (malware.rules)
2851363 - ETPRO MALWARE Win32/TinyFluff Related Activity (POST) (malware.rules)

[///] Modified inactive rules: [///]

2036222 - ET HUNTING Potential Forced OGNL Evaluation - HTTP URI (hunting.rules)
2036223 - ET HUNTING Potential Forced OGNL Evaluation - HTTP Header (hunting.rules)
2036224 - ET HUNTING Potential Forced OGNL Evaluation - HTTP Body (hunting.rules)
