[***] Summary: [***]

20 new OPEN, 24 new PRO (20 + 4). CrimsonRAT, Shuckworm, Chromeback
and Win32/nstart.

Thanks @threatintel, @0xrb, @twinwave and @GoSecure_Inc

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036283 - ET MALWARE MSIL/Crimson Receiving Command (dirs list) (malware.rules)
2036284 - ET MALWARE MSIL/Crimson Receiving Command (folders list) (malware.rules)
2036285 - ET MALWARE MSIL/Crimson Receiving Command (files list) (malware.rules)
2036286 - ET MALWARE MSIL/Crimson Recieving Command (getavs) (malware.rules)
2036287 - ET INFO Pastebin Style Domain in DNS Lookup (pastetext .net) (info.rules)
2036288 - ET INFO Observed Pastebin Style Domain (pastetext .net in TLS SNI) (info.rules)
2036289 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) (coinminer.rules)
2036290 - ET MALWARE MSIL/CrimsonRAT Activity (POST) (malware.rules)
2036291 - ET MALWARE Win32/Shuckworm CnC Exfil M1 (malware.rules)
2036292 - ET MALWARE Win32/Shuckworm CnC Exfil M2 (malware.rules)
2036293 - ET MALWARE Win32/Pterodo CnC VNC Connect Request (malware.rules)
2036294 - ET MALWARE Win32/ChromeBack Extention Payload Fetch (malware.rules)
2036295 - ET MALWARE Win32/ChromeBack CnC Checkin (malware.rules)
2036296 - ET MALWARE Win32/ChromeBack Browser Hijacker Query Redirection (malware.rules)
2036297 - ET MALWARE Win32/ChromeBack Browser Hijacker Sync (malware.rules)
2036298 - ET MALWARE Win32/ChromeBack Browser Hijacker Home Beacon (malware.rules)
2036299 - ET MALWARE Win32/ChromeBack Browser Hijacker (getAd) (malware.rules)
2036300 - ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1 (hunting.rules)
2036301 - ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2 (hunting.rules)
2036302 - ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3 (hunting.rules)

Pro:

2851510 - ETPRO MALWARE Win32/nstart Checkin Activity (malware.rules)
2851511 - ETPRO MALWARE Win32/Packed.Autoit.Y Variant CnC Response (malware.rules)
2851512 - ETPRO MALWARE Win32/TrojanClicker.Delf.NIG CnC Traffic (malware.rules)
2851513 - ETPRO MALWARE Malicious Script Retrieved via SQL (malware.rules)

[///] Modified active rules: [///]

2035881 - ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M1 (malware.rules)
2035882 - ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M2 (malware.rules)
2035883 - ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M3 (malware.rules)
2035884 - ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4 (malware.rules)
2824155 - ETPRO PHISHING Successful Generic Phish Dec 30 2016 (phishing.rules)

[---] Disabled and modified rules: [---]

2837560 - ETPRO PHISHING Successful DHL Phish 2019-07-17 (phishing.rules)

[---] Removed rules: [---]

2816277 - ETPRO MALWARE MSIL/Crimson Receiving Command (dirs list) (malware.rules)
2816278 - ETPRO MALWARE MSIL/Crimson Receiving Command (folders list) (malware.rules)
2816279 - ETPRO MALWARE MSIL/Crimson Receiving Command (files list) (malware.rules)
2832107 - ETPRO MALWARE MSIL/Crimson Recieving Command (getavs) (malware.rules)