[***] Summary: [***]

30 new OPEN, 39 new PRO (30 + 9). Various Stealer, BlackCat
Ransomware, Various Certishell, Trojan-Banker.AndroidOS.Basbanke.l,
Miners and Various Phishing.

Thanks @3xp0rtblog, @struppigel, @Avast

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036303 - ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check (hunting.rules)
2036304 - ET INFO Observed External IP Lookup Domain (icanhazip .com in TLS SNI) (info.rules)
2036305 - ET MALWARE Kratos Silent Miner Checkin via Discord (malware.rules)
2036306 - ET MALWARE 000Stealer CnC Checkin (malware.rules)
2036307 - ET MALWARE 000Stealer Data Exfiltration M1 (malware.rules)
2036308 - ET MALWARE Win32/Blacktech Plead CnC Activity (GET) (malware.rules)
2036309 - ET MALWARE BlackTech FlagPro Dropper Activity (GET) (malware.rules)
2036310 - ET INFO Commonly Abused File Sharing Domain in DNS Lookup (filetransfer .io) (info.rules)
2036311 - ET INFO Commonly Abused File Sharing Domain (filetransfer .io in TLS SNI) (info.rules)
2036312 - ET MALWARE BlackCat Ransomware Related Domain in TLS SNI (updatedaemon .com) (malware.rules)
2036313 - ET MALWARE BlackCat Ransomware Related Domain in DNS Lookup (updatedaemon .com) (malware.rules)
2036314 - ET MALWARE Observed BlackCat Ransomware Related SSL Cert (updatedaemon .com) (malware.rules)
2036315 - ET MALWARE Win32/Blacktech Plead CnC Activity (POST) (malware.rules)
2036316 - ET MALWARE W32/Agent.OGR!tr.pws Stealer (malware.rules)
2036317 - ET MALWARE Zingo/GinzoStealer Data Command List Fetch (malware.rules)
2036318 - ET MALWARE Win32/TrojanDownloader.Agent.APBB Checkin (malware.rules)
2036319 - ET PHISHING Successful Banca Monte dei Paschi di Siena Credential Phish 2022-04-22 (phishing.rules)
2036320 - ET PHISHING Banca Monte dei Paschi di Siena Credential Phish Landing Page 2022-04-22 (phishing.rules)
2036321 - ET MALWARE 000Stealer Data Exfiltration M2 (malware.rules)
2036322 - ET MALWARE Observed DNS Query to Certishell Domain (forummanazera .sk) (malware.rules)
2036323 - ET MALWARE Observed DNS Query to Certishell Domain (reality .skarabeus .sk) (malware.rules)
2036324 - ET MALWARE Observed DNS Query to Certishell Domain (msrousinov .cz) (malware.rules)
2036325 - ET MALWARE Observed DNS Query to Certishell Domain (googleprovider .ru) (malware.rules)
2036326 - ET MALWARE Observed DNS Query to Certishell Domain (profiit .fiit .stuba .sk) (malware.rules)
2036327 - ET MALWARE Observed DNS Query to Certishell Domain (freetips .php5 .sk) (malware.rules)
2036328 - ET MALWARE Observed DNS Query to Certishell Domain (sivpici .php5 .sk) (malware.rules)
2036329 - ET MALWARE Observed DNS Query to Certishell Domain (hotel-boss .eu) (malware.rules)
2036330 - ET MALWARE Observed DNS Query to Certishell Domain (limousine-service .cz) (malware.rules)
2036331 - ET MALWARE Observed DNS Query to Certishell Domain (ms .rousinov .cz) (malware.rules)
2036332 - ET MALWARE Observed DNS Query to Certishell Domain (vavave .xf .cz) (malware.rules)

Pro:

2808901 - ETPRO INFO Observed External IP Lookup SSL Cert (icanhazip.com) (info.rules)
2851514 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.zg Checkin (mobile_malware.rules)
2851515 - ETPRO MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Agent.abe Domain in TLS SNI (mobile_malware.rules)
2851516 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.abe Checkin (mobile_malware.rules)
2851517 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Basbanke.l Checkin (mobile_malware.rules)
2851518 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Basbanke.l Checkin 2 (mobile_malware.rules)
2851519 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-21 1) (coinminer.rules)
2851520 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-21 2) (coinminer.rules)
2851521 - ETPRO COINMINER MoneroOcean Miner Setup Script Download (.bat) (coinminer.rules)

[///] Modified active rules: [///]

2031747 - ET HUNTING Observed Interesting Content-Type Inbound (application/x-sh) (hunting.rules)
2036246 - ET MALWARE Zingo/GinzoStealer Stealer Exfiltration Observed (malware.rules)
2036249 - ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI) (malware.rules)
2036250 - ET MALWARE Zingo/GinzoStealer Data Exfiltration M2 (malware.rules)
2036251 - ET MALWARE Zingo/GinzoStealer Downloading Additional Payloads (malware.rules)
2036286 - ET MALWARE MSIL/Crimson Receiving Command (getavs) (malware.rules)

[---] Removed rules: [---]

2019680 - ET MALWARE Possible Archie EK Payload Checkin GET (malware.rules)
2808901 - ETPRO POLICY Likely icanhazip.com IP lookup over SSL (policy.rules)
2845814 - ETPRO MALWARE Win32/Blacktech Plead CnC Activity (malware.rules)
2849310 - ETPRO MALWARE BlackTech FlagPro Dropper Activity (GET) (malware.rules)
