[***] Summary: [***]

44 new OPEN, 44 new PRO (44 + 0). Win32/Vodkagats, Win32/Agent.VAZ,
GOLDBACKDOOR, Various Others.

Thanks @3xp0rtblog, @Insidestairwell, @JAMESWT_MHT, @BleepinComputer, @cloudsek, @RESecurity

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036333 - ET MALWARE Win32/Vodkagats Loader Requesting Payload
(malware.rules)
2036334 - ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
(malware.rules)
2036335 - ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
(malware.rules)
2036336 - ET HUNTING Observed Suspicious Reversed String Inbound
(StrReverse) (hunting.rules)
2036337 - ET PHISHING Tech Support/Refund Scam Landing Inbound 2022/04/25
(phishing.rules)
2036338 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3
Alts (Tech Support/Refund Scam Landing) (phishing.rules)
2036339 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3
Alts (Tech Support/Refund Scam Landing) (phishing.rules)
2036340 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3
Alts (Tech Support/Refund Scam Landing) (phishing.rules)
2036341 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3
Alts (Tech Support/Refund Scam Landing) (phishing.rules)
2036342 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3
Alts (Tech Support/Refund Scam Landing) (phishing.rules)
2036343 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3
Alts (Tech Support/Refund Scam Landing) (phishing.rules)
2036344 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3
Alts (Tech Support/Refund Scam Landing) (phishing.rules)
2036345 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3
Alts (Tech Support/Refund Scam Landing) (phishing.rules)
2036346 - ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3
Alts (Tech Support/Refund Scam Landing) (phishing.rules)
2036347 - ET INFO Observed Remote Management Software Domain (syncromsp
.com in TLS SNI) (info.rules)
2036348 - ET INFO Observed Remote Management Software Domain in DNS
Lookup (syncromsp .com) (info.rules)
2036349 - ET INFO Terse Request For Bitbucket Snippet (info.rules)
2036350 - ET HUNTING Observed Suspicious Reversed String Inbound
(Powershell) (hunting.rules)
2036351 - ET HUNTING Observed Suspicious Reversed String Inbound
(Winmgmts) (hunting.rules)
2036352 - ET INFO Observed File Sharing Domain (drive .protonmail .com in
TLS SNI) (info.rules)
2036353 - ET INFO File Sharing Domain in DNS Lookup (info.rules)
2036354 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (StatusTime)
(malware.rules)
2036355 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (Comands)
(malware.rules)
2036356 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (Checkupdate)
(malware.rules)
2036357 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin M1 (malware.rules)
2036358 - ET PHISHING IRS Credential Phish Domain in DNS Lookup
(supportmicrohere .com) (phishing.rules)
2036359 - ET PHISHING IRS Credential Phish Domain in DNS Lookup
(jbdelmarket .com) (phishing.rules)
2036360 - ET PHISHING Observed Malicious SSL Cert for IRS Credential
Phish Domain (supportmicrohere .com) (phishing.rules)
2036361 - ET PHISHING Observed Malicious SSL Cert IRS Credential Phish
Domain (jbdelmarket .com) (phishing.rules)
2036362 - ET PHISHING Successful IRS Credential Phish 2022-04-25
(phishing.rules)
2036363 - ET MALWARE Innostealer Domain in DNS Lookup (windows11-upgrade
.com) (malware.rules)
2036364 - ET MALWARE Innostealer Domain in DNS Lookup (windows-11info
.com) (malware.rules)
2036365 - ET MALWARE Innostealer Domain in DNS Lookup
(windows11-infoserver .com) (malware.rules)
2036366 - ET MALWARE Innostealer Domain (windows11-upgrade .com) in TLS
SNI (malware.rules)
2036367 - ET MALWARE Innostealer Domain (windows-11info .com) in TLS SNI
(malware.rules)
2036368 - ET MALWARE Innostealer Domain (windows11-infoserver .com) in
TLS SNI (malware.rules)
2036369 - ET MALWARE GOLDBACKDOOR Domain in DNS Lookup (main .dailynk
.us) (malware.rules)
2036370 - ET MALWARE GOLDBACKDOOR Domain in DNS Lookup (lit-peak-25706
.herokuapp .com) (malware.rules)
2036371 - ET MALWARE GOLDBACKDOOR Domain (main .dailynk .us) in TLS SNI
(malware.rules)
2036372 - ET MALWARE GOLDBACKDOOR Domain (lit-peak-25706 .herokuapp .com)
in TLS SNI (malware.rules)
2036373 - ET MALWARE Innostealer Domain in DNS Lookup (seventyfor .site)
(malware.rules)
2036374 - ET MALWARE Innostealer Domain in DNS Lookup (windows-server031
.com) (malware.rules)
2036375 - ET MALWARE Innostealer Domain (windows-server031 .com) in TLS
SNI (malware.rules)
2036376 - ET MALWARE Innostealer Domain (seventyfor .site) in TLS SNI
(malware.rules)
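
The three ET HUNTING signatures above (2036336, 2036350, 2036351) flag inbound content carrying reversed copies of strings such as StrReverse, Powershell and Winmgmts, a common trick for dodging naive keyword matching until the script un-reverses them at runtime. The following is an added illustration of that hunting logic in Python, not the Emerging Threats rules themselves: the keyword list, the sample HTTP bodies and the function names are constructed for this example, and the real rules' exact content matches, offsets and flow options are not reproduced.

```python
"""Hunt for reversed suspicious strings in inbound content.

Added example, not ET's rule code. Mirrors the idea behind the
"Observed Suspicious Reversed String Inbound" hunting signatures:
look for the byte-reversed form of a keyword rather than the keyword.
"""
import re

# Constructed keyword list taken from the three rule names above; the
# production rules may match on different or additional strings.
SUSPICIOUS_KEYWORDS = ("StrReverse", "Powershell", "Winmgmts")


def reversed_patterns(keywords=SUSPICIOUS_KEYWORDS):
    """Compile one case-insensitive regex per keyword that matches its
    reversal (e.g. "StrReverse" -> "esreveRrtS"), like a nocase content match."""
    return {kw: re.compile(re.escape(kw[::-1]), re.IGNORECASE) for kw in keywords}


_PATTERNS = reversed_patterns()


def find_reversed_strings(body: bytes):
    """Return (keyword, offset) pairs for every reversed keyword found in body,
    sorted by offset. latin-1 keeps a 1:1 byte-to-char mapping so offsets
    refer to bytes, as they would in a NIDS content match."""
    text = body.decode("latin-1")
    hits = []
    for kw, pat in _PATTERNS.items():
        for m in pat.finditer(text):
            hits.append((kw, m.start()))
    return sorted(hits, key=lambda h: h[1])


def is_suspicious(body: bytes) -> bool:
    """True if any reversed suspicious keyword appears in the payload."""
    return bool(find_reversed_strings(body))


# Constructed sample inbound HTTP responses (not captured traffic).
SAMPLE_BENIGN = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><p>Welcome back.</p></body></html>"
)
# Forward-orientation keyword: should NOT fire on this reversed-string logic.
SAMPLE_FORWARD = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"run: powershell -ExecutionPolicy Bypass -File setup.ps1"
)
# Reversed keywords smuggled inside a script that un-reverses them at runtime.
SAMPLE_SUSPICIOUS = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<script language="vbscript">'
    b'a="llehsrewop":b="stmgmniw":'
    b'Execute(Eval("esreveRrtS")(a) & " " & Eval("esreveRrtS")(b))'
    b"</script>"
)


if __name__ == "__main__":
    for name, body in (("benign", SAMPLE_BENIGN),
                       ("forward", SAMPLE_FORWARD),
                       ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, is_suspicious(body), find_reversed_strings(body))
```

Only the reversed form triggers: a forward "powershell" in a normal response is left to other signatures, which is why these rules are in the HUNTING category rather than MALWARE. In a Suricata rule the same check is a plain `content:"esreveRrtS"; nocase;` on the inbound flow, with the usual false-positive review before any alert is promoted.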

[///] Modified active rules: [///]

2026921 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded
New-Object (ctT2J) in DNS TXT Response (attack_response.rules)
2031747 - ET HUNTING Observed Interesting Content-Type Inbound
(application/x-sh) (hunting.rules)
2851483 - ETPRO INFO SMB/DCERPC Bind with Little-Endian (flowbit set)
(info.rules)
2851484 - ETPRO INFO SMB/DCERPC Bind_ack with Endian Flipped (info.rules)
2851485 - ETPRO INFO SMB/DCERPC Bind_ack with Big-Endian Assoc Group
(info.rules)

[///] Modified inactive rules: [///]

2034670 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228
Callback Domain (bingsearchlib .com) (attack_response.rules)

[---] Removed rules: [---]

2838442 - ETPRO MALWARE Win32/Filecoder.STOP Variant Request for Public
Key (malware.rules)
2838443 - ETPRO MALWARE Win32/Filecoder.STOP Variant Public Key Download
(malware.rules)
2841570 - ETPRO HUNTING Observed Suspicious Reversed String Inbound
(StrReverse) (hunting.rules)
2849610 - ETPRO MALWARE Win32/Vodkagats Loader Requesting Payload
(malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
