[***] Summary: [***]
6 new OPEN, 16 new PRO (6 + 10). CVE-2022-21449, CoinMiners, Various Android, Others.
Thanks @orange_8361, @hakivvi, @StuDontPlay
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2036377 - ET EXPLOIT [ConnectWise CRU] Java ECDSA (Psychic) TLS Signature (CVE-2022-21449) (exploit.rules)
2036378 - ET EXPLOIT WSO2 Server RCE (CVE-2022-29464) (exploit.rules)
2036379 - ET PHISHING Successful Microsoft Account Credential Phish 2022-04-26 (phishing.rules)
2036380 - ET PHISHING Microsoft Account Credential Phish Landing Page 2022-04-26 (phishing.rules)
2036381 - ET HUNTING Possible Bot CnC Checkin (GET) (hunting.rules)
2036382 - ET HUNTING Possible Bot CnC Beacon (GET) (hunting.rules)
Pro:
2851522 - ETPRO MOBILE_MALWARE Observed Android/Spy.SmsSpy.TN Domain in TLS SNI (mobile_malware.rules)
2851523 - ETPRO MOBILE_MALWARE Observed Backdoor.AndroidOS.Basdoor.c Domain in TLS SNI (mobile_malware.rules)
2851524 - ETPRO MOBILE_MALWARE Observed Android/TrojanDropper.Agent.JMW Domain in TLS SNI (mobile_malware.rules)
2851525 - ETPRO MOBILE_MALWARE Observed Trojan-Dropper.AndroidOS.Hqwar.gx Domain in TLS SNI (mobile_malware.rules)
2851526 - ETPRO MOBILE_MALWARE Observed Android/Spy.Agent.BWC Domain in TLS SNI (mobile_malware.rules)
2851527 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-26 1) (coinminer.rules)
2851528 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-26 2) (coinminer.rules)
2851529 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-26 3) (coinminer.rules)
2851530 - ETPRO MALWARE Maldoc Sending System Information (GET) (malware.rules)
2851531 - ETPRO MALWARE MS Office Macro Qbot Download URI Apr 26 2022 (malware.rules)
[///] Modified active rules: [///]
2036300 - ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1 (hunting.rules)
2036301 - ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2 (hunting.rules)
2036302 - ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3 (hunting.rules)
2036353 - ET INFO File Sharing Domain in DNS Lookup (drive .protonmail .com) (info.rules)
2838131 - ETPRO INFO HTTP Request with Lowercase connection Header Observed (info.rules)
2838132 - ETPRO INFO HTTP Request with Lowercase accept Header Observed (info.rules)
2845390 - ETPRO INFO HTTP Request with Lowercase host Header Observed (info.rules)
2845391 - ETPRO INFO HTTP Request with Lowercase user-agent Header Observed (info.rules)
2851376 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-04 3) (coinminer.rules)
2851437 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-14 3) (coinminer.rules)
[---] Disabled and modified rules: [---]
2002192 - ET CHAT MSN status change (chat.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | Proofpoint Inc | Emerging Threats Team