[***] Summary: [***]
14 new OPEN, 20 new PRO (14 + 6). Nerbian RAT, Win32/AveMaria, CYY,
Others.
Thanks @InQuest
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2036414 - ET MALWARE DDoS Win32/Nitol.A Checkin (malware.rules)
2036415 - ET MALWARE Win32.ServStart.D Checkin (malware.rules)
2036416 - ET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954) (exploit.rules)
2036417 - ET MALWARE Nobelium APT Related Activity (GET) (malware.rules)
2036418 - ET MALWARE China Based APT Related Domain in DNS Lookup (p1 .offline-microsoft .com) (malware.rules)
2036419 - ET MALWARE China Based APT Related Domain in DNS Lookup (portal .super-encrypt .com) (malware.rules)
2036420 - ET INFO URL Shortening Service Domain in DNS Lookup (gg-l .xyz) (info.rules)
2036421 - ET INFO Observed URL Shortening Service Domain (gg-l .xyz in TLS SNI) (info.rules)
2036422 - ET INFO Observed Abused Redirect Service SSL Cert (svc .dynamics .com) (info.rules)
2036423 - ET INFO Observed File Sharing Domain (www .cloudme .com in TLS SNI) (info.rules)
2036424 - ET INFO File Retrieved from File Sharing Site (cloudme .com) (info.rules)
2036425 - ET MOBILE_MALWARE Android/FakeWallet.D Activity (GET) (mobile_malware.rules)
2036426 - ET MALWARE Nerbian RAT CnC Checkin (malware.rules)
2036427 - ET MALWARE Nerbian RAT Data Exfiltration (malware.rules)
Pro:
2851545 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-29 1) (coinminer.rules)
2851546 - ETPRO MALWARE Win32/TrojanDownloader.Agent.PXV Checkin (malware.rules)
2851547 - ETPRO ADWARE_PUP CYY iMsg+ Checkin (adware_pup.rules)
2851548 - ETPRO MALWARE Win32/AveMaria CnC Exfil M1 (malware.rules)
2851549 - ETPRO MALWARE Win32/AveMaria CnC Exfil M2 (malware.rules)
2851550 - ETPRO MALWARE Win32/MetaStealer/TinyFluff Fake Avast AV Update (GET) (malware.rules)
[///] Modified active rules: [///]
2035696 - ET MALWARE Win32/WindowsDefender Bypass Download Request (malware.rules)
2036269 - ET ADWARE_PUP Win/Malware.Filetour Variant Checkin (adware_pup.rules)
2036303 - ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check (hunting.rules)
2036362 - ET PHISHING Successful IRS Credential Phish 2022-04-25 (phishing.rules)
2036379 - ET PHISHING Successful Microsoft Account Credential Phish 2022-04-26 (phishing.rules)
2036392 - ET EXPLOIT [ConnectWise CRU] Java ECDSA (Psychic) Signed JWT Bypass (CVE-2022-21449) (exploit.rules)
2851362 - ETPRO MALWARE Win32/MetaStealer/TinyFluff Related Activity (GET) (malware.rules)
2851363 - ETPRO MALWARE Win32/MetaStealer/TinyFluff Related Activity (POST) (malware.rules)
2851539 - ETPRO PHISHING Landbank Credential Phish Landing Page M2 2022-04-28 (phishing.rules)
2851540 - ETPRO PHISHING Landbank Credential Phish Landing Page M4 2022-04-28 (phishing.rules)
2851541 - ETPRO PHISHING Landbank Credential Phish Landing Page M6 2022-04-28 (phishing.rules)
2851543 - ETPRO PHISHING Successful Landbank Credential Phish M2 2022-04-28 (phishing.rules)
2851544 - ETPRO PHISHING Successful Landbank Credential Phish M3 2022-04-28 (phishing.rules)
[---] Removed rules: [---]
2023317 - ET EXPLOIT BIND9 msg->reserved Assertion DoS Packet Inbound (CVE-2016-2776) (exploit.rules)
2816642 - ETPRO MALWARE Win32.ServStart.D Checkin (malware.rules)
2829522 - ETPRO MALWARE DDoS Win32/Nitol.A Checkin (malware.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team