[***] Summary: [***]

20 new OPEN, 28 new PRO (20 + 8). Win32/NetDooka, Various PowerShell,
Various Phish, Others.

Thanks @TrendMicro and @malwarebytes

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034226 - ET MALWARE Observed Malicious SSL/TLS Certificate (MagnitudeEK
Associated) (malware.rules)
2034227 - ET MALWARE Observed Malicious SSL/TLS Certificate (MagnitudeEK
Associated) (malware.rules)
2036360 - ET MALWARE Observed Malicious SSL Cert for IRS Credential Phish
Domain (supportmicrohere .com) (malware.rules)
2036361 - ET MALWARE Observed Malicious SSL Cert IRS Credential Phish
Domain (jbdelmarket .com) (malware.rules)
2036611 - ET MALWARE MSIL/SysNt Corp DotNetRAT CnC Activity
(malware.rules)
2036612 - ET MALWARE Win32/NetDooka Framework Related Activity (POST)
(malware.rules)
2036613 - ET MALWARE Win32/NetDooka Framework RAT Sending Session ID
(malware.rules)
2036614 - ET MALWARE Win32/NetDooka Framework RAT Sending System
Information M1 (malware.rules)
2036615 - ET MALWARE Win32/NetDooka Framework RAT Sending File
(malware.rules)
2036616 - ET MALWARE Win32/NetDooka Framework RAT Sending System
Information M2 (malware.rules)
2036617 - ET PHISHING Axie Infinity Credential Phish Landing Page M1
2022-05-18 (phishing.rules)
2036618 - ET PHISHING Successful Axie Infinity Credential Phish M1
2022-05-18 (phishing.rules)
2036619 - ET PHISHING Successful Axie Infinity Credential Phish M2
2022-05-18 (phishing.rules)
2036620 - ET PHISHING Axie Infinity Credential Phish Landing Page M2
2022-05-18 (phishing.rules)
2036621 - ET PHISHING Axie Infinity Credential Phish Landing Page M3
2022-05-18 (phishing.rules)
2036622 - ET MALWARE Powershell/CustomRAT CnC Domain in DNS Lookup
(kleinm .de) (malware.rules)
2036623 - ET MALWARE Observed PowerShell/CustomRAT Domain (kleinm .de) in
TLS SNI (malware.rules)
2036624 - ET MALWARE PowerShell/CustomRAT CnC Traffic (malware.rules)
2036625 - ET MALWARE Credit Card Scraper Domain in DNS Lookup (authorizen
.net) (malware.rules)
2036626 - ET HUNTING Possible PHP Backdoor Command Execution
(hunting.rules)

Pro:

2851666 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-05-17 1) (coinminer.rules)
2851667 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-05-17 2) (coinminer.rules)
2851668 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-05-17 3) (coinminer.rules)
2851670 - ETPRO PHISHING Lastpass Credential Phishing Attempt
(phishing.rules)
2851671 - ETPRO PHISHING DNS Query to Lastpass Phishing domain (lastpass
.colleqeinvest .org) (phishing.rules)
2851672 - ETPRO PHISHING Observed Lastpass Phishing Domain (lastpass
.colleqeinvest .org) in TLS SNI (phishing.rules)

[///] Modified active rules: [///]

2034429 - ET MALWARE Observed Malicious SSL/TLS Certificate (Jasper CnC)
(malware.rules)
2036593 - ET PHISHING Successful Generic Cryptowallet Credential Phish
2022-05-12 (phishing.rules)
2848964 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2021-06-14 3) (coinminer.rules)
2849222 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2021-07-06 3) (coinminer.rules)
2849256 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2021-07-10 2) (coinminer.rules)
2849281 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2021-07-14 6) (coinminer.rules)
2849296 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2021-07-14 1) (coinminer.rules)
2849297 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2021-07-14 2) (coinminer.rules)
2849298 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2021-07-14 3) (coinminer.rules)
2849327 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2021-07-15 3) (coinminer.rules)
2849362 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2021-07-21 3) (coinminer.rules)
2850429 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2021-11-11 3) (coinminer.rules)
2851216 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT)
(malware.rules)
2851253 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC)
(malware.rules)
2851411 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC)
(malware.rules)

[///] Modified inactive rules: [///]

2824636 - ETPRO MALWARE Possible Malicious SSL - Default Values and
Serial 0 (Ursnif CnC) (malware.rules)

[---] Removed rules: [---]

2034226 - ET EXPLOIT_KIT Observed Malicious SSL/TLS Certificate
(MagnitudeEK Associated) (exploit_kit.rules)
2034227 - ET EXPLOIT_KIT Observed Malicious SSL/TLS Certificate
(MagnitudeEK Associated) (exploit_kit.rules)
2036360 - ET PHISHING Observed Malicious SSL Cert for IRS Credential
Phish Domain (supportmicrohere .com) (phishing.rules)
2036361 - ET PHISHING Observed Malicious SSL Cert IRS Credential Phish
Domain (jbdelmarket .com) (phishing.rules)
2849774 - ETPRO MALWARE MSIL/SysNt Corp DotNetRAT CnC Activity
(malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | Proofpoint Inc | Emerging Threats Team
