[***] Summary: [***]

7 new OPEN, 23 new PRO (7 + 16) Cobalt Strike, Patchwork, Various
Android Malware, and EvilNum DNS sigs.

Thanks @TheDFIRReport, @katechondic, and @RedDrip7

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036675 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
2036676 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
2036677 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
2036678 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
2036679 - ET MALWARE Win32/SiMay RAT Activity M2 (GET) (malware.rules)
2036680 - ET MALWARE Patchwork APT Related Domain in DNS Lookup
(dayspringdesk .xyz) (malware.rules)
2036681 - ET MALWARE Downloader/Win.MalXll.R466354 Payload Request
(malware.rules)

Pro:

2851684 - ETPRO MOBILE_MALWARE Android ValadSpy-A CnC Domain in DNS
Lookup (mobile_malware.rules)
2851685 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.abh CnC
Domain in DNS Lookup (mobile_malware.rules)
2851686 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CBO CnC Domain in
DNS Lookup (mobile_malware.rules)
2851687 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.abh CnC
Domain in DNS Lookup 2 (mobile_malware.rules)
2851688 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.aat CnC
Domain in DNS Lookup (mobile_malware.rules)
2851689 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.aat CnC
Domain in DNS Lookup 2 (mobile_malware.rules)
2851690 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.abh CnC
Domain in DNS Lookup 3 (mobile_malware.rules)
2851691 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BWB CnC Domain in
DNS Lookup (mobile_malware.rules)
2851692 - ETPRO MALWARE Filez Downloader Checkin (malware.rules)
2851693 - ETPRO MALWARE EvilNum Related Domain in DNS Lookup (malware.rules)
2851694 - ETPRO MALWARE EvilNum Related Domain in DNS Lookup (malware.rules)
2851695 - ETPRO MALWARE EvilNum Related Domain in DNS Lookup (malware.rules)
2851696 - ETPRO MALWARE EvilNum Related Domain in DNS Lookup (malware.rules)
2851697 - ETPRO MALWARE EvilNum Related Domain in DNS Lookup (malware.rules)
2851698 - ETPRO MALWARE Suspected Maldoc Sending Base64 Encoded URI
(GET) (malware.rules)
2851699 - ETPRO PHISHING Successful Generic Phish 2022-05-25 (phishing.rules)

[///] Modified active rules: [///]

2023472 - ET POLICY External IP Lookup Domain (myip .opendns .com in
DNS lookup) (policy.rules)
2850296 - ETPRO MALWARE Observed Win32/SVCReady Loader User-Agent
(malware.rules)
2850297 - ETPRO MALWARE Win32/SVCReady Loader CnC Activity (malware.rules)
2850298 - ETPRO MALWARE Win32/SVCReady Loader Requesting Payload
(malware.rules)
2851650 - ETPRO MALWARE Win32/SVCReady Loader CnC Activity M2 (malware.rules)
2851651 - ETPRO MALWARE Win32/SVCReady Loader - Logs (malware.rules)
2851652 - ETPRO MALWARE Win32/SVCReady Loader - SysInfo M1 (malware.rules)
2851653 - ETPRO MALWARE Win32/SVCReady Loader - SysInfo M2 (malware.rules)
2851654 - ETPRO MALWARE Win32/SVCReady Loader - Screenshot (malware.rules)

[///] Modified inactive rules: [///]

2011819 - ET POLICY Zero Content-Length HTTP POST with data
(outbound) (policy.rules)
