[***] Summary: [***]

40 new OPEN, 40 new PRO (40 + 0). Various CVE, Cobalt Strike, TA401,
Win32/Darkme and Deathstalker/Evilnum.

Thanks @Tarlogic, @RhinoSecurity, @k3dg3, @CadoSecurity,
@NSFOCUS_Intl, @MsftSecIntel and @h2jazi

Today is Free Sig Friday, so all signatures went into the OPEN set.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036815 - ET WEB_SPECIFIC_APPS Bonitasoft Default User Login Attempt
M1 (Possible Staging for CVE-2022-25237) (web_specific_apps.rules)
2036816 - ET WEB_SPECIFIC_APPS Bonitasoft Default User Login Attempt
M2 (Possible Staging for CVE-2022-25237) (web_specific_apps.rules)
2036817 - ET EXPLOIT Bonitasoft Successful Default User Login
Attempt (Possible Staging for CVE-2022-25237) (exploit.rules)
2036818 - ET EXPLOIT Bonitasoft Authorization Bypass M1
(CVE-2022-25237) (exploit.rules)
2036819 - ET EXPLOIT Bonitasoft Authorization Bypass M2
(CVE-2022-25237) (exploit.rules)
2036820 - ET EXPLOIT Bonitasoft Authorization Bypass and RCE Upload
M2 (CVE-2022-25237) (exploit.rules)
2036821 - ET EXPLOIT Bonitasoft Authorization Bypass and RCE Upload
M1 (CVE-2022-25237) (exploit.rules)
2036822 - ET MALWARE Observed DOUBLEBACK CnC Domain (bestcake .ca in
TLS SNI) (malware.rules)
2036823 - ET MALWARE DOUBLEBACK CnC Activity (malware.rules)
2036824 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
2036825 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
2036826 - ET MALWARE Polonium CreepyDrive Implant Request (malware.rules)
2036827 - ET MALWARE Polonium CreepyDrive Upload Request (malware.rules)
2036828 - ET MALWARE Polonium CreepyDrive Download Request (malware.rules)
2036829 - ET MALWARE Polonium CreepyDrive Client CnC Response (malware.rules)
2036830 - ET PHISHING Generic Cryptowallet Credential Phish Landing
Page 2022-06-03 (phishing.rules)
2036831 - ET MALWARE TA401 Arid Viper CnC Domain in DNS Lookup
(sknzy-mysl .vip) (malware.rules)
2036832 - ET MALWARE Observed Malicious SSL Cert (Darkme CnC) (malware.rules)
2036833 - ET MALWARE Observed Malicious SSL Cert (Darkme CnC) (malware.rules)
2036834 - ET MALWARE Observed Malicious SSL Cert (Darkme CnC) (malware.rules)
2036835 - ET MALWARE Win32/Darkme Trojan Checkin M1 (malware.rules)
2036836 - ET MALWARE Win32/Darkme Trojan Checkin M2 (malware.rules)
2036837 - ET MALWARE Win32/Darkme CnC Domain in DNS Lookup
(muasaashshaj .com) (malware.rules)
2036838 - ET MALWARE Win32/Darkme CnC Domain in DNS Lookup
(pallomnareraebrazo .com) (malware.rules)
2036839 - ET MALWARE Win32/Darkme CnC Domain in DNS Lookup
(aka7newmalp23 .com) (malware.rules)
2036840 - ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (8as1s2
.com) (malware.rules)
2036841 - ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (938jss
.com) (malware.rules)
2036842 - ET MALWARE Win32/Darkme CnC Domain in DNS Lookup
(kalpoipolpmi .net) (malware.rules)
2036843 - ET MALWARE Win32/Darkme CnC Domain in DNS Lookup
(cspapop110 .com) (malware.rules)
2036844 - ET MALWARE Win32/Darkme CnC Domain in DNS Lookup
(csmmmsp099q .com) (malware.rules)
2036845 - ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS
Lookup (bukjut11 .com) (malware.rules)
2036846 - ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS
Lookup (puccino .altervista .org) (malware.rules)
2036847 - ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS
Lookup (1b) (malware.rules)
2036848 - ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS
Lookup (storangefilecloud .vip) (malware.rules)
2036849 - ET MALWARE Deathstalker/Evilnum Delivery Domain (bukjut11
.com) in TLS SNI (malware.rules)
2036850 - ET MALWARE Deathstalker/Evilnum Delivery Domain (puccino
.altervista .org) in TLS SNI (malware.rules)
2036851 - ET MALWARE Deathstalker/Evilnum Delivery Domain
(storangefilecloud .vip) in TLS SNI (malware.rules)
2036852 - ET HUNTING DNS Lookup to (laurentprotector .com) (hunting.rules)
2036853 - ET HUNTING Suspicious Domain (laurentprotector .com) in
TLS SNI (hunting.rules)
2036854 - ET MALWARE WatchDog Coinminer Payload Delivery Domain in
DNS Lookup (oracle .zzhreceive .top) (malware.rules)

[///] Modified active rules: [///]

2036593 - ET PHISHING Successful Generic Cryptowallet Credential
Phish 2022-05-12 (phishing.rules)
2036741 - ET MALWARE Pandorahvnc/Pikolo RAT Checkin Activity (malware.rules)
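
Two things a detection engineer usually wants out of a changelog like the one above are the SIDs to enable and the defanged indicators (written "bukjut11 .com" style) to refang for hunting. The script below is an added example, not Emerging Threats code: it parses entries in this post's format, rejoining the wrapped continuation lines and collecting CVE references and defanged domains per rule. The embedded excerpt is copied from the list above as test input; the enable.conf layout (one bare SID per line, '#' comments) follows suricata-update's documented format, and the dataclass/function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed input: a handful of entries copied from the changelog above,
# kept exactly as they wrap in the post (including domains split across lines).
CHANGELOG = """\
[+++] Added rules: [+++]

Open:

2036818 - ET EXPLOIT Bonitasoft Authorization Bypass M1
(CVE-2022-25237) (exploit.rules)
2036822 - ET MALWARE Observed DOUBLEBACK CnC Domain (bestcake .ca in
TLS SNI) (malware.rules)
2036849 - ET MALWARE Deathstalker/Evilnum Delivery Domain (bukjut11
.com) in TLS SNI (malware.rules)
2036850 - ET MALWARE Deathstalker/Evilnum Delivery Domain (puccino
.altervista .org) in TLS SNI (malware.rules)
2036854 - ET MALWARE WatchDog Coinminer Payload Delivery Domain in
DNS Lookup (oracle .zzhreceive .top) (malware.rules)

[///] Modified active rules: [///]

2036741 - ET MALWARE Pandorahvnc/Pikolo RAT Checkin Activity (malware.rules)
"""

SECTION = re.compile(r"^\[(?:\+\+\+|///)\] (Added|Modified)")
ENTRY_START = re.compile(r"^(\d+) - (.*)$")
RULEFILE = re.compile(r"\(([a-z_]+\.rules)\)\s*$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")
# ET defangs domains by putting a space before each dot: "puccino .altervista .org"
DEFANGED = re.compile(r"\b([a-z0-9][a-z0-9-]*(?: \.[a-z0-9][a-z0-9-]*)+)\b", re.I)


@dataclass
class RuleEntry:
    sid: int
    msg: str
    rulefile: str
    section: str                      # "added" or "modified"
    cves: list = field(default_factory=list)
    domains: list = field(default_factory=list)   # refanged


def refang(domain):
    """Turn 'bukjut11 .com' back into 'bukjut11.com'."""
    return domain.replace(" .", ".")


def parse_changelog(text):
    """Parse an ET changelog into RuleEntry objects, unwrapping continuation lines."""
    raw_entries = []      # [section, full entry text]
    section, current = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        sec = SECTION.match(line)
        if sec:
            section, current = sec.group(1).lower(), None
            continue
        start = ENTRY_START.match(line)
        if start:
            current = [section, line]
            raw_entries.append(current)
        elif current is not None and line.strip():
            # A line that does not start with a SID is the wrapped tail of the previous entry.
            current[1] += " " + line.strip()

    entries = []
    for section, text in raw_entries:
        sid, msg = text.split(" - ", 1)
        rf = RULEFILE.search(msg)
        rulefile = rf.group(1) if rf else ""
        msg = RULEFILE.sub("", msg).strip()
        entries.append(RuleEntry(
            sid=int(sid), msg=msg, rulefile=rulefile, section=section,
            cves=CVE.findall(msg),
            domains=[refang(d) for d in DEFANGED.findall(msg)],
        ))
    return entries


def ioc_index(entries):
    """Map each refanged domain to the SIDs that reference it."""
    index = {}
    for e in entries:
        for d in e.domains:
            index.setdefault(d, []).append(e.sid)
    return index


def enable_conf_lines(entries, section="added"):
    """Lines for a suricata-update enable.conf: a '#' comment, then the bare SID."""
    lines = []
    for e in entries:
        if e.section == section:
            lines.append(f"# {e.msg} ({e.rulefile})")
            lines.append(str(e.sid))
    return lines


if __name__ == "__main__":
    parsed = parse_changelog(CHANGELOG)
    print("\n".join(enable_conf_lines(parsed)))
    for domain, sids in ioc_index(parsed).items():
        print(f"{domain:30} {sids}")
```

Feeding the whole post (rather than the excerpt) to parse_changelog works the same way, since the "[+++]" and "[///]" headers reset the parser and everything before the first header is ignored. The DNS-lookup and TLS-SNI rules for the same domain land under one key in ioc_index, which is convenient when building a hunt list from both detection methods.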
