[***] Summary: [***]
30 new OPEN, 39 new PRO (30 + 9). Win32/SVCReady, Cobalt Strike, Generic Stealer, Various Phish, Others.
Thanks @RedDrip7, @0xrb, @TrendMicro, @StopMalvertisin, @twinwavesec
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2036855 - ET MALWARE Observed Win32/SVCReady Loader User-Agent (malware.rules)
2036856 - ET MALWARE Win32/SVCReady Loader CnC Activity (malware.rules)
2036857 - ET MALWARE Win32/SVCReady Loader Requesting Payload (malware.rules)
2036858 - ET MALWARE PlugX CnC Beacon (malware.rules)
2036859 - ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2 (malware.rules)
2036860 - ET INFO External IP Lookup Domain (freegeiop .net in DNS lookup) (info.rules)
2036861 - ET MALWARE Gh0st RAT Backdoor Checkin (malware.rules)
2036863 - ET MALWARE Win32/SVCReady Loader CnC Activity M2 (malware.rules)
2036864 - ET MALWARE Win32/SVCReady Loader - Logs (malware.rules)
2036865 - ET MALWARE Win32/SVCReady Loader - SysInfo M1 (malware.rules)
2036866 - ET MALWARE Win32/SVCReady Loader - SysInfo M2 (malware.rules)
2036867 - ET MALWARE Win32/SVCReady Loader - Screenshot (malware.rules)
2036868 - ET MALWARE Transparent Tribe APT Related Backdoor Receiving Command (Inbound) (malware.rules)
2036869 - ET MALWARE Transparent Tribe APT Related Backdoor Sending System Information (malware.rules)
2036870 - ET INFO Anonymous File Sharing Domain in DNS Lookup (fromsmash .co) (info.rules)
2036871 - ET INFO Observed Anonymous File Sharing Service in SSL Cert (fromsmash .co) (info.rules)
2036872 - ET MALWARE Earth Berberoka Domain in DNS Lookup (malware.rules)
2036873 - ET INFO Peer-to-Peer File Sharing Service Domain in DNS Lookup (ipfs .io) (info.rules)
2036874 - ET INFO Observed Peer-to-Peer File Sharing Service Domain (ipfs .io in TLS SNI) (info.rules)
2036875 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (nod-update .it) (malware.rules)
2036876 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
2036877 - ET WEB_CLIENT [TW] WEBDAV UA (web_client.rules)
2036878 - ET WEB_CLIENT [TW] CAB From Possible WebDAV Share Possible DiagCab Abuse Attempt (web_client.rules)
2036879 - ET WEB_CLIENT [TW] CAB From Possible WebDAV Share Possible DiagCab Abuse Attempt (web_client.rules)
2036880 - ET WEB_CLIENT [TW] WEBDAV Requesting Startup Dir (web_client.rules)
2036881 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
2036882 - ET MALWARE Generic Stealer Config Download Request (malware.rules)
2036883 - ET MALWARE Generic Stealer Config from Server (malware.rules)
2036884 - ET MALWARE Generic Stealer Sending System Information M1 (malware.rules)
2036885 - ET MALWARE Generic Stealer Sending System Information M2 (malware.rules)
Pro:
2851744 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-06-05 1) (coinminer.rules)
2851745 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-06-05 2) (coinminer.rules)
2851746 - ETPRO MALWARE MSIL/TrojanDownloader.Small.CUV Variant Checkin (malware.rules)
2851747 - ETPRO MALWARE EvilNum Related Domain in DNS Lookup (malware.rules)
2851748 - ETPRO PHISHING Request for Generic Phishing Landing Page 2022-06-06 (phishing.rules)
2851749 - ETPRO PHISHING Successful Generic Credential Phish 2022-06-06 (phishing.rules)
2851750 - ETPRO PHISHING Request for Chase Phishing Landing Page 2022-06-06 (phishing.rules)
2851751 - ETPRO PHISHING Successful Chase Credential Phishing 2022-06-06 M1 (phishing.rules)
2851752 - ETPRO PHISHING Successful Chase Credential Phishing 2022-06-06 M2 (phishing.rules)
[///] Modified active rules: [///]
2035939 - ET MALWARE Fodcha Bot CnC Checkin (malware.rules)
2036826 - ET MALWARE Polonium CreepyDrive Implant Request (malware.rules)
2036827 - ET MALWARE Polonium CreepyDrive Upload Request (malware.rules)
2036829 - ET MALWARE Polonium CreepyDrive Client CnC Response (malware.rules)
2808175 - ETPRO MALWARE Backdoor.DarkMoon C2 Activity (malware.rules)
2851741 - ETPRO MALWARE Request for ghjkl.exe observed commonly leading to stealers (malware.rules)
[---] Removed rules: [---]
2812526 - ETPRO MALWARE PlugX CnC Beacon (malware.rules)
2823675 - ETPRO MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2 (malware.rules)
2825352 - ETPRO POLICY External IP Lookup Domain (freegeiop .net in DNS lookup) (policy.rules)
2826082 - ETPRO MALWARE Gh0st RAT Backdoor Checkin (malware.rules)
2850296 - ETPRO MALWARE Observed Win32/SVCReady Loader User-Agent (malware.rules)
2850297 - ETPRO MALWARE Win32/SVCReady Loader CnC Activity (malware.rules)
2850298 - ETPRO MALWARE Win32/SVCReady Loader Requesting Payload (malware.rules)
2851650 - ETPRO MALWARE Win32/SVCReady Loader CnC Activity M2 (malware.rules)
2851651 - ETPRO MALWARE Win32/SVCReady Loader - Logs (malware.rules)
2851652 - ETPRO MALWARE Win32/SVCReady Loader - SysInfo M1 (malware.rules)
2851653 - ETPRO MALWARE Win32/SVCReady Loader - SysInfo M2 (malware.rules)
2851654 - ETPRO MALWARE Win32/SVCReady Loader - Screenshot (malware.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team