[***] Summary: [***]

14 new OPEN, 19 new PRO (14 + 5). Loxes/Mongall, Sidewinder APT,
Various Maldoc, Agent Tesla and Miners.

Thanks @h2jazi and @malware_traffic

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036979 - ET MALWARE Loxes/Mongall Related CnC Beacon (GET) (malware.rules)
2036980 - ET MALWARE Loxes/Mongall Related CnC Beacon M2 (GET) (malware.rules)
2036981 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (navy-mil-bd .jmicc .xyz) (malware.rules)
2036982 - ET MALWARE Loxes/Mongall Related CnC Beacon M3 (GET) (malware.rules)
2036983 - ET MALWARE MalDoc Retrieving Qbot Payload 2022-06-14 (malware.rules)
2036984 - ET PHISHING Successful Generic Credential Phish 2022-06-14 (phishing.rules)
2036985 - ET MALWARE Observed DNS Query to Maldoc Domain (webnar .info) (malware.rules)
2036986 - ET MALWARE Observed DNS Query to Maldoc Domain (sportpony .ch) (malware.rules)
2036987 - ET MALWARE Observed DNS Query to Maldoc Domain (spprospekt .com .br) (malware.rules)
2036988 - ET MALWARE Observed DNS Query to Maldoc Domain (procoach .jp) (malware.rules)
2036989 - ET MALWARE Observed DNS Query to Maldoc Domain (suidi .com) (malware.rules)
2036990 - ET MALWARE Observed DNS Query to Maldoc Domain (regenerationcongo .com) (malware.rules)
2036991 - ET PHISHING Generic Phishing DNS Lookup (aberto .click2eat .co .il) (phishing.rules)
2036992 - ET PHISHING Generic Phishing DNS Lookup (xn--sapeaunoticias-kjb .com .br) (phishing.rules)

Pro:

2851772 - ETPRO ATTACK_RESPONSE Inbound PowerShell Script Fingerprinting Host System (attack_response.rules)
2851776 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-06-14 1) (coinminer.rules)
2851777 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-06-14 2) (coinminer.rules)
2851778 - ETPRO PHISHING Suspected NFT/Cryptocurrency Relating Phish Landing Page 2022-06-14 (phishing.rules)
2851779 - ETPRO MALWARE Agent Tesla Telegram Exfil (malware.rules)

[///] Modified active rules: [///]

2006380 - ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted (policy.rules)
2035284 - ET INFO Observed TA453 Related URL Shortening Service TLS SNI (litby .us) (info.rules)

[---] Disabled and modified rules: [---]

2016227 - ET EXPLOIT Metasploit Landing Page (CVE-2013-0422) (exploit.rules)
2016323 - ET DOS LibuPnP ST UDN Buffer Overflow (CVE-2012-5963) (dos.rules)
2016363 - ET DOS Miniupnpd M-SEARCH Buffer Overflow (CVE-2013-0229) (dos.rules)
2016364 - ET DOS Miniupnpd SoapAction MethodName Buffer Overflow (CVE-2013-0230) (dos.rules)
2016396 - ET WEB_CLIENT Exploit Specific Uncompressed Flash (CVE-2013-0634) (web_client.rules)
2016397 - ET WEB_CLIENT Exploit Specific Uncompressed Flash Inside of OLE (CVE-2013-0634) (web_client.rules)
2016400 - ET WEB_CLIENT Flash Action Script Invalid Regex (CVE-2013-0634) (web_client.rules)
2016401 - ET WEB_CLIENT Flash Action Script Invalid Regex (CVE-2013-0634) (web_client.rules)
2036966 - ET MALWARE Aoqin Dragon APT Related Activity (GET) (malware.rules)
2036973 - ET MALWARE Aoqin Dragon APT Related Activity (GET) (malware.rules)
2806006 - ETPRO WEB_CLIENT Internet Explorer CMarkUP Use After Free (CVE-2013-0020) (web_client.rules)
2806020 - ETPRO WEB_CLIENT Internet Explorer CMarkUP Use After Free (CVE-2013-0030) (web_client.rules)

[---] Removed rules: [---]

2016276 - ET EXPLOIT_KIT MetaSploit CVE-2012-1723 Class File (seen in live EKs) (exploit_kit.rules)
2016277 - ET EXPLOIT_KIT MetaSploit CVE-2012-1723 Class File (seen in live EKs) (exploit_kit.rules)
2807021 - ETPRO MALWARE CVE-2012-0158 related C&C beacon (malware.rules)
2816217 - ETPRO MALWARE Loxes CnC Beacon (malware.rules)
2816218 - ETPRO MALWARE Loxes CnC Beacon (malware.rules)
2851772 - ETPRO MALWARE Downloaded Powershell Fingerprinting Host (malware.rules)
