[***] Summary: [***]

10 new OPEN, 16 new PRO (10 + 6). DonotGroup, DarkCrystal RAT, Various
Phish, Others.

Thanks @ShadowChasing1, @_CERT_UA, @SethKingHi, @petrovic082

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2016897 - ET HUNTING Invalid User-Agent - MSIE 9 on Windows NT 5 (hunting.rules)
2037126 - ET MALWARE DonotGroup Maldoc Activity (GET) (malware.rules)
2037127 - ET MALWARE DonotGroup APT Related Domain in DNS Lookup (who .worksolution .buzz) (malware.rules)
2037128 - ET MALWARE DonotGroup APT Related Domain in DNS Lookup (rus .feedpolicy .xyz) (malware.rules)
2037129 - ET MALWARE Win32/Wacatac Ransomware Variant Retrieving File (GET) (malware.rules)
2037130 - ET MALWARE Observed DNS Query to DarkCrystal Rat Domain (datagroup .ddns .net) (2022-06-27) (malware.rules)
2037132 - ET MALWARE DarkCrystal Rat Stealer Data Exfiltration Activity (malware.rules)
2037133 - ET MALWARE Observed DNS Query to Win32/TrojanDropper.Agent.SLC Domain (malware.rules)
2037134 - ET PHISHING Observed DNS Query to American Express Phishing Domain (phishing.rules)
2037135 - ET MALWARE Win32/Ymacco.AA60 Checkin (malware.rules)

Pro:

2851829 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-06-24 1) (coinminer.rules)
2851830 - ETPRO MALWARE Win32/Remcos RAT Checkin 804 (malware.rules)
2851831 - ETPRO PHISHING Successful Generic Phish - Email Credentials 2022-06-27 (phishing.rules)
2851832 - ETPRO PHISHING Successful Generic Phish - Address Info 2022-06-27 (phishing.rules)
2851833 - ETPRO PHISHING Successful Generic Phish - Credit Card Data 2022-06-27 (phishing.rules)
2851834 - ETPRO PHISHING Successful Rackspace Credential Phish 2022-06-27 (phishing.rules)

[///] Modified active rules: [///]

2012619 - ET USER_AGENTS Suspicious User-Agent Mozilla/3.0 (user_agents.rules)
2013967 - ET USER_AGENTS Suspicious User-Agent (adlib) (user_agents.rules)
2016950 - ET MALWARE Possible Win32/Hupigon ip.txt with a Non-Mozilla UA (malware.rules)
2019833 - ET MALWARE Possible Dyre SSL Cert (fake state) (malware.rules)
2034545 - ET MALWARE DonotGroup Maldoc Activity (GET) (malware.rules)
2035942 - ET MALWARE Observed DNS Query to Fodcha Bot Domain (malware.rules)
2037103 - ET MALWARE Win32/Matanbuchus Loader Related Domain in DNS Lookup (collectiontelemetrysystem .com) (malware.rules)
2037104 - ET MALWARE Win32/Matanbuchus Loader Related Domain in DNS Lookup (telemetrysystemcollection .com) (malware.rules)
2037124 - ET PHISHING Successful ING Group Phish 2022-06-24 (phishing.rules)
2808202 - ETPRO USER_AGENTS Suspicious User-Agent (None) (user_agents.rules)
2835780 - ETPRO MALWARE Win32/Dexple.A Checkin (malware.rules)

[---] Disabled and modified rules: [---]

2017478 - ET WEB_CLIENT Microsoft IE Memory Corruption Inbound (CVE-2013-3893) (web_client.rules)
2017480 - ET WEB_CLIENT Microsoft IE Memory Corruption Inbound (CVE-2013-3893) (web_client.rules)
2018342 - ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing Mar 31 2014 (exploit_kit.rules)
2806358 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer VML Use After Free 2 (CVE-2013-2551) (web_client.rules)
2806359 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer VML Use After Free 1 (CVE-2013-2551) (web_client.rules)
2816506 - ETPRO MALWARE Possible Cerber Ransomware IP Check (malware.rules)

[---] Removed rules: [---]

2016897 - ET MALWARE Possible Win32/Gapz MSIE 9 on Windows NT 5 (malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team