[***] Summary: [***]

14 new OPEN, 23 new PRO (14 + 9). ZuoRAT, Remcos, Various SSL/TLS,
Others.

Thanks @InQuest, @reecdeep, @BlackLotusLabs

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2018284 - ET HUNTING Self-Signed Cert O=XX Observed (hunting.rules)
2037017 - ET MALWARE Lyceum Backdoor CnC Response (malware.rules)
2037136 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
(malware.rules)
2037137 - ET USER_AGENTS Suspicious User-Agent (Windows Explorer)
(user_agents.rules)
2037138 - ET PHISHING Sendinblue Credential Theft Landing Page 2022-06-28
(phishing.rules)
2037139 - ET MALWARE ZuoRAT send_http_msg_php Call to ssid.php
(malware.rules)
2037140 - ET MALWARE ZuoRAT send_http_msg_php Call to dns.php
(malware.rules)
2037141 - ET MALWARE ZuoRAT send_http_msg_php Call to arp.php
(malware.rules)
2037142 - ET MALWARE ZuoRAT Windows Loader Shellcode Retrieval
(malware.rules)
2037143 - ET MALWARE ZuoRAT CBeacon CnC (malware.rules)
2037144 - ET MALWARE ZuoRAT GoBeacon CnC (malware.rules)
2037145 - ET MALWARE Win32/Khaosz.A!MTB Checkin (malware.rules)
2037146 - ET MALWARE Win32/Wacapew.C!ml Checkin (malware.rules)
2037147 - ET PHISHING Successful ANZ Internet Banking Phish 2022-06-23
(phishing.rules)

Pro:

2851835 - ETPRO MOBILE_MALWARE Android/Jocker.13375079 Checkin
(mobile_malware.rules)
2851836 - ETPRO MALWARE Win32/Remcos RAT Checkin 805 (malware.rules)
2851837 - ETPRO MALWARE Win32/Remcos RAT Checkin 806 (malware.rules)
2851838 - ETPRO MALWARE Win32/Remcos RAT Checkin 807 (malware.rules)
2851839 - ETPRO MALWARE Possible MalDoc Retrieving Payload (2022-06-28)
(malware.rules)
2851840 - ETPRO PHISHING Observed DNS Query to O365 QR Phishing Domain
(phishing.rules)
2851841 - ETPRO PHISHING Malicious SSL Certificate detected
(office365enroll .com) (phishing.rules)
2851842 - ETPRO PHISHING Observed DNS Query to O365 QR Phishing Domain
(phishing.rules)
2851843 - ETPRO PHISHING Malicious SSL Certificate detected
(office365webmail .com) (phishing.rules)

[///] Modified active rules: [///]

2851738 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Ermak.a Checkin
(mobile_malware.rules)

[---] Disabled and modified rules: [---]

2807100 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
(CVE-2013-3873) (web_client.rules)
2807101 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
(CVE-2013-3874) (web_client.rules)
2807201 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
(CVE-2013-3871) 1 (web_client.rules)

[---] Removed rules: [---]

2017563 - ET EXPLOIT_KIT Possible Java CVE-2013-2465 Based on PoC
(exploit_kit.rules)
2017704 - ET WEB_CLIENT Possible IE 0day CVE-2013-3918 1
(web_client.rules)
2017705 - ET WEB_CLIENT Possible IE 0day CVE-2013-3918 2
(web_client.rules)
2018284 - ET MALWARE Self-Signed Cert Observed in Various Zbot Strains
(malware.rules)
2037017 - ET ATTACK_RESPONSE Lyceum Backdoor CnC Response
(attack_response.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
