[***] Summary: [***]
65 new OPEN, 70 new PRO (65 + 5). EvilNum, Cobalt Strike, Various Phish,
Others.
Thanks @zscaler, @KasperskyICS
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2037148 - ET MALWARE EvilNum APT Related Domain in DNS Lookup
(bookaustriavisit .com) (malware.rules)
2037149 - ET MALWARE EvilNum APT Related Domain in DNS Lookup
(msdllopt .com) (malware.rules)
2037150 - ET MALWARE EvilNum APT Related Domain in DNS Lookup
(pcamanalytics .com) (malware.rules)
2037151 - ET MALWARE EvilNum APT Related Domain in DNS Lookup
(estimefm .org) (malware.rules)
2037152 - ET MALWARE EvilNum APT Related Domain in DNS Lookup
(imageztun .com) (malware.rules)
2037153 - ET MALWARE ShadowPad Backdoor Related Domain in DNS Lookup
(grandfoodtony .com) (malware.rules)
2037154 - ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M6
(malware.rules)
2037155 - ET HUNTING Microsoft Office User-Agent Requesting A Doc File
(hunting.rules)
2037156 - ET HUNTING Microsoft Office User-Agent Requesting An Excel File
(hunting.rules)
2037157 - ET PHISHING Generic Credential Phish Landing Page 2022-06-29
(phishing.rules)
2037158 - ET PHISHING Successful Caixa Credential Phish 2022-06-29
(phishing.rules)
2037159 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (sharepointin .com) (info.rules)
2037160 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (templatern .com) (info.rules)
2037161 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (prizegives .com) (info.rules)
2037162 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (shareholds .com) (info.rules)
2037163 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (mesharepoint .com) (info.rules)
2037164 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (prizewings .com) (info.rules)
2037165 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (doctricant .com) (info.rules)
2037166 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (sharession .com) (info.rules)
2037167 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (sharepointle .com) (info.rules)
2037168 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (mcsharepoint .com) (info.rules)
2037169 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (officenced .com) (info.rules)
2037170 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (templatent .com) (info.rules)
2037171 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (sharepointen .com) (info.rules)
2037172 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (officence .com) (info.rules)
2037173 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (templateau .com) (info.rules)
2037174 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (sharesbyte .com) (info.rules)
2037175 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (officences .com) (info.rules)
2037176 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (officentry .com) (info.rules)
2037177 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (officested .com) (info.rules)
2037178 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (prizemons .com) (info.rules)
2037179 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (prizewel .com) (info.rules)
2037180 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (sharestion .com) (info.rules)
2037181 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (attemplate .com) (info.rules)
2037182 - ET INFO Microsoft Attack Simulation Training Domain in DNS
Lookup (windocyte .com) (info.rules)
2037183 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(sharepointin .com) (info.rules)
2037184 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(templatern .com) (info.rules)
2037185 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(prizegives .com) (info.rules)
2037186 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(shareholds .com) (info.rules)
2037187 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(mesharepoint .com) (info.rules)
2037188 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(prizewings .com) (info.rules)
2037189 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(doctricant .com) (info.rules)
2037190 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(sharession .com) (info.rules)
2037191 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(sharepointle .com) (info.rules)
2037192 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(mcsharepoint .com) (info.rules)
2037193 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(officenced .com) (info.rules)
2037194 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(templatent .com) (info.rules)
2037195 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(sharepointen .com) (info.rules)
2037196 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(officence .com) (info.rules)
2037197 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(templateau .com) (info.rules)
2037198 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(sharesbyte .com) (info.rules)
2037199 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(officences .com) (info.rules)
2037200 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(officentry .com) (info.rules)
2037201 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(officested .com) (info.rules)
2037202 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(prizemons .com) (info.rules)
2037203 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(prizewel .com) (info.rules)
2037204 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(sharestion .com) (info.rules)
2037205 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(attemplate .com) (info.rules)
2037206 - ET INFO Observed Microsoft Attack Simulation Training SSL Cert
(windocyte .com) (info.rules)
2037207 - ET MALWARE Win32/a310Logger Variant Data Exfil via SMTP
(malware.rules)
2037209 - ET PHISHING Successful Onedrive Credential Phish 2022-06-22
(phishing.rules)
2037210 - ET PHISHING Observed DNS Query to Alibaba Phishing Domain
(krikam .net) (phishing.rules)
2037211 - ET PHISHING Malicious SSL Certificate detected (Alibaba
Phishing) (phishing.rules)
2037212 - ET PHISHING Observed DNS Query to ING Bank Phishing Domain
(servesrs -kontendiba .cyou) (phishing.rules)
2037213 - ET PHISHING Successful Microsoft Credential Phish 2022-06-28
(phishing.rules)
Pro:
2851844 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-06-28 1) (coinminer.rules)
2851845 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-06-28 2) (coinminer.rules)
2851846 - ETPRO MALWARE Win32/Remcos RAT Checkin 808 (malware.rules)
2851847 - ETPRO MALWARE Unknown MalDoc CnC Activity (2022-06-29)
(malware.rules)
2851848 - ETPRO ADWARE_PUP Win32/InstallCore.Gen.A CnC CheckIn
(adware_pup.rules)
[///] Modified active rules: [///]
2033245 - ET MALWARE xCaon Embedded Encrypted Command in Webpage
(malware.rules)
2037139 - ET MALWARE ZuoRAT send_http_msg_php Call to ssid.php
(malware.rules)
2037140 - ET MALWARE ZuoRAT send_http_msg_php Call to dns.php
(malware.rules)
2037141 - ET MALWARE ZuoRAT send_http_msg_php Call to arp.php
(malware.rules)
2823606 - ETPRO EXPLOIT_KIT Possible Evil Redirect Leading to EK Dec 04
2016 (exploit_kit.rules)
2827278 - ETPRO MALWARE Imminent Monitor MainInformation Command
(malware.rules)
[---] Disabled and modified rules: [---]
2807202 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
(CVE-2013-3871) 2 (web_client.rules)
2807204 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
(CVE-2013-3871) 4 (web_client.rules)
2807205 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
(CVE-2013-3910) (web_client.rules)
2807207 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
(CVE-2013-3911) 2 (web_client.rules)
2807210 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
(CVE-2013-3915) (web_client.rules)
2807231 - ETPRO WEB_CLIENT Adobe Acrobat Reader Font Memory Corruption
Vulnerability (CVE-2013-3353) (web_client.rules)
[---] Removed rules: [---]
2017708 - ET WEB_CLIENT Possible IE 0day CVE-2013-3918 3
(web_client.rules)
2017709 - ET WEB_CLIENT Possible IE 0day CVE-2013-3918 4
(web_client.rules)
2851695 - ETPRO MALWARE EvilNum Related Domain in DNS Lookup
(malware.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team