[***] Summary: [***]
11 new OPEN, 19 new PRO (11 + 8). Silent Librarian, Cobalt Strike,
NoMercy and Miners.
Thanks @h2jazi, @_CERT_UA, @abuse_ch and @TeamDreier
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2037732 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037733 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037734 - ET MALWARE HiveRAT CnC Activity M2 (malware.rules)
2037735 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
2037736 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (syriahr .eu) (malware.rules)
2037737 - ET USER_AGENTS DanaBot Specific UA Observed (user_agents.rules)
2037738 - ET MALWARE NoMercy Stealer CnC Checkin (malware.rules)
2037739 - ET MALWARE NoMercy Data Exfiltration M1 (malware.rules)
2037740 - ET MALWARE NoMercy Data Exfiltration M2 (malware.rules)
2037741 - ET ADWARE_PUP AlphabetSoup Adware Extension CnC Checkin (adware_pup.rules)
2037742 - ET PHISHING Successful OWA Phish 2022-07-11 (phishing.rules)
Pro:
2851874 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-07-09 1) (coinminer.rules)
2851875 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-07-09 2) (coinminer.rules)
2851876 - ETPRO MALWARE HavanaCrypt CnC Checkin (malware.rules)
2851877 - ETPRO MALWARE HavanaCrypt Encryption Config from CnC Inbound (malware.rules)
2851878 - ETPRO MALWARE Cobalt Strike Stager Payload (malware.rules)
2851879 - ETPRO MALWARE LNK/TrojanDownloader.Agent.AS CnC Activity M1 (malware.rules)
2851880 - ETPRO MALWARE LNK/TrojanDownloader.Agent.AS CnC Activity M2 (malware.rules)
2851881 - ETPRO MALWARE LNK/TrojanDownloader.Agent.ASS CnC Activity M3 (malware.rules)
[///] Modified active rules: [///]
2030383 - ET MALWARE HiveRAT CnC Activity M1 (malware.rules)
2036934 - ET MALWARE Win32/RecordBreaker CnC Checkin (malware.rules)
[---] Disabled and modified rules: [---]
2017882 - ET WEB_SERVER Apache Solr Arbitrary XSLT inclusion attack (CVE-2013-6397) (web_server.rules)
2807299 - ETPRO WEB_CLIENT Internet Explorer CViewportChangeInvalidation Use-After-Free (CVE-2013-5051) (web_client.rules)