[***] Summary: [***]

9 new OPEN, 13 new PRO (9 + 4). X-Files Stealer, Cobalt Strike,
Miners and various Phishing.

Thanks @cloudsek

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2037743 - ET MALWARE X-Files Stealer CnC Exfil Activity M2 (malware.rules)
2037744 - ET ADWARE_PUP Win32/Mando Activity (GET) (adware_pup.rules)
2037745 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
2037746 - ET MALWARE MSIL/PSW.Discord.AIY CnC Exfil (malware.rules)
2037747 - ET USER_AGENTS Suspicious User-Agent (kath) (user_agents.rules)
2037748 - ET PHISHING Midea Credential Phish Landing Page 2022-07-12 (phishing.rules)
2037749 - ET PHISHING Successful Midea Credential Phish 2022-07-12 (phishing.rules)
2037750 - ET MALWARE MSIL/Agent.CTK Checkin (malware.rules)
2037751 - ET PHISHING Successful Microsoft Phish 2022-07-10 (phishing.rules)

Pro:

2851882 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-07-12 1) (coinminer.rules)
2851883 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-07-12 2) (coinminer.rules)
2851884 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-07-12 3) (coinminer.rules)
2851885 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-07-12 4) (coinminer.rules)

[///] Modified active rules: [///]

2015813 - ET MALWARE DNS Query Sinkhole Domain Various Families (Possible Infected Host) (malware.rules)
2032333 - ET MALWARE X-Files Stealer CnC Exfil Activity M1 (malware.rules)

[---] Disabled and modified rules: [---]

2016138 - ET EXPLOIT Possible Internet Explorer Use-After-Free Inbound (CVE-2012-4792) (exploit.rules)
2016420 - ET DNS Reply Sinkhole - German Company (dns.rules)
2016421 - ET DNS Reply Sinkhole - 1and1 Internet AG (dns.rules)
2016792 - ET WEB_SERVER Plesk Panel Possible HTTP_AUTH_LOGIN SQLi (CVE-2012-1557) (web_server.rules)
2017155 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect (web_server.rules)
2017156 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction (web_server.rules)
2017157 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action (web_server.rules)
2017838 - ET MALWARE HTTP Connection To Known Sinkhole Domain sinkdns.org (malware.rules)
2018117 - ET MALWARE Possible Sinkhole banner (malware.rules)
2019630 - ET MALWARE AnubisNetworks Sinkhole HTTP Response - 195.22.26.192/26 (malware.rules)
2806112 - ETPRO WEB_CLIENT Internet Explorer GetMarkUpPtr Use After free 1 (CVE-2013-0092) (web_client.rules)
2806114 - ETPRO WEB_CLIENT Internet Explorer GetMarkUpPtr Use After free 3 (CVE-2013-0092) (web_client.rules)

[---] Disabled rules: [---]

2036986 - ET MALWARE Observed DNS Query to Maldoc Domain (sportpony .ch) (malware.rules)
2036987 - ET MALWARE Observed DNS Query to Maldoc Domain (spprospekt .com .br) (malware.rules)
2036988 - ET MALWARE Observed DNS Query to Maldoc Domain (procoach .jp) (malware.rules)
2036989 - ET MALWARE Observed DNS Query to Maldoc Domain (suidi .com) (malware.rules)
2036990 - ET MALWARE Observed DNS Query to Maldoc Domain (regenerationcongo .com) (malware.rules)

[---] Removed rules: [---]

2806151 - ETPRO EXPLOIT Microsoft RTF Download (CVE-2012-0158) (exploit.rules)