[***] Summary: [***]
10 new OPEN, 15 new PRO (10 + 5). Win32/H0lyGh0st Ransomware, JS/TrojanDropper.Agent.OHE, Various RAT and Phishing.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2037761 - ET MALWARE Possible Raspberry Robin Activity (GET) (malware.rules)
2037762 - ET MALWARE Unknown APT Related Domain in DNS Lookup (malware.rules)
2037763 - ET INFO Observed File Sharing Domain (roamresearch .com in TLS SNI) (info.rules)
2037764 - ET INFO File Sharing Domain in DNS Lookup (roamresearch .com) (info.rules)
2037765 - ET INFO Shared File Retrieved (roamresearch .com) (info.rules)
2037766 - ET MALWARE Win32/H0lyGh0st Ransomware CnC Activity (GET Public Key) (malware.rules)
2037767 - ET MALWARE Win32/H0lyGh0st Ransomware Exfil Activity (POST) (malware.rules)
2037768 - ET MALWARE Win32/H0lyGh0st Ransomware CnC Response (malware.rules)
2037769 - ET MALWARE JS/TrojanDropper.Agent.OHE CnC Checkin (malware.rules)
2037770 - ET PHISHING Successful OWA Credential Phish 2022-07-13 (phishing.rules)
Pro:
2851894 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.abq Checkin (mobile_malware.rules)
2851895 - ETPRO MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) (malware.rules)
2851896 - ETPRO MALWARE Win32/Remcos RAT Checkin 814 (malware.rules)
2851897 - ETPRO INFO Observed Observed Abused File Sharing Domain in TLS SNI (info.rules)
2851898 - ETPRO INFO Observed Abused File Sharing Domain in DNS Lookup (info.rules)
[+++] Enabled and modified rules: [+++]
2811838 - ETPRO HUNTING Suspicious Terse HTTP Request to Pastebin (hunting.rules)
[///] Modified active rules: [///]
2031388 - ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to webcodez .com (malware.rules)
2036735 - ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) (malware.rules)
2803758 - ETPRO MALWARE Covert DNS Channel Query in ipcheker .com (malware.rules)
2813075 - ETPRO MALWARE Likely Malicious Base64 PE via Terse HTTP Request to Pastebin (malware.rules)
[---] Disabled and modified rules: [---]
2016175 - ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML (exploit.rules)
2016176 - ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL (exploit.rules)
2017037 - ET EXPLOIT Javadoc API Redirect CVE-2013-1571 (exploit.rules)
2017557 - ET EXPLOIT Possible Java CVE-2013-1488 java.sql.Drivers Service Object in JAR (exploit.rules)
2017980 - ET INFO InformationCardSigninHelper ClassID (Vulnerable ActiveX Control in CVE-2013-3918) (info.rules)
2806822 - ETPRO WEB_SERVER ADFS Service Account Leak CVE-2013-3185 (web_server.rules)
2806972 - ETPRO WEB_SERVER Microsoft SharePoint XSS attempt (CVE-2013-3180) (web_server.rules)
2807208 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (CVE-2013-3912) (web_client.rules)
2807213 - ETPRO WEB_CLIENT Possible Internet Explorer Information Disclosure Attempt (CVE-2013-3908) (web_client.rules)
2807609 - ETPRO WEB_CLIENT Possible PDF Malformed Pattern Entry (CVE-2014-0495) (web_client.rules)
[---] Removed rules: [---]
2017012 - ET EXPLOIT Possible CVE-2012-1533 altjvm (jvm.dll) Requested Over WebDAV (exploit.rules)
2822817 - ETPRO MALWARE Terse HTTP Request to Pastebin Likely Malicious (malware.rules)
2850889 - ETPRO MALWARE Possible Win32/Yax.Mole Variant Activity (GET) (malware.rules)
2851518 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Basbanke.l Checkin 2 (mobile_malware.rules)