[***] Summary: [***]

7 new OPEN, 8 new PRO (7 + 1). Various Sliver, Win32/Wacapew,
Win32/H0lyGh0st and Ave Maria/Warzone RAT.

Thanks @ESETresearch

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2037771 - ET MALWARE Possible Compromised Host AnubisNetworks
Sinkhole Cookie Value btst (malware.rules)
2037772 - ET CURRENT_EVENTS Sliver Related Domain in DNS Lookup
(saleforces-it .com) (current_events.rules)
2037773 - ET CURRENT_EVENTS Sliver Related Domain in DNS Lookup
(current_events.rules)
2037774 - ET MALWARE Win32/H0lyGh0st CnC Activity (malware.rules)
2037775 - ET PHISHING Successful OWA Phish 2022-07-15 (phishing.rules)
2037776 - ET MALWARE Win32/Wacapew CnC Checkin (malware.rules)
2037777 - ET MALWARE Win32/Wacapew.C!ml CnC Checkin (malware.rules)

Pro:

2851925 - ETPRO MALWARE Ave Maria/Warzone RAT CnC Beacon (malware.rules)

[///] Modified active rules: [///]

2012781 - ET MALWARE Possible Hiloti DNS Checkin Message
explorer_exe (malware.rules)
2014363 - ET MALWARE Lookup of Algorithm Generated Zeus CnC Domain
(DGA) (malware.rules)
2014702 - ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port
Opcode 8 through 15 set (dns.rules)
2014703 - ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port
Reserved Bit Set (dns.rules)
2803758 - ETPRO MALWARE Covert DNS Channel Query (ipcheker .com)
(malware.rules)
2828623 - ETPRO MALWARE ALMA Communicator DNS Tunnel C2 Activity
(malware.rules)

[///] Modified inactive rules: [///]

2011407 - ET INFO DNS Query for Suspicious .com.ru Domain (info.rules)
2011408 - ET INFO DNS Query for Suspicious .com.cn Domain (info.rules)
2011411 - ET INFO DNS Query for Suspicious .co.kr Domain (info.rules)
2012786 - ET MALWARE DNS Query for Possible FakeAV Domain (malware.rules)
2013038 - ET MOBILE_MALWARE DNS Query For Known Mobile Malware
Control Server (waplove .cn) (mobile_malware.rules)
2013041 - ET MOBILE_MALWARE DNS Query For Known Mobile Malware
Control Server (searchwebmobile .com) (mobile_malware.rules)
2013187 - ET MALWARE Backdoor Win32/IRCbot.FJ Cnc connection dns
lookup (malware.rules)
2013328 - ET CURRENT_EVENTS DNS Query for Known Hostile Domain
(gooqlepics .com) (current_events.rules)
2013514 - ET MALWARE Potential DNS Command and Control via TXT
queries (malware.rules)
2015741 - ET MALWARE DNS Query to Unknown CnC DGA Domain (adbullion
.com) 09/26/12 (malware.rules)
2018164 - ET MALWARE Ebury SSH Rootkit data exfiltration (malware.rules)
2019940 - ET CURRENT_EVENTS DNS Query SoakSoak Malware (soaksoak
.ru) (current_events.rules)
2020846 - ET MALWARE Possible Upatre DNS Query (jamco .com .pk)
(malware.rules)
2803759 - ETPRO MALWARE Covert DNS Channel Query (ipgreat .com)
(malware.rules)

[---] Disabled and modified rules: [---]

2033198 - ET MALWARE APT-C-23 Activity (GET) (malware.rules)

[---] Disabled rules: [---]

2036991 - ET PHISHING Generic Phishing DNS Lookup (aberto .click2eat
.co .il) (phishing.rules)

[---] Removed rules: [---]

2018091 - ET EXPLOIT_KIT Possible Flash Exploit CVE-2014-0497
(exploit_kit.rules)
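A site that keeps local enable/disable or modifysid overrides has to reconcile them against each update: a removed SID should be dropped from local lists, a disabled SID needs a deliberate re-enable if it is still wanted, and modified rules (including inactive ones a site may have turned on) need their local overrides re-tested. The parser below is an added example, not Emerging Threats tooling; it reads the section banners and wrapped rule lines of this post format and maps SIDs to the action they need. The SAMPLE text is a trimmed copy of this update's own sections, and the action keywords are an assumption of the example.

```python
"""Parse an Emerging Threats daily update post and list SIDs to reconcile."""
import re

# Section banners look like "[+++] Added rules: [+++]"; the marker inside
# the brackets is repeated at both ends, so a backreference pins it down.
SECTION_RE = re.compile(r"^\[(\S+)\]\s+(.+?):\s+\[\1\]$")
# Rule entries start with a seven-digit SID, " - ", the msg text and the
# rules file in parentheses; long entries wrap onto a continuation line.
RULE_RE = re.compile(r"^(\d{7}) - (.*)$")
FILE_RE = re.compile(r"^(.*?)\s*\((\w+\.rules)\)$")
SUBHEAD_RE = re.compile(r"^(Open|Pro):$")

# Constructed sample: an abridged copy of the sections in this update.
SAMPLE = """\
[***] Summary: [***]

7 new OPEN, 8 new PRO (7 + 1). Various Sliver, Win32/Wacapew,
Win32/H0lyGh0st and Ave Maria/Warzone RAT.

[+++] Added rules: [+++]

Open:

2037771 - ET MALWARE Possible Compromised Host AnubisNetworks
Sinkhole Cookie Value btst (malware.rules)
2037772 - ET CURRENT_EVENTS Sliver Related Domain in DNS Lookup
(saleforces-it .com) (current_events.rules)

Pro:

2851925 - ETPRO MALWARE Ave Maria/Warzone RAT CnC Beacon (malware.rules)

[///] Modified active rules: [///]

2014702 - ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port
Opcode 8 through 15 set (dns.rules)

[///] Modified inactive rules: [///]

2015741 - ET MALWARE DNS Query to Unknown CnC DGA Domain (adbullion
.com) 09/26/12 (malware.rules)

[---] Disabled and modified rules: [---]

2033198 - ET MALWARE APT-C-23 Activity (GET) (malware.rules)

[---] Removed rules: [---]

2018091 - ET EXPLOIT_KIT Possible Flash Exploit CVE-2014-0497
(exploit_kit.rules)
"""

# Section-name prefix -> action keyword (assumed vocabulary for this example).
# Order matters: "disabled and modified" and "modified inactive" must be
# matched before the more general prefixes.
ACTIONS = (
    ("removed rules", "remove"),               # SID is gone; drop local overrides
    ("disabled", "disabled"),                  # also "Disabled and modified rules"
    ("modified inactive", "review-if-enabled"),
    ("modified", "retest"),
)


def parse_update(text):
    """Parse the post into {section: [(sid, msg, rulefile), ...]}."""
    sections = {}
    entries = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            entries = sections.setdefault(m.group(2), [])
            continue
        if entries is None or SUBHEAD_RE.match(line):
            continue
        m = RULE_RE.match(line)
        if m:
            entries.append([int(m.group(1)), m.group(2)])
        elif entries:
            entries[-1][1] += " " + line   # wrapped continuation of previous entry
    parsed = {}
    for name, items in sections.items():
        out = []
        for sid, rest in items:
            fm = FILE_RE.match(rest)
            out.append((sid, fm.group(1), fm.group(2)) if fm else (sid, rest, None))
        parsed[name] = out
    return parsed


def reconcile(parsed):
    """Map each SID that needs local attention to an action keyword.

    Added rules need no reconciliation and are left out."""
    actions = {}
    for section, entries in parsed.items():
        name = section.lower()
        for prefix, action in ACTIONS:
            if name.startswith(prefix):
                for sid, _msg, _rulefile in entries:
                    actions[sid] = action
                break
    return actions


if __name__ == "__main__":
    for sid, action in sorted(reconcile(parse_update(SAMPLE)).items()):
        print(sid, action)
```

Feed the full post to parse_update and compare the "remove" and "disabled" SIDs against your local enable list; the "review-if-enabled" SIDs only matter if you have turned those inactive rules on yourself.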
