[***] Summary: [***]
7 new OPEN, 14 new PRO (7 + 7). JS.SocGholish, Remcos, Warzone RAT,
Others.
Thanks @1ZRR4H, @PhishStats, @mossdinger
2022-07-19 DNS Rule Update Event - In an effort to modernize legacy DNS
rules in the Emerging Threats ruleset to conform with our rule style
guidance, enhance performance, and utilize Suricata's enhanced protocol
support, a rule update was published on 2022/07/15 with updates to rules
2014702 and 2014703. The modifications resulted in several customers
experiencing false positives. Full details, including a detailed walkthrough
of the issue, can be found here -
https://github.com/EmergingThreats/threatresearch/blob/master/announcem…
We apologize for any inconvenience caused.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2037786 - ET INFO Pastebin-style Service (textbin .net in TLS SNI) (info.rules)
2037787 - ET INFO DNS Redirection Service Domain in DNS Lookup (con-ip .com) (info.rules)
2037788 - ET PHISHING Successful Office 365 Phish 2022-07-19 (phishing.rules)
2037789 - ET MALWARE JS.SocGholish CnC Activity (POST) (malware.rules)
2037790 - ET PHISHING Successful Coinbase Phish 2022-07-18 (phishing.rules)
2037791 - ET PHISHING Successful RoundCube Phish 2022-07-18 (phishing.rules)
2037792 - ET PHISHING Successful Facebook Phish 2022-07-18 (phishing.rules)
Pro:
2851940 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-07-19 1) (coinminer.rules)
2851941 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-07-19 2) (coinminer.rules)
2851942 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-07-19 3) (coinminer.rules)
2851943 - ETPRO MALWARE Win32/Remcos RAT Checkin 816 (malware.rules)
2851944 - ETPRO MALWARE BitRAT CnC Domain in DNS Lookup (malware.rules)
2851945 - ETPRO MALWARE Ave Maria/Warzone RAT PingCommand (malware.rules)
2851946 - ETPRO MALWARE Ave Maria/Warzone RAT PingResponse (malware.rules)
[///] Modified active rules: [///]
2036316 - ET MALWARE Arkei/Vidar/Mars Stealer Variant (malware.rules)
2803766 - ETPRO MALWARE Possible Hiloti DNS Checkin Message cmd_exe (malware.rules)
[///] Modified inactive rules: [///]
2015736 - ET MALWARE DNS Query to Unknown CnC DGA Domain (defmaybe .com) 09/25/12 (malware.rules)
2804176 - ETPRO INFO DYNAMIC_DNS Query to a *.ddns .mobi Domain (info.rules)
2804637 - ETPRO INFO DNS Query to a *.coom .in Abused DNS Domain (info.rules)
2805187 - ETPRO MALWARE Rovnix bootkit DNS Query CnC Domain (rtttt-windows .com) (malware.rules)
2805236 - ETPRO MALWARE DNS Query to FinFisher Spy Kit Domain (tiger .gamma-international .de) (malware.rules)
2805238 - ETPRO MALWARE DNS Query to FinFisher Spy Kit Domain (ff-demo .blogdns .org) (malware.rules)
2805488 - ETPRO MALWARE Ysreef DNS query to CnC Domain (atmportal .net .ru) (malware.rules)
2805489 - ETPRO MALWARE Ysreef DNS query to CnC Domain (my-files-download .ru) (malware.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team