[***] Summary: [***]

6 new OPEN, 13 new PRO (6 + 7). SilentLibrarian, Bitter APT, Sidewinder
APT, Others.

Thanks @h2jazi

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2037807 - ET MALWARE Observed Malicious SSL/TLS Certificate
(SilentLibrarian) (malware.rules)
2037808 - ET MALWARE Observed Malicious SSL/TLS Certificate
(SilentLibrarian) (malware.rules)
2037809 - ET MALWARE Bitter APT Payload Request (malware.rules)
2037810 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (paf-gov
.org) (malware.rules)
2037811 - ET MALWARE Downloaded .PNG With Embedded File (.sh)
(malware.rules)
2037812 - ET MALWARE MSIL/Spy.Agent.CSS Exfil (malware.rules)

Pro:

2851953 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-07-22 1) (coinminer.rules)
2851954 - ETPRO MALWARE AutoHotKey Logger - Attempted Login to Gmail
(malware.rules)
2851959 - ETPRO MALWARE MSIL/Spy.Agent.AES Telegram Exfil (malware.rules)
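SID 2037811 above flags a downloaded .PNG carrying an embedded shell script. The ET signature itself is not reproduced here; the following is an added example (not Emerging Threats code) that shows the file-level check an analyst can run on a retrieved sample: walk the PNG chunk list, verify chunk CRCs, and report anything appended after IEND, which is where such payloads are commonly smuggled because decoders stop reading there. The sample image and the shell-script trailer are constructed inline; the assumption that the payload sits after IEND (rather than inside a chunk) is the example's, which is why the block also searches the whole file for a shebang.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, data):
    """Serialise one chunk: 4-byte big-endian length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(trailer=b""):
    """Constructed 1x1 RGB image; `trailer` is appended after IEND, where decoders stop."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte 0 + one red pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b"") + trailer)


def inspect_png(blob):
    """Walk the chunk list up to IEND and report what, if anything, follows it.

    Returns a dict with the chunk list (type, length, crc_ok), the number of bytes
    after IEND, whether those bytes start with a shebang, and the offset of the
    first "#!/" anywhere in the file (-1 if none)."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    image_end = None
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            break                                   # truncated chunk: stop parsing
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        crc_ok = crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        pos = end
        if ctype == b"IEND":
            image_end = pos
            break
    # Bytes after IEND (or after the last parseable chunk) are not part of the image.
    trailer = blob[image_end:] if image_end is not None else blob[pos:]
    return {
        "chunks": chunks,
        "trailing_bytes": len(trailer),
        "trailer_is_script": trailer.lstrip().startswith(b"#!"),
        "shebang_offset": blob.find(b"#!/"),
    }


if __name__ == "__main__":
    # Constructed stand-in for a dropped script; not a real payload.
    payload = b"#!/bin/sh\necho 'constructed stand-in for a dropped shell script'\n"
    for label, blob in (("clean", build_sample_png()), ("smuggled", build_sample_png(payload))):
        print(label, inspect_png(blob))
```

A non-zero trailing_bytes count on a file served with an image/png content type is worth a closer look on its own; a shebang at the start of the trailer is the specific case this rule's title describes.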

[///] Modified active rules: [///]

2024830 - ET POLICY Observed IP Lookup Domain (formyip .com in DNS
Lookup) (policy.rules)
2024888 - ET MALWARE OSX/Proton.C/D Domain (eltima .in) in DNS Lookup
(malware.rules)
2024890 - ET MALWARE OSX/Proton.C/D Domain (handbrakestore .com) in DNS
Lookup (malware.rules)
2024892 - ET MALWARE OSX/Proton.C/D Domain (handbrake .cc) in DNS Lookup
(malware.rules)
2024893 - ET MALWARE OSX/Proton.C/D Domain (handbrake .cc) in TLS SNI
(malware.rules)
2024910 - ET MALWARE BadRabbit Ransomware Payment Onion Domain
(malware.rules)
2024921 - ET MALWARE IoT_reaper DNS Lookup M1 (hl852 .com) (malware.rules)
2024922 - ET MALWARE IoT_reaper DNS Lookup M2 (hl859 .com) (malware.rules)
2024923 - ET MALWARE IoT_reaper DNS Lookup M3 (hi8529 .com)
(malware.rules)
2024933 - ET MALWARE IoT_reaper DNS Lookup M4 (cbk99 .com) (malware.rules)
2024934 - ET MALWARE IoT_reaper DNS Lookup M5 (bbk80 .com) (malware.rules)
2024935 - ET MALWARE IoT_reaper DNS Lookup M6 (bbk86 .com) (malware.rules)
2024936 - ET MALWARE IoT_reaper DNS Lookup M7 (ha859 .com) (malware.rules)
2024937 - ET MALWARE Downeks/Quasar DNS Lookup (download .data-server
.cloudns .club) (malware.rules)
2024938 - ET MALWARE Downeks/Quasar DNS Lookup (ping .topsite .life)
(malware.rules)
2024939 - ET MALWARE Downeks/Quasar DNS Lookup (signup .updatesforme
.club) (malware.rules)
2024940 - ET MALWARE Downeks/Quasar DNS Lookup (moreoffer .life)
(malware.rules)
2024956 - ET MALWARE RouteX CnC Domain (cba4a6e5d3c956548a337c52388473f1
.com) in DNS Lookup (malware.rules)
2024957 - ET MALWARE RouteX CnC Domain (0a0074066c49886a39b5a3072582f5d6
.net) in DNS Lookup (malware.rules)
2024958 - ET MALWARE RouteX CnC Domain (73780fbd309561e201a4aee9914d882d
.org) in DNS Lookup (malware.rules)
2024959 - ET MALWARE RouteX CnC Domain (dcb5684707f6c66492aaa9f7d9bfb5a6
.biz) in DNS Lookup (malware.rules)
2024960 - ET MALWARE RouteX CnC Domain (322ffbbc7c1b312c2f9d942f20422f8d
.com) in DNS Lookup (malware.rules)
2024961 - ET MALWARE RouteX CnC Domain (18bca7c5fd709ac468ba148c590ef6bf
.net) in DNS Lookup (malware.rules)
2024962 - ET MALWARE RouteX CnC Domain (aaafc94b3a37b75ae9cb60afc42e86fe
.org) in DNS Lookup (malware.rules)
2024963 - ET MALWARE RouteX CnC Domain (c13a856f4a879a89e9a638207efd6c94
.biz) in DNS Lookup (malware.rules)
2024964 - ET MALWARE RouteX CnC Domain (2fa3c2fa16c47d9b9bff8986a42b048f
.com) in DNS Lookup (malware.rules)
2024965 - ET MALWARE RouteX CnC Domain (3ec9b600789b3bacf2c72ebae142a9c3
.net) in DNS Lookup (malware.rules)
2024986 - ET MALWARE SunOrcal Reaver Domain Observed (tashdqdxp .com) in
DNS Lookup (malware.rules)
2024987 - ET MALWARE SunOrcal Reaver Domain Observed (weryhstui .com) in
DNS Lookup (malware.rules)
2024988 - ET MALWARE SunOrcal Reaver Domain Observed (fyoutside .com) in
DNS Lookup (malware.rules)
2024989 - ET MALWARE SunOrcal Reaver Domain Observed (olinaodi .com) in
DNS Lookup (malware.rules)
2025639 - ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup
1 (goldncup .com) (mobile_malware.rules)
2025640 - ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup
2 (glancelove .com) (mobile_malware.rules)
2025641 - ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup
3 (autoandroidup .website) (mobile_malware.rules)
2025642 - ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup
4 (mobilestoreupdate .website) (mobile_malware.rules)
2025643 - ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup
5 (updatemobapp .website) (mobile_malware.rules)
2850868 - ETPRO MALWARE Win32/Vulturi CnC Activity (GET) (malware.rules)
2850869 - ETPRO MALWARE Win32/Vulturi CnC Activity (POST) (malware.rules)
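Most of the entries above key on a domain in a DNS lookup, written in the update's defanged "label .tld" form and sometimes wrapped across two lines by the mail client. Before the rules reach production it is often useful to sweep passive DNS or resolver logs for the same indicators. The script below is an added example, not part of this update or of any ET tooling: it re-joins wrapped entries, refangs every domain in a constructed excerpt of this changelog, and matches them (including subdomains, but not lookalikes) against a constructed DNS query log whose "timestamp client qname qtype" layout is an assumption.

```python
import re

# Constructed excerpt of this changelog, kept in the list's own wrapped, defanged
# "label .tld" form (entries copied from the update above; nothing new added).
CHANGELOG_EXCERPT = """\
2037810 - ET MALWARE Sidewinder APT Related Domain in DNS Lookup (paf-gov
.org) (malware.rules)
2024830 - ET POLICY Observed IP Lookup Domain (formyip .com in DNS
Lookup) (policy.rules)
2024921 - ET MALWARE IoT_reaper DNS Lookup M1 (hl852 .com) (malware.rules)
2024937 - ET MALWARE Downeks/Quasar DNS Lookup (download .data-server
.cloudns .club) (malware.rules)
2024956 - ET MALWARE RouteX CnC Domain (cba4a6e5d3c956548a337c52388473f1
.com) in DNS Lookup (malware.rules)
2025640 - ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup
2 (glancelove .com) (mobile_malware.rules)
"""

# Constructed DNS query log (hypothetical "timestamp client qname qtype" format).
DNS_LOG = """\
2022-07-22T10:14:03Z 10.0.0.5 www.paf-gov.org A
2022-07-22T10:14:09Z 10.0.0.5 example.com A
2022-07-22T10:15:41Z 10.0.0.7 HL852.COM. A
2022-07-22T10:16:02Z 10.0.0.9 download.data-server.cloudns.club A
2022-07-22T10:16:30Z 10.0.0.9 notpaf-gov.org A
2022-07-22T10:17:12Z 10.0.0.11 glancelove.com TXT
"""

ENTRY_START = re.compile(r"^\d{7} - ")
ENTRY = re.compile(r"^(\d{7}) - (.*) \(([\w-]+\.rules)\)$")
# A defanged domain: labels separated by " ." (the whitespace may be a line wrap).
DEFANGED = re.compile(r"\(([a-z0-9-]+(?:\s+\.[a-z0-9-]+)+)")


def join_wrapped(text):
    """Re-join entries the mail client wrapped at ~72 columns; one string per SID."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line):
            entries.append(line.rstrip())
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    return entries


def extract_domains(text):
    """Map each refanged domain in the changelog to (sid, rule message)."""
    watchlist = {}
    for entry in join_wrapped(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        sid, msg, _ruleset = m.groups()
        for raw in DEFANGED.findall(msg):
            domain = re.sub(r"\s+\.", ".", raw).lower()
            watchlist[domain] = (sid, msg)
    return watchlist


def sweep(dns_log, watchlist):
    """Return (timestamp, client, qname, sid) for queries that hit a watched domain
    or one of its subdomains; lookalikes such as notpaf-gov.org do not match."""
    hits = []
    for line in dns_log.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, qname, _qtype = fields[:4]
        qname = qname.rstrip(".").lower()          # normalise trailing dot and case
        for domain, (sid, _msg) in watchlist.items():
            if qname == domain or qname.endswith("." + domain):
                hits.append((ts, client, qname, sid))
                break
    return hits


if __name__ == "__main__":
    wl = extract_domains(CHANGELOG_EXCERPT)
    for ts, client, qname, sid in sweep(DNS_LOG, wl):
        print(ts, client, qname, "->", sid)
```

The suffix match deliberately requires a leading dot so that registered domains which merely contain a watched name do not fire; the 2024830 POLICY entry is included to show that the parser also copes with a domain followed by further text inside the same parentheses.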

[---] Disabled rules: [---]

2838466 - ETPRO WEB_CLIENT Evil Keitaro Set-Cookie Inbound (d1a5f)
(web_client.rules)
2838527 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound (9d2da)
(exploit_kit.rules)
2839549 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound (aef4f)
(exploit_kit.rules)
2840741 - ETPRO WEB_CLIENT Evil Keitaro Set-Cookie Inbound (0df9c)
(web_client.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
