[***] Summary: [***]

13 new OPEN, 15 new PRO (13 + 2) SilentLibrarian, Gamaredon, Cobalt
Strike, Win32/VB.QPK and CoinMiner Sigs.

Thanks @souiten, @TeamDreier, @James_inthe_box, @Unit42_Intel, and
@malware_traffic

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2037823 - ET MALWARE Observed Malicious SSL/TLS Certificate
(SilentLibrarian) (malware.rules)
2037824 - ET MALWARE Observed Malicious SSL/TLS Certificate
(SilentLibrarian) (malware.rules)
2037825 - ET MALWARE Observed Malicious SSL/TLS Certificate
(SilentLibrarian) (malware.rules)
2037826 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
2037827 - ET MALWARE Gamaredon APT Related Activity (GET) (malware.rules)
2037828 - ET USER_AGENTS Suspicious User-Agent (56) (user_agents.rules)
2037829 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
2037830 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
2037831 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
2037832 - ET PHISHING Generic Credential Theft Landing Page
2022-07-26 (phishing.rules)
2037833 - ET PHISHING Successful Generic Credential Theft Landing
Page 2022-07-26 (phishing.rules)
2037834 - ET MALWARE Win32/VB.QPK CnC Checkin (malware.rules)
2037835 - ET MALWARE Win32/VB.NBI CnC Checkin (malware.rules)

Pro:

2851966 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-07-26 1) (coinminer.rules)
2851967 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-07-26 2) (coinminer.rules)

[///] Modified active rules: [///]

2025429 - ET MALWARE Arkei Stealer IP Lookup (malware.rules)
2025430 - ET MALWARE Arkei Stealer Config Download Request (malware.rules)
2025431 - ET MALWARE Vidar/Arkei Stealer Client Data Upload (malware.rules)
2029236 - ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
(malware.rules)
2029927 - ET MALWARE AgentTesla Exfil via FTP (malware.rules)
2035392 - ET MALWARE Win32/Arkei Stealer CnC Checkin (POST) (malware.rules)
2035393 - ET MALWARE Win32/Arkei Stealer CnC Checkin (GET) (malware.rules)
2035911 - ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
(malware.rules)
2036316 - ET MALWARE Arkei/Vidar/Mars Stealer Variant (malware.rules)
2827127 - ETPRO MALWARE vjw0rm Exfiltration via User-Agent Header
(malware.rules)
2828283 - ETPRO MALWARE vjw0rm Checkin (malware.rules)
2837546 - ETPRO MALWARE Netwire RAT Check-in (malware.rules)
2841237 - ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Stealer
Uploading System Information (malware.rules)
2841406 - ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Stealer
Uploading System Information M2 (malware.rules)
2841407 - ETPRO MALWARE Win32/Vidar/Arkei/Oski Variant Retrieving
Payload (malware.rules)
2842708 - ETPRO MALWARE Vidar/Arkei/Oski Variant Stealer POSTing
Data to CnC (malware.rules)
2848214 - ETPRO MALWARE vjw0rm Checkin M2 (malware.rules)
2849556 - ETPRO MALWARE Powershell vjw0rm Variant Checkin (malware.rules)

[///] Modified inactive rules: [///]

2001742 - ET EXPLOIT Arkeia full remote access without password or
authentication (exploit.rules)
2103453 - GPL EXPLOIT Arkeia client backup system info probe (exploit.rules)
