[***] Summary: [***]
24 new OPEN, 26 new PRO (24 + 2). EvilProxy AiTM, Robin Banks, RKO Remote
File Upload, Danabot and LimeRAT.
Thanks @twinwavesec, @phage_nz, and @James_inthe_box
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2037848 - ET PHISHING [TW] EvilProxy AiTM Set-Cookie (phishing.rules)
2037849 - ET PHISHING [TW] EvilProxy AiTM Username Checkin (phishing.rules)
2037850 - ET PHISHING [TW] EvilProxy AiTM Cookie Value (phishing.rules)
2037851 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M1 (phishing.rules)
2037852 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M2 (phishing.rules)
2037853 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M3 (phishing.rules)
2037854 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M4 (phishing.rules)
2037855 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M5 (phishing.rules)
2037856 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M6 (phishing.rules)
2037857 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M7 (phishing.rules)
2037858 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M8 (phishing.rules)
2037859 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M9 (phishing.rules)
2037860 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M10 (phishing.rules)
2037861 - ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M11 (phishing.rules)
2037862 - ET PHISHING [TW] EvilProxy AiTM Network Reporting (phishing.rules)
2037863 - ET ATTACK_RESPONSE Trojan.Dropper.HTML.Agent Payload (attack_response.rules)
2037864 - ET PHISHING [TW] Robin Banks HTTP HOST M1 (phishing.rules)
2037865 - ET PHISHING [TW] Robin Banks HTTP HOST M2 (phishing.rules)
2037866 - ET PHISHING [TW] Robin Banks HTTP GET Struct (phishing.rules)
2037867 - ET PHISHING [TW] Robin Banks Redirect M1 (phishing.rules)
2037868 - ET PHISHING [TW] Robin Banks Redirect M2 (phishing.rules)
2037869 - ET PHISHING Facebook Credential Theft Landing Page 2022-07-29 (phishing.rules)
2037870 - ET MALWARE RKO Remote File Upload Attempt (malware.rules)
2037871 - ET PHISHING Successful Generic Phish 2022-07-29 (phishing.rules)
Pro:
2851981 - ETPRO MALWARE Danabot - Server Response (malware.rules)
2851982 - ETPRO MALWARE LimeRat Domain in DNS Lookup (one-drive .sly .io) (malware.rules)
[///] Modified active rules: [///]
2035595 - ET MALWARE Generic AsyncRAT Style SSL Cert (malware.rules)
[---] Disabled rules: [---]
2037210 - ET PHISHING Observed DNS Query to Alibaba Phishing Domain (krikam .net) (phishing.rules)
2037212 - ET PHISHING Observed DNS Query to ING Bank Phishing Domain (servesrs -kontendiba .cyou) (phishing.rules)
2851840 - ETPRO PHISHING Observed DNS Query to O365 QR Phishing Domain (phishing.rules)
2851842 - ETPRO PHISHING Observed DNS Query to O365 QR Phishing Domain (phishing.rules)