[***] Summary: [***]
44 new OPEN, 79 new PRO (44 + 35). Various Android Banker Octo, Woody RAT, CHIMNEYSWEEP and Remcos.
Thanks @MalwarebytesLab, @Mandiant and @h2jazi
Due to the observation of an internal holiday, there will be no release on Friday Aug 5th 2022.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2037911 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037912 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037913 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037914 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037915 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037916 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037917 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037918 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037919 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037920 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037921 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037922 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037923 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037924 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037925 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037926 - ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup (mobile_malware.rules)
2037927 - ET MALWARE RedGuard Framework Related Request Activity (malware.rules)
2037928 - ET MALWARE Observed Malicious SSL Cert (RedGuard Framework) (malware.rules)
2037929 - ET MALWARE SSL/TLS Certificate Observed (Link Implant Default) (malware.rules)
2037930 - ET MALWARE Link Implant CnC Activity (POST) (malware.rules)
2037931 - ET MALWARE Lazarus APT Related Domain in DNS Lookup (mktrending .com) (malware.rules)
2037932 - ET ADWARE_PUP Observed DNS Query to Restoro PUP Domain (restoro .com) (adware_pup.rules)
2037933 - ET ADWARE_PUP Win32/ReImageRepair.T CnC Checkin (adware_pup.rules)
2037934 - ET MALWARE Woody RAT CnC Domain (microsoft-telemetry .ru) in DNS Lookup (malware.rules)
2037935 - ET MALWARE Woody RAT CnC Domain (oakrussia .ru) in DNS Lookup (malware.rules)
2037936 - ET MALWARE Woody RAT CnC Domain (kurmakata .duckdns .org) in DNS Lookup (malware.rules)
2037937 - ET MALWARE Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup (malware.rules)
2037938 - ET MALWARE Woody RAT CnC Domain (fns77 .ru) in DNS Lookup (malware.rules)
2037939 - ET MALWARE Woody RAT Payload Delivery Domain (garmandesar .duckdns .org) in DNS Lookup (malware.rules)
2037940 - ET MALWARE Woody RAT Payload Delivery Domain (fcloud .nciinform .ru) in DNS Lookup (malware.rules)
2037941 - ET MALWARE Woody RAT CnC Checkin (malware.rules)
2037942 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (pgp .eu .com) in DNS Lookup (malware.rules)
2037943 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (windowsupadates .com) in DNS Lookup (malware.rules)
2037944 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (skype .se .net) in DNS Lookup (malware.rules)
2037945 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (telegram-update .com) in DNS Lookup (malware.rules)
2037946 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (update-pgp .com) in DNS Lookup (malware.rules)
2037947 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (server-avira .com) in DNS Lookup (malware.rules)
2037948 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (avira .ltd) in DNS Lookup (malware.rules)
2037949 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (uk2privat .com) in DNS Lookup (malware.rules)
2037950 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (cloud-avira .com) in DNS Lookup (malware.rules)
2037951 - ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (update-real .com) in DNS Lookup (malware.rules)
2037952 - ET MALWARE Win32/Agent.UOI CnC Checkin (malware.rules)
2037953 - ET MALWARE Win64/Spy.Agent.EU CnC Checkin (malware.rules)
2037954 - ET MALWARE Win32.ClipBanker.uhn Exfil (malware.rules)
Pro:
2852006 - ETPRO MOBILE_MALWARE Android/TrojanDownloader.Agent.WR CnC Domain in DNS Lookup (mobile_malware.rules)
2852007 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.EVT CnC Domain in DNS Lookup (mobile_malware.rules)
2852008 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.JDU CnC Domain in DNS Lookup (mobile_malware.rules)
2852009 - ETPRO MOBILE_MALWARE Trojan-Clicker.AndroidOS.Simpo.c CnC Domain in DNS Lookup (mobile_malware.rules)
2852010 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.st CnC Domain in DNS Lookup (mobile_malware.rules)
2852011 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.st CnC Domain in DNS Lookup (mobile_malware.rules)
2852012 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.st CnC Domain in DNS Lookup (mobile_malware.rules)
2852013 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.st CnC Domain in DNS Lookup (mobile_malware.rules)
2852014 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.st CnC Domain in DNS Lookup (mobile_malware.rules)
2852015 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.st CnC Domain in DNS Lookup (mobile_malware.rules)
2852016 - ETPRO MALWARE NewConsole Checkin via SMTP (malware.rules)
2852017 - ETPRO MALWARE Win32/Remcos RAT Checkin 821 (malware.rules)
2852018 - ETPRO MALWARE Win32/Remcos RAT Checkin 822 (malware.rules)
2852026 - ETPRO MALWARE Observed DNS Query to Win32/Agent_AGen.BV Domain (malware.rules)
2852027 - ETPRO ATTACK_RESPONSE Win32/Agent_AGen.BV CnC Response (attack_response.rules)
[///] Modified active rules: [///]
2842883 - ETPRO MALWARE Win32/2345 Helper Downloader Activity (malware.rules)
2848901 - ETPRO MALWARE Observed Reversed EXE String Inbound (This Program...) (malware.rules)