[***] Summary: [***]
17 new OPEN, 25 new PRO (17 OPEN + 8 PRO-only). Win32/RecordBreaker, Win32/Lilith Stealer, Others.
Thanks @Unit42_Intel, @kienbigmummy, @evilcel3ri
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2038485 - ET MALWARE Win32/RecordBreaker - Observed UA M1 (malware.rules)
2038486 - ET MALWARE Win32/RecordBreaker - Observed UA M2 (malware.rules)
2038487 - ET MALWARE Win32/RecordBreaker - Library Request (malware.rules)
2038488 - ET INFO URL Shortening/Redirect Service Domain (clik .rip in TLS SNI) (info.rules)
2038489 - ET INFO URL Shortening/Redirect Service Domain in DNS Lookup (clik .rip) (info.rules)
2038490 - ET WEB_SERVER Suspected China Chopper Variant Webshell Command (inbound) (web_server.rules)
2038491 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (combinedresidency .org) (malware.rules)
2038492 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (optasko .com) (malware.rules)
2038493 - ET MALWARE Win32/Korplug.HQ CnC Activity (malware.rules)
2038494 - ET HUNTING Possible Fake 404 Credential Phish Landing Page (hunting.rules)
2038495 - ET HUNTING Possible Phish with cazanova= Cookie (hunting.rules)
2038496 - ET MALWARE Win32/Lilith Stealer getFile Command (malware.rules)
2038497 - ET MALWARE Win32/Lilith Stealer registerBot CnC Checkin (malware.rules)
2038498 - ET MALWARE Win32/Lilith Stealer getCommands Command (malware.rules)
2038499 - ET MALWARE Win32/Lilith Stealer uploadFile Data Exfiltration Attempt (malware.rules)
2038500 - ET MALWARE Win32/Packed.BlackMoon.A CnC Checkin (malware.rules)
2038501 - ET HUNTING Possible Obfuscator io JavaScript Obfuscation (hunting.rules)
Pro:
2852072 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-08-11 1) (coinminer.rules)
2852073 - ETPRO PHISHING Successful Generic Credential Phish M1 2022-08-11 (phishing.rules)
2852074 - ETPRO PHISHING Successful Generic Credential Phish M2 2022-08-11 (phishing.rules)
2852075 - ETPRO PHISHING Generic Credential Phish Landing Page 2022-08-11 (phishing.rules)
[///] Modified active rules: [///]
2018141 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz (malware.rules)
2030231 - ET MALWARE OSX/SHLAYER CnC Checkin (malware.rules)
2036934 - ET MALWARE Win32/RecordBreaker CnC Checkin M1 (malware.rules)
2037274 - ET MALWARE Win32/RecordBreaker Checkin M2 (malware.rules)
2037771 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst (malware.rules)
2038478 - ET INFO URL Shortening/Redirect Service Domain in DNS Lookup (cutit .org) (info.rules)
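Added example (not part of this announcement, and not Emerging Threats or suricata-update code): a Python script that parses this plain-text announcement format, re-joins the entries the mailer wrapped across lines, checks the stated counts against the entries actually listed, and writes a suricata-update enable.conf fragment for the new Open SIDs. The section-header and "Open:"/"Pro:" sub-list conventions are taken from this page; one bare SID per line is suricata-update's documented enable.conf syntax. The embedded sample input is this page's own summary and full Open list plus one Pro and one Modified entry, so the check reports 17 Open entries against the stated 17, and 1 Pro entry against the stated 8 (the Pro list on this page itself shows four entries against that eight).

```python
"""Parse an Emerging Threats daily announcement, check its summary counts,
and emit a suricata-update enable.conf fragment for the new Open SIDs."""
import re

# Constructed sample: this announcement's summary and full Open section, copied
# with the mailer's line wrapping intact, plus one Pro and one Modified entry.
ANNOUNCEMENT = """\
[***] Summary: [***]
17 new OPEN, 25 new PRO (17 + 8). Win32/RecordBreaker, Win32/Lilith
Stealer, Others.
[+++] Added rules: [+++]
Open:
2038485 - ET MALWARE Win32/RecordBreaker - Observed UA M1 (malware.rules)
2038486 - ET MALWARE Win32/RecordBreaker - Observed UA M2 (malware.rules)
2038487 - ET MALWARE Win32/RecordBreaker - Library Request (malware.rules)
2038488 - ET INFO URL Shortening/Redirect Service Domain (clik .rip in
TLS SNI) (info.rules)
2038489 - ET INFO URL Shortening/Redirect Service Domain in DNS Lookup
(clik .rip) (info.rules)
2038490 - ET WEB_SERVER Suspected China Chopper Variant Webshell Command
(inbound) (web_server.rules)
2038491 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain
(combinedresidency .org) (malware.rules)
2038492 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (optasko
.com) (malware.rules)
2038493 - ET MALWARE Win32/Korplug.HQ CnC Activity (malware.rules)
2038494 - ET HUNTING Possible Fake 404 Credential Phish Landing Page
(hunting.rules)
2038495 - ET HUNTING Possible Phish with cazanova= Cookie (hunting.rules)
2038496 - ET MALWARE Win32/Lilith Stealer getFile Command (malware.rules)
2038497 - ET MALWARE Win32/Lilith Stealer registerBot CnC Checkin
(malware.rules)
2038498 - ET MALWARE Win32/Lilith Stealer getCommands Command
(malware.rules)
2038499 - ET MALWARE Win32/Lilith Stealer uploadFile Data Exfiltration
Attempt (malware.rules)
2038500 - ET MALWARE Win32/Packed.BlackMoon.A CnC Checkin (malware.rules)
2038501 - ET HUNTING Possible Obfuscator io JavaScript Obfuscation
(hunting.rules)
Pro:
2852072 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-08-11 1) (coinminer.rules)
[///] Modified active rules: [///]
2018141 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole
Cookie Value Snkz (malware.rules)
"""

HEADER_RE = re.compile(r"^\[[^\]]+\]\s*(\S+).*\[[^\]]+\]$")  # "[+++] Added rules: [+++]"
SID_RE = re.compile(r"^(\d{7})\s+-\s+(.*)$")                  # "2038485 - ET MALWARE ..."
FILE_RE = re.compile(r"\s*\(([\w.-]+\.rules)\)$")              # trailing "(malware.rules)"
SUMMARY_RE = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")


def parse_announcement(text):
    """Return (summary_text, {section: [entry, ...]}) with wrapped lines re-joined."""
    summary, sections, block, current = [], {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:  # "[***] Summary: [***]" -> "summary", "[+++] Added rules: [+++]" -> "added"
            block = m.group(1).rstrip(":").lower()
            current = None if block == "summary" else block
            continue
        if block == "summary":
            summary.append(line)
            continue
        if re.fullmatch(r"[A-Za-z]+:", line):  # "Open:" / "Pro:" sub-lists of the Added block
            current = f"{block}/{line[:-1].lower()}"
            continue
        m = SID_RE.match(line)
        if m and current:
            sections.setdefault(current, []).append(
                {"sid": int(m.group(1)), "msg": m.group(2), "file": None})
        elif sections.get(current):  # any other line is a mailer-wrapped continuation
            sections[current][-1]["msg"] += " " + line
    for entry in (e for entries in sections.values() for e in entries):
        fm = FILE_RE.search(entry["msg"])  # split the rule file out of the message
        if fm:
            entry["file"], entry["msg"] = fm.group(1), entry["msg"][:fm.start()]
    return " ".join(summary), sections


def check_summary(summary, sections):
    """Compare the stated counts with the entries actually listed: (stated, listed)."""
    stated_open, stated_pro, pro_open_part, pro_only = map(
        int, SUMMARY_RE.search(summary).groups())
    return {
        "open": (stated_open, len(sections.get("added/open", []))),
        "pro_only": (pro_only, len(sections.get("added/pro", []))),
        "pro_total_consistent": pro_open_part + pro_only == stated_pro,
    }


def enable_conf(sections, keys=("added/open",)):
    """suricata-update enable.conf fragment: a comment line, then the bare SID."""
    lines = []
    for entry in (e for key in keys for e in sections.get(key, [])):
        lines.append(f"# {entry['msg']} ({entry['file']})")
        lines.append(str(entry["sid"]))
    return "\n".join(lines)
```

Run it against the full text of a future announcement by reading the mail body into ANNOUNCEMENT; a mismatch in the "open" or "pro_only" pair is the signal that the mail was truncated or the summary miscounted, and the enable.conf output can be dropped into /etc/suricata/enable.conf before the next suricata-update run.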
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team