[***] Summary: [***]

10 new OPEN, 30 new PRO (10 + 20). Confucius APT, RecordBreaker,
Various Android and Miners.

Thanks @Threatlabz and @h2jazi

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2038602 - ET ADWARE_PUP Observed PUA SSL/TLS Certificate (HoneyGain) (adware_pup.rules)
2038603 - ET INFO DYNAMIC_DNS HTTP Request to a *.anondns .net Domain (info.rules)
2038604 - ET ATTACK_RESPONSE net user Command Output via HTTP POST (attack_response.rules)
2038605 - ET ATTACK_RESPONSE Nishang Invoke-PowerShellTcp Shell Prompt Outbound (attack_response.rules)
2038606 - ET INFO URL Shortening Service Domain in DNS Lookup (n9 .cl) (info.rules)
2038607 - ET INFO Observed URL Shortening Service Domain (n9 .cl in TLS SNI) (info.rules)
2038608 - ET MALWARE Confucious APT Related Domain in DNS Lookup (bonimoni .xyz) (malware.rules)
2038609 - ET MALWARE Confucious APT Related Domain in DNS Lookup (viterwin .club) (malware.rules)
2038610 - ET MALWARE Win32/RecordBreaker CnC Exfil (Cookies) (malware.rules)
2038611 - ET MALWARE HTTPRevShell Initial CnC Checkin (malware.rules)

Pro:

2852176 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Bray.i CnC Domain in DNS Lookup (mobile_malware.rules)
2852178 - ETPRO MOBILE_MALWARE Android/Monitor.TrackPlus.AJ CnC Domain in DNS Lookup (mobile_malware.rules)
2852179 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Harly.f CnC Domain in DNS Lookup (mobile_malware.rules)
2852180 - ETPRO MOBILE_MALWARE Observed Android.Backdoor.596.origin Domain in TLS SNI (mobile_malware.rules)
2852181 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-08-24 1) (coinminer.rules)
2852182 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-08-24 2) (coinminer.rules)
2852183 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-08-24 3) (coinminer.rules)
2852184 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-08-24 4) (coinminer.rules)
2852185 - ETPRO MALWARE UNK Python Post Compromise Framework - Registration Activity (malware.rules)
2852186 - ETPRO MALWARE UNK Python Post Compromise Framework - Tasks Request (malware.rules)
2852187 - ETPRO MALWARE UNK Python Post Compromise Framework - Tasks Results (malware.rules)
2852188 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bh Checkin (mobile_malware.rules)
2852189 - ETPRO MALWARE VBA/TrojanDropper.Agent.BWY System Profile Exfil (malware.rules)
2852190 - ETPRO ATTACK_RESPONSE VBA/TrojanDropper.Agent.BWY Payload Delivery (attack_response.rules)

[///] Modified active rules: [///]

2038594 - ET MALWARE TA453/CharmingKitten HYPERSCRAPE Tool Check-in Activity (GET) (malware.rules)
2038595 - ET MALWARE TA453/CharmingKitten HYPERSCRAPE Tool Identity Check Activity (GET) (malware.rules)
2038596 - ET MALWARE TA453/CharmingKitten HYPERSCRAPE Tool Sending System Information (POST) (malware.rules)

[///] Modified inactive rules: [///]

2852169 - ETPRO EXPLOIT Possible Microsoft Windows Server HTTP.sys DOS Inbound (CVE-2022-35748) (exploit.rules)