[***] Summary: [***]

20 new OPEN, 47 new PRO (20 + 27). Win32/Nitrokod, CVE-2022-26352,
CVE-2022-27255, CVE-2021-26086, Others.

Thanks @SecureList, @CheckPointSW, @MalGamy12

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2038668 - ET EXPLOIT dotCMS Unrestricted Upload of File Attempt Inbound
(CVE-2022-26352) (exploit.rules)
2038669 - ET EXPLOIT Realtek eCos RSDK/MSDK Stack-based Buffer Overflow
Attempt Inbound (CVE-2022-27255) (exploit.rules)
2038670 - ET INFO HTTP Request to Free Hosting Domain (*.ct8 .pl)
(info.rules)
2038671 - ET INFO DNS Query to a Free Hosting Domain (*.ct8 .pl)
(info.rules)
2038672 - ET EXPLOIT Jira Server/Data Center 8.4.0 Remote File Read
Attempt (CVE-2021-26086) M1 (exploit.rules)
2038673 - ET EXPLOIT Jira Server/Data Center 8.4.0 Remote File Read
Attempt (CVE-2021-26086) M2 (exploit.rules)
2038674 - ET MALWARE VBS/Kimsuky.O Host Fingerprint Exfil (malware.rules)
2038675 - ET USER_AGENTS VBS/Kimsuky UA Observed (user_agents.rules)
2038676 - ET MALWARE Win32/Nitrokod CnC Domain (nitrokod .com) in DNS
Lookup (malware.rules)
2038677 - ET MALWARE Win32/Nitrokod CnC Domain (Intelserviceupdate .com)
in DNS Lookup (malware.rules)
2038678 - ET MALWARE Win32/Nitrokod CnC Domain (nvidiacenter .com) in DNS
Lookup (malware.rules)
2038679 - ET MALWARE Win32/Nitrokod Domain (intelserviceupdate .com) in
TLS SNI (malware.rules)
2038680 - ET MALWARE Win32/Nitrokod Domain (nitrokod .com) in TLS SNI
(malware.rules)
2038681 - ET MALWARE Win32/Nitrokod Domain (nvidiacenter .com) in TLS SNI
(malware.rules)
2038682 - ET MOBILE_MALWARE Android/IRATA CnC Domain (rimotgozaran .tk)
in DNS Lookup (mobile_malware.rules)
2038683 - ET MOBILE_MALWARE Android/IRATA CnC Domain (rimot-anitain .tk)
in DNS Lookup (mobile_malware.rules)
2038684 - ET MOBILE_MALWARE Observed Android/IRATA Domain (rimotgozaran .tk)
in TLS SNI (mobile_malware.rules)
2038685 - ET MOBILE_MALWARE Observed Android/IRATA Domain (rimot-anitain .tk)
in TLS SNI (mobile_malware.rules)
2038686 - ET MOBILE_MALWARE Android/IRATA Data Exfiltration Attempt
(mobile_malware.rules)
2038687 - ET MALWARE Win32/Sabsik.FL.B!ml Exfil (malware.rules)

Pro:

2852238 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BTS Checkin
(mobile_malware.rules)
2852239 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Climap.f Activity
(mobile_malware.rules)
2852240 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.KDB CnC Domain
in DNS Lookup (mobile_malware.rules)
2852241 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.KDB CnC Domain
in DNS Lookup (mobile_malware.rules)
2852242 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.GQH CnC Domain
in DNS Lookup (mobile_malware.rules)
2852243 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Svpeng.aj CnC
Domain in DNS Lookup (mobile_malware.rules)
2852244 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Svpeng.aj Checkin
(mobile_malware.rules)
2852245 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CIQ CnC Domain in DNS
Lookup (mobile_malware.rules)
2852246 - ETPRO MOBILE_MALWARE Observed Android/Spy.Agent.CIQ Domain in
TLS SNI (mobile_malware.rules)
2852247 - ETPRO MOBILE_MALWARE Android/Spy.Banker.BNG CnC Domain in DNS
Lookup (mobile_malware.rules)
2852248 - ETPRO MOBILE_MALWARE Android/Spy.Banker.BEL CnC Domain in DNS
Lookup (mobile_malware.rules)
2852249 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Rkor.au CnC Domain
in DNS Lookup (mobile_malware.rules)
2852250 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Rkor.au CnC Domain
in DNS Lookup (mobile_malware.rules)
2852251 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.UL CnC Domain in DNS
Lookup (mobile_malware.rules)
2852252 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.VO CnC Domain in DNS
Lookup (mobile_malware.rules)
2852253 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.VO CnC Domain in DNS
Lookup (mobile_malware.rules)
2852254 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.aqms CnC Domain in
DNS Lookup (mobile_malware.rules)
2852255 - ETPRO MOBILE_MALWARE Android.Banker.5061 CnC Domain in DNS
Lookup (mobile_malware.rules)
2852256 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.cs CnC
Domain in DNS Lookup (mobile_malware.rules)
2852257 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Agent.jp CnC
Domain in DNS Lookup (mobile_malware.rules)
2852258 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CGM CnC Domain in DNS
Lookup (mobile_malware.rules)
2852259 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.SG CnC Domain in DNS
Lookup (mobile_malware.rules)
2852260 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Basdoor.c CnC Domain in
DNS Lookup (mobile_malware.rules)
2852261 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Basdoor.c CnC Domain in
DNS Lookup (mobile_malware.rules)
2852262 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c CnC Domain
in DNS Lookup (mobile_malware.rules)
2852263 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-08-27 1) (coinminer.rules)
2852264 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-08-27 2) (coinminer.rules)

[///] Modified active rules: [///]

2029401 - ET MALWARE Win32/AZORult V3.2 Client Checkin M1 (malware.rules)
2029402 - ET MALWARE Win32/AZORult V3.2 Client Checkin M2 (malware.rules)
2029403 - ET MALWARE Win32/AZORult V3.2 Client Checkin M3 (malware.rules)
2029404 - ET MALWARE Win32/AZORult V3.3 Client Checkin M1 (malware.rules)
2029405 - ET MALWARE Win32/AZORult V3.3 Client Checkin M2 (malware.rules)
2029406 - ET MALWARE Win32/AZORult V3.3 Client Checkin M3 (malware.rules)
2029436 - ET MALWARE Win32/AZORult V3.2 Client Checkin M4 (malware.rules)
2029437 - ET MALWARE Win32/AZORult V3.2 Client Checkin M5 (malware.rules)
2029438 - ET MALWARE Win32/AZORult V3.2 Client Checkin M6 (malware.rules)
2029439 - ET MALWARE Win32/AZORult V3.3 Client Checkin M4 (malware.rules)
2029440 - ET MALWARE Win32/AZORult V3.3 Client Checkin M5 (malware.rules)
2029441 - ET MALWARE Win32/AZORult V3.3 Client Checkin M6 (malware.rules)
2029442 - ET MALWARE Win32/AZORult V3.2 Client Checkin M7 (malware.rules)
2029443 - ET MALWARE Win32/AZORult V3.2 Client Checkin M8 (malware.rules)
2029444 - ET MALWARE Win32/AZORult V3.2 Client Checkin M9 (malware.rules)
2029445 - ET MALWARE Win32/AZORult V3.3 Client Checkin M7 (malware.rules)
2029446 - ET MALWARE Win32/AZORult V3.3 Client Checkin M8 (malware.rules)
2029447 - ET MALWARE Win32/AZORult V3.3 Client Checkin M9 (malware.rules)
2029457 - ET MALWARE Win32/AZORult V3.2 Client Checkin M10 (malware.rules)
2029458 - ET MALWARE Win32/AZORult V3.2 Client Checkin M11 (malware.rules)
2029459 - ET MALWARE Win32/AZORult V3.2 Client Checkin M12 (malware.rules)
2029460 - ET MALWARE Win32/AZORult V3.3 Client Checkin M10 (malware.rules)
2029461 - ET MALWARE Win32/AZORult V3.3 Client Checkin M11 (malware.rules)
2029462 - ET MALWARE Win32/AZORult V3.3 Client Checkin M12 (malware.rules)
2029463 - ET MALWARE Win32/AZORult V3.2 Client Checkin M13 (malware.rules)
2029464 - ET MALWARE Win32/AZORult V3.2 Client Checkin M14 (malware.rules)
2029465 - ET MALWARE Win32/AZORult V3.2 Client Checkin M15 (malware.rules)
2029466 - ET MALWARE Win32/AZORult V3.3 Client Checkin M13 (malware.rules)
2029467 - ET MALWARE Win32/AZORult V3.3 Client Checkin M14 (malware.rules)
2029468 - ET MALWARE Win32/AZORult V3.3 Client Checkin M15 (malware.rules)
2029479 - ET MALWARE Win32/AZORult V3.2 Client Checkin M16 (malware.rules)
2029480 - ET MALWARE Win32/AZORult V3.2 Client Checkin M17 (malware.rules)
2029481 - ET MALWARE Win32/AZORult V3.2 Client Checkin M18 (malware.rules)
2029482 - ET MALWARE Win32/AZORult V3.3 Client Checkin M16 (malware.rules)
2029483 - ET MALWARE Win32/AZORult V3.3 Client Checkin M17 (malware.rules)
2029484 - ET MALWARE Win32/AZORult V3.3 Client Checkin M18 (malware.rules)
2029485 - ET MALWARE Win32/AZORult V3.2 Client Checkin M19 (malware.rules)
2029486 - ET MALWARE Win32/AZORult V3.2 Client Checkin M20 (malware.rules)
2029487 - ET MALWARE Win32/AZORult V3.2 Client Checkin M21 (malware.rules)
2029488 - ET MALWARE Win32/AZORult V3.3 Client Checkin M19 (malware.rules)
2029489 - ET MALWARE Win32/AZORult V3.3 Client Checkin M20 (malware.rules)
2029490 - ET MALWARE Win32/AZORult V3.3 Client Checkin M21 (malware.rules)
2034050 - ET MALWARE Win32/AZORult V3.2 Client Checkin M22 (malware.rules)
2034051 - ET MALWARE Win32/AZORult V3.2 Client Checkin M23 (malware.rules)
2034052 - ET MALWARE Win32/AZORult V3.2 Client Checkin M24 (malware.rules)
2034053 - ET MALWARE Win32/AZORult V3.3 Client Checkin M22 (malware.rules)
2034054 - ET MALWARE Win32/AZORult V3.3 Client Checkin M23 (malware.rules)
2034055 - ET MALWARE Win32/AZORult V3.3 Client Checkin M24 (malware.rules)
2038663 - ET MALWARE Win32/Caypnamer.A RAT CnC Keepalive (malware.rules)
2038664 - ET MALWARE Win32/Caypnamer.A RAT CnC Initial Checkin
(malware.rules)
2836359 - ETPRO POLICY Win32/ShowMyPC RDP Session Init (policy.rules)

[---] Removed rules: [---]

2016690 - ET MALWARE Kovter Ransomware Check-in (malware.rules)
2020181 - ET MALWARE WIN32/KOVTER.B Checkin (malware.rules)
2022861 - ET MALWARE Win32.Kovter Client CnC Traffic (malware.rules)
2028400 - ET JA3 Hash - Possible Malware - Various RigEK/Dridex/Kovter
(ja3.rules)
2028401 - ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
(ja3.rules)
2810582 - ETPRO MALWARE WIN32/KOVTER.B Checkin 2 M1 (malware.rules)
2814589 - ETPRO MALWARE WIN32/KOVTER CnC Beacon (malware.rules)
2814590 - ETPRO MALWARE WIN32/KOVTER Checkin (malware.rules)
2815176 - ETPRO MALWARE Likely Kovter Retrieving Additional Payload
(malware.rules)
2816294 - ETPRO MALWARE Evil HTA (Kovter) (malware.rules)
2816295 - ETPRO EXPLOIT_KIT Fake Flash Player Update (Kovter)
(exploit_kit.rules)
2816296 - ETPRO MALWARE Evil HTA (Kovter) M2 (malware.rules)
2816844 - ETPRO MALWARE W32/Kovter Checkin 3 (malware.rules)
2824917 - ETPRO MALWARE Win32/Kovter.A Connectivity Check (malware.rules)
2825073 - ETPRO WEB_CLIENT Evil Redirector Leading to Kovter Soceng Feb
21 2017 (web_client.rules)
2825074 - ETPRO MALWARE Kovter Soceng SSL Certificate Detected
(malware.rules)
2828189 - ETPRO MALWARE WIN32/KOVTER.B Checkin 2 M2 (malware.rules)
2828913 - ETPRO MALWARE WIN32/KOVTER.B Checkin 2 M3 (malware.rules)
2829688 - ETPRO MALWARE Kovter Malicious SSL Certificate Detected
(malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
