[***] Summary: [***]

22 new OPEN, 32 new PRO (22 + 10). Win32/MagicRAT, TA444, Win32/Remcos,
Various Others.

Thanks @RESecurity

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2038751 - ET MALWARE Suspected Chinese Based APT Malware Retrieving File (GET) (malware.rules)
2038752 - ET MALWARE Chinese Based APT Related Domain in DNS Lookup (ramblercloud .com) (malware.rules)
2038753 - ET MALWARE Observed Chinese APT Related Domain (ramblercloud .com in TLS SNI) (malware.rules)
2038754 - ET HUNTING Downloaded Powershell Script Detects AV Product (hunting.rules)
2038755 - ET MALWARE Observed DNS Query to Temporary File Hosting Domain (temp .sh) (malware.rules)
2038756 - ET MALWARE Temporary File Hosting Domain in TLS SNI (temp .sh) (malware.rules)
2038757 - ET MALWARE Observed DNS Query to EvilProxy Domain (msdnmail .net) (malware.rules)
2038758 - ET MALWARE Observed DNS Query to EvilProxy Domain (evilproxy .pro) (malware.rules)
2038759 - ET MALWARE Observed DNS Query to EvilProxy Domain (rproxy .io) (malware.rules)
2038760 - ET MALWARE Observed DNS Query to EvilProxy Domain (pua75npooc4ekrkkppdglaleftn5mi2hxsunz5uuup6uxqmen4deepyd .onion) (malware.rules)
2038761 - ET MALWARE Observed DNS Query to EvilProxy Domain (top-cyber .club) (malware.rules)
2038762 - ET MALWARE Observed DNS Query to TA444 Domain (careersbankofamerica .us) (malware.rules)
2038763 - ET MALWARE Observed DNS Query to TA444 Domain (mufg .tokyo) (malware.rules)
2038764 - ET MALWARE Observed DNS Query to TA444 Domain (azure-protect .online) (malware.rules)
2038765 - ET MALWARE Win32/MagicRAT CnC Checkin M1 (malware.rules)
2038766 - ET MALWARE Win32/MagicRAT CnC Checkin M2 (malware.rules)
2038767 - ET MALWARE Win32/MagicRAT Additional Payload URI M1 (malware.rules)
2038768 - ET MALWARE Win32/MagicRAT Additional Payload URI M2 (malware.rules)
2038769 - ET MALWARE Win32/MagicRAT Additional Payload URI M3 (malware.rules)
2038770 - ET MALWARE Win32/MagicRAT Additional Payload URI M4 (malware.rules)
2038771 - ET MALWARE MagicRAT CnC Domain (gendoraduragonkgp126 .com) in DNS Lookup (malware.rules)
2038772 - ET MALWARE Chinese Based APT Related Malware Sending System Information (POST) (malware.rules)

Pro:

2852300 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-09-07 1) (coinminer.rules)
2852301 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-09-07 2) (coinminer.rules)
2852302 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-09-07 3) (coinminer.rules)
2852303 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-09-07 4) (coinminer.rules)
2852304 - ETPRO MALWARE MSIL/Bossko Downloader Checkin (malware.rules)
2852305 - ETPRO MALWARE Win32/Remcos RAT Checkin 831 (malware.rules)
2852306 - ETPRO MALWARE Win32/Remcos RAT Checkin 832 (malware.rules)

[///] Modified active rules: [///]

2038744 - ET PHISHING Successful Generic Credential Phish (.ngrok .io) (phishing.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
