[***] Summary: [***]

17 new OPEN, 62 new PRO (17 + 45) D-Link RCE, TA444 Domains, Ave
Maria/Warzone RAT.

Thanks @unit42_Intel and @safebreach

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2038780 - ET MALWARE Win32/MagicRAT CnC Activity M1 (malware.rules)
2038797 - ET MALWARE Win32/MagicRAT CnC Activity M2 (malware.rules)
2038781 - ET EXPLOIT D-Link Remote Code Execution Attempt
(CVE-2022-26258) (exploit.rules)
2038782 - ET EXPLOIT D-Link Remote Code Execution Attempt
(CVE-2022-28958) (exploit.rules)
2038783 - ET INFO HTTP Sniffer Domain in TLS SNI (httpdebugger .com)
(info.rules)
2038784 - ET INFO Observed DNS Query to HTTP Sniffer Domain
(httpdebugger .com) (info.rules)
2038785 - ET MALWARE Observed DNS Query to TA444 Domain
(azure-protection .cloud) (malware.rules)
2038786 - ET MALWARE Observed DNS Query to TA444 Domain
(bankofamerica .nyc) (malware.rules)
2038787 - ET MALWARE Observed TA444 Domain (bankofamerica .nyc in
TLS SNI) (malware.rules)
2038788 - ET MALWARE Observed TA444 Domain (azure-protection .cloud
in TLS SNI) (malware.rules)
2038789 - ET MALWARE Observed TA444 Domain (careersbankofamerica .us
in TLS SNI) (malware.rules)
2038790 - ET MALWARE Observed TA444 Domain (azure-protect .online in
TLS SNI) (malware.rules)
2038791 - ET MALWARE Observed TA444 Domain (mufg .tokyo in TLS SNI)
(malware.rules)
2038792 - ET HUNTING Go-http-client POSTing IP Address and Username
(hunting.rules)
2038793 - ET MALWARE Win32/Wacapew.C!ml (malware.rules)
2038794 - ET ADWARE_PUP Win32/Adware.InstallCommerce.A CnC Checkin
(adware_pup.rules)
2038795 - ET ADWARE_PUP MSIL/TrojanDownloader.Agent.ITY Screenshot
Upload Attempt (adware_pup.rules)
2038796 - ET MALWARE Win64/Spy.Agent.EU CnC Checkin (malware.rules)

Pro:

2852313 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bj CnC
Domain in DNS Lookup (mobile_malware.rules)
2852314 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bj CnC
Domain in DNS Lookup (mobile_malware.rules)
2852315 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bj CnC
Domain in DNS Lookup (mobile_malware.rules)
2852316 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BZC CnC Domain in
DNS Lookup (mobile_malware.rules)
2852317 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Agent.kf CnC
Domain in DNS Lookup (mobile_malware.rules)
2852318 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.JNA
Checkin (mobile_malware.rules)
2852319 - ETPRO MOBILE_MALWARE Android.SmsSpy.11312 Checkin
(mobile_malware.rules)
2852320 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Knobot.a
Checkin (mobile_malware.rules)
2852322 - ETPRO HUNTING QWILR Trial Page - Possible Phishing (hunting.rules)
2852323 - ETPRO INFO Observed File Sharing Service Domain (web
.opendrive .com in TLS SNI) (info.rules)
2852324 - ETPRO HUNTING OpenDrive File Download Request (hunting.rules)
2852325 - ETPRO MALWARE MSIL/eXclusive Checkin via Telegram (malware.rules)
2852326 - ETPRO MALWARE Ave Maria/Warzone RAT InitializePacket (malware.rules)
2852327 - ETPRO MALWARE Ave Maria/Warzone RAT BeaconResponse (malware.rules)
2852328 - ETPRO MALWARE Ave Maria/Warzone RAT PingResponse (malware.rules)
2852329 - ETPRO MALWARE Ave Maria/Warzone RAT PingCommand (malware.rules)
2852330 - ETPRO MALWARE Ave Maria/Warzone RAT ListPasswordsCommand
(malware.rules)
2852331 - ETPRO MALWARE Ave Maria/Warzone RAT ListPasswordsResponse
(malware.rules)
2852332 - ETPRO MALWARE Ave Maria/Warzone RAT
DownloadAndExecuteCommand (malware.rules)
2852333 - ETPRO MALWARE Ave Maria/Warzone RAT
DownloadAndExecuteResponse (malware.rules)
2852334 - ETPRO MALWARE Ave Maria/Warzone RAT VNCGetModule (malware.rules)
2852335 - ETPRO MALWARE Ave Maria/Warzone RAT
RemoteModuleLoadResponse (malware.rules)
2852336 - ETPRO MALWARE Ave Maria/Warzone RAT InitializePacket (malware.rules)
2852337 - ETPRO MALWARE Ave Maria/Warzone RAT BeaconResponse (malware.rules)
2852338 - ETPRO MALWARE Ave Maria/Warzone RAT PingCommand (malware.rules)
2852339 - ETPRO MALWARE Ave Maria/Warzone RAT PingResponse (malware.rules)
2852340 - ETPRO MALWARE Ave Maria/Warzone RAT ListPasswordsCommand
(malware.rules)
2852341 - ETPRO MALWARE Ave Maria/Warzone RAT ListPasswordsResponse
(malware.rules)
2852342 - ETPRO MALWARE Ave Maria/Warzone RAT
DownloadAndExecuteCommand (malware.rules)
2852343 - ETPRO MALWARE Ave Maria/Warzone RAT
DownloadAndExecuteResponse (malware.rules)
2852344 - ETPRO MALWARE Ave Maria/Warzone RAT VNCGetModule (malware.rules)
2852345 - ETPRO MALWARE Ave Maria/Warzone RAT
RemoteModuleLoadResponse (malware.rules)
2852346 - ETPRO MALWARE Ave Maria/Warzone RAT InitializePacket (malware.rules)
2852347 - ETPRO MALWARE Ave Maria/Warzone RAT BeaconResponse (malware.rules)
2852348 - ETPRO MALWARE Ave Maria/Warzone RAT PingCommand (malware.rules)
2852349 - ETPRO MALWARE Ave Maria/Warzone RAT PingResponse (malware.rules)
2852350 - ETPRO MALWARE Ave Maria/Warzone RAT ListPasswordsCommand
(malware.rules)
2852351 - ETPRO MALWARE Ave Maria/Warzone RAT ListPasswordsResponse
(malware.rules)
2852352 - ETPRO MALWARE Ave Maria/Warzone RAT
DownloadAndExecuteCommand (malware.rules)
2852353 - ETPRO MALWARE Ave Maria/Warzone RAT
DownloadAndExecuteResponse (malware.rules)
2852354 - ETPRO MALWARE Ave Maria/Warzone RAT
RemoteModuleLoadResponse (malware.rules)
2852355 - ETPRO MALWARE Ave Maria/Warzone RAT VNCGetModule (malware.rules)
2852356 - ETPRO MALWARE Ave Maria/Warzone RAT InitializePacket (malware.rules)
2852357 - ETPRO MALWARE Ave Maria/Warzone RAT BeaconResponse (malware.rules)

[///] Modified active rules: [///]

2021129 - ET MALWARE Blue Bot DDoS Blog Request (malware.rules)
2038734 - ET INFO External IP Address Lookup Domain (ifconfig .pro)
in DNS Lookup (info.rules)
2851550 - ETPRO MALWARE Win32/MetaStealer Fake Avast AV Update (GET)
(malware.rules)
2851933 - ETPRO MALWARE Ave Maria/Warzone RAT ListPasswordsCommand
(malware.rules)
2851934 - ETPRO MALWARE Ave Maria/Warzone RAT
DownloadAndExecuteCommand (malware.rules)
2851945 - ETPRO MALWARE Ave Maria/Warzone RAT PingCommand (malware.rules)
2851946 - ETPRO MALWARE Ave Maria/Warzone RAT PingResponse (malware.rules)
2851948 - ETPRO MALWARE Ave Maria/Warzone RAT VNC GetModule (malware.rules)
2851949 - ETPRO MALWARE Ave Maria/Warzone RAT
RemoteModuleLoadResponse (malware.rules)
2851950 - ETPRO MALWARE Ave Maria/Warzone RAT
DownloadandExecuteResponse (malware.rules)
2851951 - ETPRO MALWARE Ave Maria/Warzone RAT ListPasswordsResponse
(malware.rules)

[---] Removed rules: [---]

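A digest like the one above is usually consumed by hand, but the entries are regular enough to parse: every rule is "SID - RULESET CATEGORY message (file.rules)", wrapped across lines by the mailer, under one of four section headers. The script below is an added example (not Emerging Threats' or Proofpoint's own tooling) that re-joins wrapped entries, splits them into fields, checks the header arithmetic against what is actually listed, and emits the new open SIDs as bare-SID lines, which is one of the line formats suricata-update accepts in enable.conf. The DIGEST string is a constructed excerpt of this update (a handful of entries with the original line wrapping kept), so the per-section listing counts deliberately do not match the header's claimed totals.

```python
import re
from collections import Counter

# Constructed excerpt of the digest above; wrapping preserved as the mailer emits it.
DIGEST = """\
[***] Summary: [***]

17 new OPEN, 62 new PRO (17 + 45) D-Link RCE, TA444 Domains, Ave
Maria/Warzone RAT.

[+++] Added rules: [+++]

Open:

2038780 - ET MALWARE Win32/MagicRAT CnC Activity M1 (malware.rules)
2038781 - ET EXPLOIT D-Link Remote Code Execution Attempt
(CVE-2022-26258) (exploit.rules)
2038785 - ET MALWARE Observed DNS Query to TA444 Domain
(azure-protection .cloud) (malware.rules)

Pro:

2852313 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bj CnC
Domain in DNS Lookup (mobile_malware.rules)
2852326 - ETPRO MALWARE Ave Maria/Warzone RAT InitializePacket (malware.rules)

[///] Modified active rules: [///]

2021129 - ET MALWARE Blue Bot DDoS Blog Request (malware.rules)
2851948 - ETPRO MALWARE Ave Maria/Warzone RAT VNC GetModule (malware.rules)

[---] Removed rules: [---]
"""

# Section headers exactly as the digest prints them, mapped to internal names.
SECTION_HEADERS = {
    "Open:": "added_open",
    "Pro:": "added_pro",
    "[///] Modified active rules: [///]": "modified",
    "[---] Removed rules: [---]": "removed",
}
ENTRY_START = re.compile(r"^\d{7} - ")
ENTRY = re.compile(
    r"^(?P<sid>\d{7}) - (?P<ruleset>ETPRO|ET) (?P<category>[A-Z_]+) "
    r"(?P<msg>.+) \((?P<file>[a-z_]+\.rules)\)$"
)
HEADER = re.compile(
    r"(?P<open>\d+) new OPEN, (?P<pro_total>\d+) new PRO \((?P<a>\d+) \+ (?P<b>\d+)\)"
)


def parse_digest(text):
    """Return {section: [entry dicts]}; wrapped continuation lines are re-joined."""
    sections = {name: [] for name in SECTION_HEADERS.values()}
    current = None
    buf = []

    def flush():
        if current is None or not buf:
            return
        joined = " ".join(buf)
        m = ENTRY.match(joined)
        if not m:
            raise ValueError(f"unparseable entry: {joined!r}")
        entry = m.groupdict()
        entry["sid"] = int(entry["sid"])
        sections[current].append(entry)
        buf.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            flush()
            current = SECTION_HEADERS[line]
            continue
        if current is None or not line:
            flush()  # blank line terminates a wrapped entry; preamble text is ignored
            continue
        if ENTRY_START.match(line):
            flush()  # a new SID starts a new entry
        buf.append(line)
    flush()
    return sections


def check_header(text, sections):
    """Compare the summary line's claimed counts with the entries actually listed."""
    m = HEADER.search(text)
    if not m:
        return None
    claimed = {k: int(v) for k, v in m.groupdict().items()}
    listed = {name: len(entries) for name, entries in sections.items()}
    return {
        "claimed": claimed,
        "listed": listed,
        # "(a + b)" is meant to sum to the PRO total.
        "arithmetic_ok": claimed["a"] + claimed["b"] == claimed["pro_total"],
        "listing_matches": claimed["open"] == listed["added_open"]
        and claimed["b"] == listed["added_pro"],
    }


def enable_conf_lines(sections, include_pro=False):
    """Bare-SID lines for suricata-update's enable.conf, one per newly added rule."""
    keys = ["added_open"] + (["added_pro"] if include_pro else [])
    return [str(e["sid"]) for k in keys for e in sections[k]]


def category_counts(sections):
    """How many new rules landed in each ET category (e.g. MALWARE, EXPLOIT)."""
    return Counter(e["category"] for k in ("added_open", "added_pro") for e in sections[k])


if __name__ == "__main__":
    parsed = parse_digest(DIGEST)
    print(check_header(DIGEST, parsed))
    print(category_counts(parsed))
    print("\n".join(enable_conf_lines(parsed)))
```

Pointing the script at the full text of the update instead of the excerpt makes `listing_matches` meaningful; on this digest the listed open and pro-only counts can then be compared directly with the "17 + 45" the summary line claims.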