[***] Summary: [***]

26 new OPEN, 27 new PRO (26 + 1) LazyScripter, Win32/Sephus,
SocGholish, and TA569

Thanks @malware_traffic @malwrhunterteam

We are beginning to stand up our public discussion forum at
https://community.emergingthreats.net/. We will be posting signature
guidance, writeups, and tutorials there.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2039011 - ET MALWARE LazyScripter APT Related Domain in DNS Lookup
(hpsj .firewall-gateway .net) (malware.rules)
2039012 - ET MALWARE LazyScripter APT Related Activity (GET) (malware.rules)
2039013 - ET MALWARE Lazyscripter APT Related Activity (Inbound)
(malware.rules)
2039014 - ET MALWARE Win32/Sephus Related Domain in DNS Lookup
(sephus .me) (malware.rules)
2039015 - ET MALWARE Win32/Sephus Related Activity (GET) (malware.rules)
2039016 - ET MALWARE Win32/Sephus Related Activity (POST) (malware.rules)
2039017 - ET PHISHING Successful TA398/Sidewinder APT Related Phish
2022-09-28 (phishing.rules)
2039018 - ET MALWARE DNSBin Demo (requestbin .net) - Data Exfil M2
(malware.rules)
2039019 - ET MALWARE Win32/Variant.Babar.74963 CnC Exfil (malware.rules)
2039020 - ET PHISHING Generic Credential Theft Landing Page M1
2022-09-28 (phishing.rules)
2039021 - ET PHISHING Generic Credential Theft Landing Page M2
2022-09-28 (phishing.rules)
2039022 - ET MALWARE Win32/SaintStealer Data Exfiltration Attempt M2
(malware.rules)
2039023 - ET MALWARE Maldoc Domain (word2022 .c1 .biz) in DNS Lookup
(malware.rules)
2039024 - ET MALWARE TigerHunter DOTM CnC Checkin (malware.rules)
2039025 - ET PHISHING Successful Generic Credential Phish (phishing.rules)
2039026 - ET MALWARE SocGholish Domain in DNS Lookup (soendorg .top)
(malware.rules)
2039027 - ET MALWARE TA569 Domain in DNS Lookup (luxury-limousine .com) (malware.rules)
2039028 - ET MALWARE TA569 sczriptzzbn JavaScript Inject (malware.rules)
2039029 - ET MALWARE TA569 Fake Captcha Download (malware.rules)
2039030 - ET MALWARE TA569 Domain in DNS Lookup (skambio-porte .com)
(malware.rules)
2039031 - ET MALWARE TA569 Fake Browser Update (malware.rules)
2039032 - ET MALWARE SocGholish Domain in DNS Lookup (training .c1ypsilanti .org) (malware.rules)
2039033 - ET MALWARE SocGholish Domain in DNS Lookup (engine .discoveryhypnosis .com) (malware.rules)
2039034 - ET MALWARE SocGholish Domain in DNS Lookup (fundraising .mystylingmylife .xyz) (malware.rules)
2039035 - ET MALWARE SocGholish Domain in DNS Lookup (resale .adkelly .com) (malware.rules)
2039036 - ET MALWARE SocGholish Domain in DNS Lookup (auction .wonderwomanquilts .com) (malware.rules)

Pro:

2852451 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-09-28 1) (coinminer.rules)

[///] Modified active rules: [///]

2034940 - ET MALWARE Powershell Octopus Backdoor Activity (GET)
(malware.rules)
2036590 - ET MALWARE Win32/Throwback CnC Activity (POST) (malware.rules)
2840017 - ETPRO MALWARE Powershell.WC/Octopus Backdoor CnC Initial
Checkin (malware.rules)
2840018 - ETPRO MALWARE Powershell.WC/Octopus Backdoor CnC -
Heartbeat (malware.rules)
2850024 - ETPRO MALWARE Powershell.WC Octopus Backdoor Sending
Windows Information M2 (POST) (malware.rules)

[///] Modified inactive rules: [///]

2850333 - ETPRO MALWARE Powershell.WC Octopus Backdoor Activity
(View) (malware.rules)

[---] Removed rules: [---]

2852450 - ETPRO MALWARE Fake Browser Update (malware.rules)
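The listing above follows the fixed layout of the ET daily changelog: a section banner ([+++], [///] or [---]), optional Open:/Pro: subheadings under the added rules, and one entry per rule in the form "SID - message (file.rules)", with long entries wrapped onto a continuation line by the mailing-list formatting. The Python below is an added example, not ET's own tooling: it parses that layout into structured records, rejoins wrapped entries, refangs the spaced hostnames that appear in the DNS-lookup rule names, and reproduces the header's "N new OPEN, M new PRO (N + k)" count, where the PRO figure is every open rule plus the ETPRO-only additions. The excerpt it runs on is constructed from entries in this changelog; the section and heading strings it keys on are the ones visible on the page.

```python
"""Parse an Emerging Threats daily ruleset changelog into structured entries."""
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the changelog above, including entries
# that the mailing-list rendering wrapped across two lines.
SAMPLE = """\
[+++] Added rules: [+++]

Open:

2039011 - ET MALWARE LazyScripter APT Related Domain in DNS Lookup
(hpsj .firewall-gateway .net) (malware.rules)
2039026 - ET MALWARE SocGholish Domain in DNS Lookup (soendorg .top)
(malware.rules)
2039027 - ET MALWARE TA569 Domain in DNS Lookup (luxury-limousine
.com) (malware.rules)

Pro:

2852451 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-09-28 1) (coinminer.rules)

[///] Modified active rules: [///]

2034940 - ET MALWARE Powershell Octopus Backdoor Activity (GET)
(malware.rules)

[---] Removed rules: [---]

2852450 - ETPRO MALWARE Fake Browser Update (malware.rules)
"""

SECTION_RE = re.compile(r"^\[(?:\+\+\+|///|---)\]\s+(.+?):\s+\[")  # "[+++] Added rules: [+++]"
ENTRY_RE = re.compile(r"^(\d{4,})\s+-\s+(.*)$")                    # "2039011 - ET MALWARE ..."
FILE_RE = re.compile(r"\s*\(([\w.-]+\.rules)\)\s*$")                # trailing "(malware.rules)"
# Defanged hostnames inside rule names, e.g. "(hpsj .firewall-gateway .net)".
DEFANGED_RE = re.compile(r"\(([\w-]+(?: \.[\w-]+)+)\)")
TIER_HEADINGS = {"Open:", "Pro:"}


@dataclass
class Entry:
    sid: int
    section: str              # "Added rules", "Modified active rules", ...
    tier: str                 # "Open" for ET rules, "Pro" for ETPRO rules
    message: str              # rule msg with the "(file.rules)" suffix removed
    rule_file: str
    domains: list = field(default_factory=list)  # refanged hostnames


def _finish(sid, parts, section):
    """Join the accumulated lines of one entry and split out its fields."""
    text = " ".join(parts)
    m = FILE_RE.search(text)
    rule_file = m.group(1) if m else ""
    msg = FILE_RE.sub("", text)
    tier = "Pro" if msg.startswith("ETPRO ") else "Open"
    domains = [d.replace(" .", ".") for d in DEFANGED_RE.findall(msg)]
    return Entry(sid, section, tier, msg, rule_file, domains)


def parse_changelog(text):
    entries, section, sid, parts = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        ent = ENTRY_RE.match(line)
        # A banner, a new SID, a tier heading or a blank line ends the
        # entry being accumulated; anything else is a wrapped continuation.
        if sid is not None and (sec or ent or not line or line in TIER_HEADINGS):
            entries.append(_finish(sid, parts, section))
            sid, parts = None, []
        if sec:
            section = sec.group(1)
        elif ent:
            sid, parts = int(ent.group(1)), [ent.group(2)]
        elif line and line not in TIER_HEADINGS and sid is not None:
            parts.append(line)
    if sid is not None:
        entries.append(_finish(sid, parts, section))
    return entries


def added_counts(entries):
    """Reproduce the header convention "N new OPEN, M new PRO (N + k)":
    Pro subscribers receive every open rule plus the ETPRO-only ones."""
    added = [e for e in entries if e.section == "Added rules"]
    n_open = sum(e.tier == "Open" for e in added)
    n_pro_only = sum(e.tier == "Pro" for e in added)
    return n_open, n_open + n_pro_only


def sids_in(entries, section):
    """Sorted SIDs of one section, e.g. the removed rules to prune from a
    local suricata-update enable.conf/disable.conf (one SID per line)."""
    return sorted(e.sid for e in entries if e.section == section)


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("open/pro added:", added_counts(parsed))
    for e in parsed:
        print(e.sid, e.section, e.tier, e.rule_file, e.domains)
```

Run against the full message rather than the excerpt, the open/pro count should match the "26 new OPEN, 27 new PRO (26 + 1)" header, and the refanged hostnames from the DNS-lookup rules give a block list that can be checked against passive DNS or resolver logs independently of the IDS.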
