[***] Summary: [***]

15 new OPEN, 27 new PRO (15 + 12) Various Android Mobile Malware,
Lazarus, TA404/Zinc, Havoc Framework, and ProxyNotShell
(CVE-2022-41040, CVE-2022-41082)

Thanks @moodYmOnster8, @SentinelOne, @LukasStefanko, @GossiTheDog,
Microsoft MSRC, and Microsoft MSTIC

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2039064 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.aam CnC
Domain in DNS Lookup (mobile_malware.rules)
2039065 - ET EXPLOIT Microsoft Exchange Remote Code Execution
Attempt (CVE-2022-41040, CVE-2022-41082) (exploit.rules)
2039066 - ET WEB_SERVER Antsword Related Webshell Activity (Inbound)
(web_server.rules)
2039067 - ET INFO Anonymous File Sharing Service Domain in DNS
Lookup (send .vis .ee) (info.rules)
2039068 - ET INFO Observed Anonymous File Sharing Service Domain
(send .vis .ee in TLS SNI) (info.rules)
2039069 - ET PHISHING Interac (CA) Account Credential Phish Landing
Page 2022-09-30 (phishing.rules)
2039070 - ET INFO 404 Response with Javascript Variable in Page (info.rules)
2039071 - ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup
(market .contradecapital .com) (malware.rules)
2039072 - ET MALWARE Observed Lazarus Domain
(market .contradecapital .com in TLS SNI) (malware.rules)
2039073 - ET MALWARE Havoc Framework CnC Request (malware.rules)
2039074 - ET MALWARE Havoc Framework CnC Response (malware.rules)
2039075 - ET MALWARE TA404/Zinc Trojanized KiTTY CnC Checkin (malware.rules)
2039076 - ET MALWARE TA404/Zinc Trojanized muPDF/Subliminal CnC
Checkin (malware.rules)
2039077 - ET MALWARE WP CharCode Inject (malware.rules)
2039078 - ET MALWARE SocGholish Domain in DNS Lookup
(premiere .4tosocialbeginners .com) (malware.rules)

Pro:

2852460 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.ar CnC Domain
in DNS Lookup (mobile_malware.rules)
2852461 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SpyNote.pac CnC
Domain in DNS Lookup (mobile_malware.rules)
2852462 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.JYI DNS
Lookup (mobile_malware.rules)
2852463 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CAF CnC Domain in
DNS Lookup (mobile_malware.rules)
2852464 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.qi CnC
Domain in DNS Lookup (mobile_malware.rules)
2852465 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SpyNote.ba CnC
Domain in DNS Lookup (mobile_malware.rules)
2852466 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Bahamut.d CnC
Domain in DNS Lookup (mobile_malware.rules)
2852467 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Lucbot.a CnC
Domain in DNS Lookup (mobile_malware.rules)
2852468 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.TwMobo.m CnC
Domain in DNS Lookup (mobile_malware.rules)
2852469 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-09-29 1) (coinminer.rules)
2852470 - ETPRO MALWARE Win32/Remcos RAT Checkin 839 (malware.rules)
2852471 - ETPRO MALWARE Go/Chaos Checkin Activity (malware.rules)

[///] Modified active rules: [///]

2036596 - ET EXPLOIT [Rapid7] Zyxel ZTP setWanPortSt mtu Parameter
Exploit Attempt (CVE-2022-30525) (exploit.rules)
2038840 - ET MALWARE Brute Ratel Fake User-Agent (malware.rules)
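After pulling this release (for example with suricata-update, which by default writes the merged ruleset to /var/lib/suricata/rules/suricata.rules), a quick check is to confirm that every SID announced above is actually present and enabled in the deployed file, and that the two modified rules came through with a rev bump rather than being left at the old revision. The script below is an added example and is not part of the Emerging Threats announcement or ruleset: it parses a Suricata/Snort rules file, treats a rule whose line starts with '#' as present but disabled, and classifies the announced SIDs as enabled, disabled or missing. The SID lists are taken from the sections above; the embedded rules text is constructed for the demonstration, and its rule bodies are placeholders carrying only msg/classtype/sid/rev, not the real ET signature content.

```python
import re
from typing import Dict, Iterable, List, Tuple

# SIDs announced in this release (from the Open, Pro and Modified lists above).
OPEN_SIDS: List[int] = list(range(2039064, 2039079))   # 2039064 .. 2039078 (15)
PRO_SIDS: List[int] = list(range(2852460, 2852472))    # 2852460 .. 2852471 (12)
MODIFIED_SIDS: List[int] = [2036596, 2038840]

_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_rules(text: str) -> Dict[int, Tuple[bool, int]]:
    """Map sid -> (enabled, rev) for every rule line in a rules file.

    Only lines that carry a 'sid:' option are treated as rules, so plain
    comment lines are ignored. A rule line that begins with '#' is a rule
    that is present in the file but disabled (the usual way suricata-update
    and hand-editing disable a signature).
    """
    rules: Dict[int, Tuple[bool, int]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sid_m = _SID_RE.search(line)
        if not sid_m:
            continue
        enabled = not line.startswith("#")
        rev_m = _REV_RE.search(line)
        rev = int(rev_m.group(1)) if rev_m else 0   # 0 = no rev option present
        rules[int(sid_m.group(1))] = (enabled, rev)
    return rules


def check_sids(rules: Dict[int, Tuple[bool, int]],
               expected: Iterable[int]) -> Dict[str, List[int]]:
    """Classify each expected SID as enabled, disabled (commented out) or missing."""
    report: Dict[str, List[int]] = {"enabled": [], "disabled": [], "missing": []}
    for sid in expected:
        if sid not in rules:
            report["missing"].append(sid)
        elif not rules[sid][0]:
            report["disabled"].append(sid)
        else:
            report["enabled"].append(sid)
    return report


# Constructed sample of a deployed ruleset fragment after the update.
# Rule bodies are placeholders, not the actual ET signatures.
SAMPLE_RULES = """\
# constructed sample ruleset fragment for this check
alert dns $HOME_NET any -> any any (msg:"ET INFO Anonymous File Sharing Service Domain in DNS Lookup (send .vis .ee)"; classtype:misc-activity; sid:2039067; rev:1;)
#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Anonymous File Sharing Service Domain (send .vis .ee in TLS SNI)"; classtype:misc-activity; sid:2039068; rev:1;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Exchange Remote Code Execution Attempt (CVE-2022-41040, CVE-2022-41082)"; classtype:attempted-admin; sid:2039065; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [Rapid7] Zyxel ZTP setWanPortSt mtu Parameter Exploit Attempt (CVE-2022-30525)"; classtype:attempted-admin; sid:2036596; rev:3;)
"""

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for label, sids in (("open", OPEN_SIDS), ("pro", PRO_SIDS), ("modified", MODIFIED_SIDS)):
        r = check_sids(parsed, sids)
        print(f"{label}: {len(r['enabled'])} enabled, {len(r['disabled'])} disabled, "
              f"{len(r['missing'])} missing; missing={r['missing']}")
    for sid in MODIFIED_SIDS:
        if sid in parsed:
            print(f"modified sid {sid} is at rev {parsed[sid][1]} (compare with your previous rev)")
```

Point parse_rules at the real merged rules file instead of SAMPLE_RULES to run it against a deployment; a SID in "disabled" usually means a local disable.conf or modify.conf matched it, while "missing" after a successful update points at a source that was not fetched (for instance the ETPRO feed when only the open ruleset is configured).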
