[***] Summary: [***]
59 new OPEN, 61 new PRO (59 + 2) Emotet, Ursnif, CoinMiner, Win32/FlyStudio.OJJ
Thanks @Mandiant @Thingzeye
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2039624 - ET MALWARE Emotet Style Request Activity (GET) (malware.rules)
2039625 - ET MALWARE Observed DNS Query to Ursnif Domain (lionnik .xyz) (malware.rules)
2039626 - ET MALWARE Observed DNS Query to Ursnif Domain (fishenddog .xyz) (malware.rules)
2039627 - ET MALWARE Observed DNS Query to Ursnif Domain (astope .xyz) (malware.rules)
2039628 - ET MALWARE Observed DNS Query to Ursnif Domain (mamount .cyou) (malware.rules)
2039629 - ET MALWARE Observed DNS Query to Ursnif Domain (pinki .cyou) (malware.rules)
2039630 - ET MALWARE Observed DNS Query to Ursnif Domain (daydayvin .xyz) (malware.rules)
2039631 - ET MALWARE Observed DNS Query to Ursnif Domain (kidup .xyz) (malware.rules)
2039632 - ET MALWARE Observed DNS Query to Ursnif Domain (damnater .com) (malware.rules)
2039633 - ET MALWARE Observed DNS Query to Ursnif Domain (minotos .xyz) (malware.rules)
2039634 - ET MALWARE Observed DNS Query to Ursnif Domain (isteros .com) (malware.rules)
2039635 - ET MALWARE Observed DNS Query to Ursnif Domain (dodstep .cyou) (malware.rules)
2039636 - ET MALWARE Observed DNS Query to Ursnif Domain (logotep .xyz) (malware.rules)
2039637 - ET MALWARE Observed DNS Query to Ursnif Domain (higmon .cyou) (malware.rules)
2039638 - ET MALWARE Observed DNS Query to Ursnif Domain (gigiman .xyz) (malware.rules)
2039639 - ET MALWARE Observed DNS Query to Ursnif Domain (fineg .xyz) (malware.rules)
2039640 - ET MALWARE Observed DNS Query to Ursnif Domain (pipap .xyz) (malware.rules)
2039641 - ET MALWARE Observed DNS Query to Ursnif Domain (prises .cyou) (malware.rules)
2039642 - ET MALWARE Observed DNS Query to Ursnif Domain (binchfog .xyz) (malware.rules)
2039643 - ET MALWARE Observed DNS Query to Ursnif Domain (gigeram .com) (malware.rules)
2039644 - ET MALWARE Observed DNS Query to Ursnif Domain (mainwog .xyz) (malware.rules)
2039645 - ET MALWARE Observed DNS Query to Ursnif Domain (gigimas .xyz) (malware.rules)
2039646 - ET MALWARE Observed DNS Query to Ursnif Domain (tornton .xyz) (malware.rules)
2039647 - ET MALWARE Observed DNS Query to Ursnif Domain (dodsman .com) (malware.rules)
2039648 - ET MALWARE Observed DNS Query to Ursnif Domain (rorfog .com) (malware.rules)
2039649 - ET MALWARE Observed DNS Query to Ursnif Domain (reaso .xyz) (malware.rules)
2039650 - ET MALWARE Observed DNS Query to Ursnif Domain (giantos .xyz) (malware.rules)
2039651 - ET MALWARE Observed Ursnif Domain in TLS SNI (lionnik .xyz) (malware.rules)
2039652 - ET MALWARE Observed Ursnif Domain in TLS SNI (fishenddog .xyz) (malware.rules)
2039653 - ET MALWARE Observed Ursnif Domain in TLS SNI (astope .xyz) (malware.rules)
2039654 - ET MALWARE Observed Ursnif Domain in TLS SNI (mamount .cyou) (malware.rules)
2039655 - ET MALWARE Observed Ursnif Domain in TLS SNI (pinki .cyou) (malware.rules)
2039656 - ET MALWARE Observed Ursnif Domain in TLS SNI (daydayvin .xyz) (malware.rules)
2039657 - ET MALWARE Observed Ursnif Domain in TLS SNI (kidup .xyz) (malware.rules)
2039658 - ET MALWARE Observed Ursnif Domain in TLS SNI (damnater .com) (malware.rules)
2039659 - ET MALWARE Observed Ursnif Domain in TLS SNI (minotos .xyz) (malware.rules)
2039660 - ET MALWARE Observed Ursnif Domain in TLS SNI (isteros .com) (malware.rules)
2039661 - ET MALWARE Observed Ursnif Domain in TLS SNI (dodstep .cyou) (malware.rules)
2039662 - ET MALWARE Observed Ursnif Domain in TLS SNI (logotep .xyz) (malware.rules)
2039663 - ET MALWARE Observed Ursnif Domain in TLS SNI (higmon .cyou) (malware.rules)
2039664 - ET MALWARE Observed Ursnif Domain in TLS SNI (vavilgo .xyz) (malware.rules)
2039665 - ET MALWARE Observed Ursnif Domain in TLS SNI (gigiman .xyz) (malware.rules)
2039666 - ET MALWARE Observed Ursnif Domain in TLS SNI (fineg .xyz) (malware.rules)
2039667 - ET MALWARE Observed Ursnif Domain in TLS SNI (pipap .xyz) (malware.rules)
2039668 - ET MALWARE Observed Ursnif Domain in TLS SNI (prises .cyou) (malware.rules)
2039669 - ET MALWARE Observed Ursnif Domain in TLS SNI (binchfog .xyz) (malware.rules)
2039670 - ET MALWARE Observed Ursnif Domain in TLS SNI (gigeram .com) (malware.rules)
2039671 - ET MALWARE Observed Ursnif Domain in TLS SNI (mainwog .xyz) (malware.rules)
2039672 - ET MALWARE Observed Ursnif Domain in TLS SNI (gigimas .xyz) (malware.rules)
2039673 - ET MALWARE Observed Ursnif Domain in TLS SNI (fingerpin .cyou) (malware.rules)
2039674 - ET MALWARE Observed Ursnif Domain in TLS SNI (tornton .xyz) (malware.rules)
2039675 - ET MALWARE Observed Ursnif Domain in TLS SNI (dodsman .com) (malware.rules)
2039676 - ET MALWARE Observed Ursnif Domain in TLS SNI (rorfog .com) (malware.rules)
2039677 - ET MALWARE Observed Ursnif Domain in TLS SNI (reaso .xyz) (malware.rules)
2039678 - ET MALWARE Observed Ursnif Domain in TLS SNI (giantos .xyz) (malware.rules)
2039679 - ET MALWARE Win32/Ursnif LDR4 Beacon (POST) (malware.rules)
2039680 - ET MALWARE EICAR File Sent With X-Powered By Kaspersky Labs 2022-11-03 (malware.rules)
2039681 - ET MALWARE Win32/FlyStudio.OJJ CnC Checkin (malware.rules)
2039682 - ET INFO External IP Lookup Domain (peoplesearch .real .com) in DNS Lookup (info.rules)
Pro:
2852771 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-11-03 1) (coinminer.rules)
2852772 - ETPRO PHISHING Successful Credem Banking Phish 2022-11-03 (phishing.rules)
[///] Modified active rules: [///]
2839423 - ETPRO EXPLOIT_KIT PurpleFox EK Framework Certificate Observed (exploit_kit.rules)
[---] Disabled and modified rules: [---]
2009986 - ET P2P Octoshape UDP Session (p2p.rules)
2014703 - ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set (dns.rules)
2850028 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M1 flowbit set (CVE-2021-22005) (exploit.rules)
2850029 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M2 flowbit set (CVE-2021-22005) (exploit.rules)
2850030 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M3 flowbit set (CVE-2021-22005) (exploit.rules)
2850031 - ETPRO EXPLOIT VMWare vCenter - Server Responded to Request For Path Vulnerable to RCE (CVE-2021-22005) (exploit.rules)
2850055 - ETPRO EXPLOIT VMware vCenter RCE Exploitation Attempt M1 (CVE-2021-22005) (exploit.rules)