[***] Summary: [***]
61 new OPEN, 83 new PRO (61 + 22) Ursnif, Win32\Cryptbot, ROMCOM RAT, Kutaki Stealer, Tons of Mobile Malware, CoinMiner, and Various Phish
Thanks @James_inthe_box @500mk500 @BlackBerry @Unit42_Intel @JAMESWT_MHT @cyb3rops
Happy Free Sig Friday!
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2039683 - ET ATTACK_RESPONSE Possible PowerShell AMSI Bypass Inbound (attack_response.rules)
2039684 - ET INFO localhost .run Domain in DNS Lookup DNS Lookup (.lhr .life) (info.rules)
2039685 - ET INFO localhost .run Domain in DNS Lookup DNS Lookup (.lhr .rocks) (info.rules)
2039686 - ET INFO localhost .run Domain in DNS Lookup DNS Lookup (.lhrtunnel .link) (info.rules)
2039687 - ET INFO localhost .run TLS Certification Observed (info.rules)
2039688 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039689 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039690 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039691 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039692 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039693 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039694 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039695 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039696 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039697 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039698 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039699 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039700 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039701 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039702 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039703 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039704 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039705 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039706 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039707 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039708 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039709 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039710 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039711 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039712 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039713 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039714 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039715 - ET MALWARE Observed DNS Query to Hyperion Obfuscator Domain (plague .fun) (malware.rules)
2039716 - ET MALWARE Hyperion Obfuscator Payload Inbound (malware.rules)
2039717 - ET PHISHING Twitter Credential Phish Landing Page 2022-11-04 (phishing.rules)
2039718 - ET MALWARE Win32/DataStealer.P CnC Checkin (malware.rules)
2039719 - ET MALWARE Win32/Delf.UUW CnC Keep-Alive (malware.rules)
2039720 - ET MALWARE Win32\Cryptbot CnC Domain (kyrsti44 .top) in DNS Lookup (malware.rules)
2039721 - ET MALWARE Win32\Cryptbot CnC Domain (okwnyw02 .top) in DNS Lookup (malware.rules)
2039722 - ET MALWARE Win32\Cryptbot CnC Domain (okwydg05 .top) in DNS Lookup (malware.rules)
2039723 - ET MALWARE Win32\Cryptbot CnC Domain (towcqx32 .top) in DNS Lookup (malware.rules)
2039724 - ET MALWARE Win32\Cryptbot CnC Domain (okwerh01 .top) in DNS Lookup (malware.rules)
2039725 - ET MALWARE Win32\Cryptbot CnC Domain (suqzyt03 .top) in DNS Lookup (malware.rules)
2039726 - ET MALWARE Win32\Cryptbot CnC Domain (suqyjb01 .top) in DNS Lookup (malware.rules)
2039727 - ET MALWARE Win32\Cryptbot CnC Domain (okwyeg04 .top) in DNS Lookup (malware.rules)
2039728 - ET MALWARE Win32\Cryptbot CnC Domain (pefjfw62 .top) in DNS Lookup (malware.rules)
2039729 - ET MALWARE Win32\Cryptbot CnC Domain (suqpvu08 .top) in DNS Lookup (malware.rules)
2039730 - ET MALWARE Win32\Cryptbot CnC Domain (towhfs22 .top) in DNS Lookup (malware.rules)
2039731 - ET MALWARE Win32\Cryptbot CnC Domain (suqosk04 .top) in DNS Lookup (malware.rules)
2039732 - ET MALWARE Win32\Cryptbot CnC Domain (suqyqu10 .top) in DNS Lookup (malware.rules)
2039733 - ET MALWARE Win32\Cryptbot CnC Domain (kyrjwt45 .top) in DNS Lookup (malware.rules)
2039734 - ET MALWARE Win32\Cryptbot CnC Domain (suqzpe02 .top) in DNS Lookup (malware.rules)
2039735 - ET MALWARE Win32\Cryptbot CnC Domain (suqycd05 .top) in DNS Lookup (malware.rules)
2039736 - ET MALWARE Win32\Cryptbot CnC Domain (suqoyw07 .top) in DNS Lookup (malware.rules)
2039737 - ET MALWARE Win32\Cryptbot CnC Domain (towspd42 .top) in DNS Lookup (malware.rules)
2039738 - ET MALWARE ROMCOM RAT CnC Domain (you-supported .com) in DNS Lookup (malware.rules)
2039739 - ET MALWARE ROMCOM RAT Campaign Domain (wveeam .com) in DNS Lookup (malware.rules)
2039740 - ET MALWARE ROMCOM RAT Campaign Domain (keepas .org) in DNS Lookup (malware.rules)
2039741 - ET MALWARE Kutaki Stealer CnC Domain (terebinnahicc .club) in DNS Lookup (malware.rules)
2039742 - ET MALWARE Kutaki Stealer CnC Domain (treysbeatend .com) in DNS Lookup (malware.rules)
2039743 - ET PHISHING Successful Nordea Netbank Credential Phish 2022-11-04 (phishing.rules)
Pro:
2852773 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.JFU CnC Domain in DNS Lookup (mobile_malware.rules)
2852774 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.JFU CnC Domain in DNS Lookup (mobile_malware.rules)
2852775 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.JFU CnC Domain in DNS Lookup (mobile_malware.rules)
2852776 - ETPRO MOBILE_MALWARE Observed Android/TrojanDownloader.Agent.AEH Domain in TLS SNI (mobile_malware.rules)
2852777 - ETPRO MOBILE_MALWARE Android/Spy.Facestealer.EF Checkin (mobile_malware.rules)
2852778 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.XC CnC Domain in DNS Lookup (mobile_malware.rules)
2852779 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.aroh CnC Domain in DNS Lookup (mobile_malware.rules)
2852780 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.ss CnC Beacon (mobile_malware.rules)
2852781 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.HDA Checkin (mobile_malware.rules)
2852782 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Fakecalls.at CnC Domain in DNS Lookup (mobile_malware.rules)
2852783 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Domain in DNS Lookup (mobile_malware.rules)
2852784 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Domain in DNS Lookup (mobile_malware.rules)
2852785 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.arpb CnC Domain in DNS Lookup (mobile_malware.rules)
2852786 - ETPRO MOBILE_MALWARE Android.Backdoor.685 CnC Domain in DNS Lookup (mobile_malware.rules)
2852787 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Domain in DNS Lookup (mobile_malware.rules)
2852788 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Domain in DNS Lookup (mobile_malware.rules)
2852789 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Hiddapp.ch CnC Domain in DNS Lookup (mobile_malware.rules)
2852790 - ETPRO MOBILE_MALWARE Android/Spy.Banker.BOF CnC Domain in DNS Lookup (mobile_malware.rules)
2852791 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Jocker.ei CnC Domain in DNS Lookup (mobile_malware.rules)
2852792 - ETPRO MOBILE_MALWARE Android/Spy.Agent.ACD Checkin (mobile_malware.rules)
2852793 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Fakecalls.at Checkin 2 (mobile_malware.rules)
2852794 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-11-04 1) (coinminer.rules)