[***] Summary: [***]

5 new OPEN, 11 new PRO (5 + 6). SocGholish, Remcos, Aurora Stealer,
Various Others.

The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Open:

2039813 - ET HUNTING 7-zip Executable Requested (GET) (hunting.rules)
2039814 - ET INFO DYNAMIC_DNS Query to ath .cx Domain (info.rules)
2039815 - ET MALWARE Win32/Filecoder.OJC CnC Checkin (malware.rules)
2039816 - ET MALWARE Golang Aurora Stealer Exfil Activity (malware.rules)
2039817 - ET MALWARE SocGholish Domain in DNS Lookup (mini .ptipexcel
.com) (malware.rules)

Pro:

2852835 - ETPRO MALWARE Win32/Remcos RAT Checkin 850 (malware.rules)
2852836 - ETPRO MALWARE Win32/Remcos RAT Checkin 851 (malware.rules)
2852837 - ETPRO PHISHING Successful Generic Phish 2022-11-21
(phishing.rules)
2852838 - ETPRO PHISHING Successful Cembra Money Bank Phish 2022-11-21
(phishing.rules)
2852839 - ETPRO PHISHING Successful Twitter Credential Phish 2022-11-18
(phishing.rules)
2852840 - ETPRO PHISHING Twitter Phish Landing Page 2022-11-18
(phishing.rules)

[///] Modified active rules: [///]

2016379 - ET INFO JAR Containing Executable Downloaded (info.rules)
2023231 - ET WEB_SERVER HTTP Request to a *.33db9538.com domain - Anuna
Checkin - Compromised PHP Site (web_server.rules)
2023234 - ET WEB_SERVER HTTP Request to a *.54dfa1cb.com domain - Anuna
Checkin - Compromised PHP Site (web_server.rules)
2023668 - ET INFO Unconfigured nginx Access (info.rules)
2023882 - ET INFO HTTP Request to a *.top domain (info.rules)
2025553 - ET INFO Possible Rogue LoJack Asset Tracking Agent (info.rules)
2025627 - ET INFO [eSentire] Possible Kali Linux Updates (info.rules)
2026758 - ET INFO External Host Probing for ChromeCast Devices
(info.rules)
2026888 - ET INFO DNS Query for Suspicious .icu Domain (info.rules)
2026889 - ET INFO Suspicious Domain (*.icu) in TLS SNI (info.rules)
2026988 - ET INFO PowerShell NoProfile Command Received In Powershell
Stagers (info.rules)
2026995 - ET INFO PowerShell DownloadString Command Common In Powershell
Stagers (info.rules)
2027251 - ET INFO Dotted Quad Host DOC Request (info.rules)
2027265 - ET INFO Dotted Quad Host PDF Request (info.rules)
2027863 - ET INFO Observed DNS Query to .biz TLD (info.rules)
2027864 - ET INFO Observed DNS Query to .okinawa TLD (info.rules)
2027865 - ET INFO Observed DNS Query to .cloud TLD (info.rules)
2027866 - ET INFO Observed DNS Query to .desi TLD (info.rules)
2027867 - ET INFO Observed DNS Query to .life TLD (info.rules)
2027868 - ET INFO Observed DNS Query to .work TLD (info.rules)
2027870 - ET INFO Observed DNS Query to .world TLD (info.rules)
2027871 - ET INFO Observed DNS Query to .fit TLD (info.rules)
2027874 - ET INFO HTTP Request to Suspicious *.cloud Domain (info.rules)
2027876 - ET INFO HTTP Request to Suspicious *.life Domain (info.rules)
2027877 - ET INFO HTTP Request to Suspicious *.work Domain (info.rules)
2027879 - ET INFO HTTP Request to Suspicious *.world Domain (info.rules)
2033830 - ET MALWARE HCRootkit CnC Domain in DNS Lookup
(hkxpqdtgsucylodaejmzmtnkpfvojabe .com) (malware.rules)
2033831 - ET MALWARE HCRootkit CnC Domain in DNS Lookup
(etzndtcvqvyxajpcgwkzsoweaubilflh .com) (malware.rules)
2033832 - ET MALWARE HCRootkit CnC Domain in DNS Lookup
(esnoptdkkiirzewlpgmccbwuynvxjumf .name) (malware.rules)
2034561 - ET INFO Observed DNS Query to Commonly Abused Preview Domain
(preview-domain .com) (info.rules)
2034634 - ET INFO webhook .site in TLS SNI (info.rules)
2034635 - ET INFO Python BaseHTTP ServerBanner (info.rules)
2035227 - ET INFO URL Shortener Service Domain in DNS Lookup (vk .sv)
(info.rules)
2035538 - ET INFO infinityfree .net Domain in DNS Lookup (info.rules)
2035655 - ET INFO Image Hosting Domain in DNS Lookup (hizliresim .com)
(info.rules)
2036642 - ET MALWARE Bitter APT Related Domain in DNS Lookup
(emshedulersvc .com) (malware.rules)
2036644 - ET MALWARE Bitter APT Related Domain in DNS Lookup
(diyefosterfeeds .com) (malware.rules)
2036873 - ET INFO Peer-to-Peer File Sharing Service Domain in DNS Lookup
(ipfs .io) (info.rules)
2037269 - ET INFO Custom Logo Domain Domain in DNS Lookup (logodownload
.org) (info.rules)
2037763 - ET INFO Observed File Sharing Domain (roamresearch .com in TLS
SNI) (info.rules)
2038532 - ET MALWARE Shuckworm/Gamaredon CnC Domain (heato .ru) in DNS
Lookup (malware.rules)
2038533 - ET MALWARE Shuckworm/Gamaredon CnC Domain (motoristo .ru) in
DNS Lookup (malware.rules)
2038741 - ET INFO URL Shortening Service Domain in DNS Lookup (www
.temporary-url .com) (info.rules)
2038743 - ET MALWARE Suspected Win32/TinyNode Activity (Outbound)
(malware.rules)
2819915 - ETPRO MALWARE Jupiter Banker/Bolek/Kbot DNS Lookup
(malware.rules)
2822354 - ETPRO INFO DNS Query to server.com (Possible Misconfiguration)
(info.rules)
2823117 - ETPRO INFO DNS TXT Response Contains URL (info.rules)
2823554 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup
(mobile_malware.rules)
2827579 - ETPRO INFO .moe Domain in TLS SNI (info.rules)
2828218 - ETPRO MALWARE Cerber Domain Observed (1mudaw .top in TLS SNI)
(malware.rules)
2832311 - ETPRO MALWARE SocketPlayer Netflix Killswitch DNS Lookup 3
(asdkaaskdlaksdjjkjsdnddasakkkaksjdjndkjansdkswda) (malware.rules)
2833171 - ETPRO INFO Dynamic DNS Provider DNS Lookup (gotdns .ch)
(info.rules)
2833891 - ETPRO MALWARE SocketPlayer Netflix Killswitch DNS Lookup 5
(opkqpowekdasdoaijsdoiiowqewqewowekkjndkjansdka) (malware.rules)
2834878 - ETPRO HUNTING Suspicious Registrar Nameservers in DNS Response
(internet .bs) (hunting.rules)
2838131 - ETPRO INFO HTTP Request with Lowercase connection Header
Observed (info.rules)
2838132 - ETPRO INFO HTTP Request with Lowercase accept Header Observed
(info.rules)
2838428 - ETPRO MALWARE Observed Malicious SSL Cert (Inception Group CnC)
(malware.rules)
2838429 - ETPRO MALWARE Observed Malicious SSL Cert (Inception Group CnC)
(malware.rules)
2844625 - ETPRO MALWARE Observed Glupteba CnC Domain in TLS SNI
(malware.rules)
2849245 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 158
(mobile_malware.rules)
2851070 - ETPRO INFO AdGuard DNS Over HTTPS Certificate Inbound
(info.rules)
2851362 - ETPRO MALWARE Win32/MetaStealer Related Activity (GET)
(malware.rules)
2851363 - ETPRO MALWARE Win32/MetaStealer Related Activity (POST)
(malware.rules)

[---] Disabled and modified rules: [---]

2019244 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE
Generic 1 (web_server.rules)
2019245 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE
Generic 2 (web_server.rules)
2019246 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE
Generic 3 (web_server.rules)
2019247 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE
Generic 4 (web_server.rules)
2019248 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE
Generic 5 (web_server.rules)
2019249 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE
Generic 6 (web_server.rules)
2019250 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE
Generic 7 (web_server.rules)
2019251 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE
Generic 8 (web_server.rules)
2019252 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE
Generic 9 (web_server.rules)
2019253 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE
Generic 10 (web_server.rules)
2019254 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE
Generic 11 (web_server.rules)
2019255 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE
Generic 12 (web_server.rules)
2808263 - ETPRO WEB_CLIENT Possible Adobe Flash CVE-2014-0536
(web_client.rules)
2808301 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free
(CVE-2014-2801) (web_client.rules)
2808302 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free
(CVE-2014-2804) (web_client.rules)
2808757 - ETPRO WEB_CLIENT Possible Internet Explorer Remote Code
Execution (CVE-2014-4080) (web_client.rules)
2808758 - ETPRO WEB_CLIENT Possible Internet Explorer Remote Code
Execution (CVE-2014-4081) (web_client.rules)
2808759 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
(CVE-2014-4084) (web_client.rules)
2808762 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
(CVE-2014-4089) (web_client.rules)
2808764 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free
(CVE-2014-4094) (web_client.rules)

[---] Removed rules: [---]

2028609 - ET MALWARE Magecart CnC Domain Observed in DNS Query
(malware.rules)
2029058 - ET MALWARE Win32/Beapy CnC Domain in DNS Lookup (malware.rules)
2034072 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup
(malware.rules)
2034074 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup
(malware.rules)
2034075 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup
(malware.rules)
2037719 - ET MALWARE Bitter APT Domain in DNS Lookup (emshedulersvc .com)
(malware.rules)
2037720 - ET MALWARE Bitter APT Domain in DNS Lookup (diyefosterfeeds
.com) (malware.rules)
2038908 - ET MALWARE Gamaredon Payload Delivery Domain (heato .ru) in DNS
Lookup (malware.rules)
2038909 - ET MALWARE Gamaredon Payload Delivery Domain (motoristo .ru) in
DNS Lookup (malware.rules)
2819861 - ETPRO MALWARE MultiGrainPOS Checkin (malware.rules)
2819862 - ETPRO MALWARE MultiGrainPOS Checkin (malware.rules)
2820293 - ETPRO MALWARE Bolek/Kbot CnC DNS Lookup (knutesecos.com)
(malware.rules)
2824089 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup
(mobile_malware.rules)
2825179 - ETPRO MALWARE Carbanak PowerShell DNS TXT CnC Beacon 2
(malware.rules)
2826193 - ETPRO MALWARE ABUSE.CH TorrentLocker Payment Domain (flackbon .
tw) (malware.rules)
2828213 - ETPRO MALWARE Sage Domain (er29sl .com in DNS Lookup)
(malware.rules)
2828268 - ETPRO MALWARE Malicious Domain CStrike C2 (blockbitcoin .com)
in DNS Lookup (malware.rules)
2828928 - ETPRO MALWARE PowerRatankba DNS Lookup 8 (malware.rules)
2832214 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda CnC)
(malware.rules)
2835199 - ETPRO MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)
(malware.rules)
2835695 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC)
(malware.rules)
2839083 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC)
(malware.rules)
2839085 - ETPRO MALWARE Observed Malicious SSL Cert (SONE CnC)
(malware.rules)
2839796 - ETPRO MALWARE Observed Malicious SSL Cert (GRIFFON CnC)
(malware.rules)
2840391 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC)
2020-01-10 (malware.rules)
2840478 - ETPRO MALWARE Observed Malicious SSL Cert (Get2 CnC)
(malware.rules)
2841826 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC)
(malware.rules)
2842774 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC)
(malware.rules)
2843056 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC)
(malware.rules)
2843747 - ETPRO MALWARE Observed Taurus Stealer CnC Domain in TLS SNI
(malware.rules)
2844835 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID)
(malware.rules)
2845032 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (dns
.dns-over-https .com) (info.rules)
2845082 - ETPRO MOBILE_MALWARE Android/Hiddad.AJA DNS Lookup
(mobile_malware.rules)
2845593 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT)
(malware.rules)
2845610 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT)
(malware.rules)
2845681 - ETPRO MOBILE_MALWARE Android Spy Easyphonetrack TLS SNI
(mobile_malware.rules)
2847997 - ETPRO MALWARE Observed Glupteba CnC Domain in TLS SNI
(malware.rules)
2848268 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 25
(mobile_malware.rules)
2848596 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 77
(mobile_malware.rules)
2848598 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 79
(mobile_malware.rules)
2848601 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 82
(mobile_malware.rules)
2849065 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 128
(mobile_malware.rules)
2849140 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 140
(mobile_malware.rules)
2849204 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 152
(mobile_malware.rules)
2849419 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 172
(mobile_malware.rules)
2849631 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 178
(mobile_malware.rules)
2851715 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BWB CnC Domain in DNS
Lookup (mobile_malware.rules)
2851716 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BZV CnC Domain in DNS
Lookup (mobile_malware.rules)
2852643 - ETPRO MALWARE WinGo/Agent.IE Exfil (malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
