[***] Summary: [***]

14 new OPEN, 20 new PRO (14 + 6)

Thanks @narimanGharib, @Thingzeye

The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Open:

2039818 - ET HUNTING Redirect Link in TikTok URL (hunting.rules)
2039819 - ET MALWARE TA453 Domain in DNS Lookup (washingtonlnstitute .org) (malware.rules)
2039820 - ET MALWARE Observed TA453 Domain (washingtonlnstitute .org in TLS SNI) (malware.rules)
2039821 - ET PHISHING Generic Credential Phish Landing Page 2022-11-22 (phishing.rules)
2039822 - ET PHISHING Ulpian Credential Phish Landing Page 2022-11-22 (phishing.rules)
2039823 - ET MALWARE TA444 Domain in DNS Lookup (sharedrive .ink) (malware.rules)
2039824 - ET MALWARE TA444 Domain in DNS Lookup (dnx .capital) (malware.rules)
2039825 - ET MALWARE Observed TA453 Domain (sharedrive .ink in TLS SNI) (malware.rules)
2039826 - ET MALWARE Observed TA453 Domain (dnx .capital in TLS SNI) (malware.rules)
2039827 - ET PHISHING Successful Generic Credential OTP Phish 2022-11-22 (phishing.rules)
2039828 - ET PHISHING Successful Generic Credential Phish 2022-11-22 (phishing.rules)
2039829 - ET MOBILE_MALWARE Android/ShartBot CNC Domain (cdopea .store) in DNS Lookup (mobile_malware.rules)
2039830 - ET MALWARE SocGholish Domain in DNS Lookup (dashboard .skybacherslocker .com) (malware.rules)
2039831 - ET MALWARE SocGholish Domain in DNS Lookup (montage .travelguidediva .com) (malware.rules)

Pro:

2852842 - ETPRO MALWARE Win32/Spy.Delf Variant Sending System Information (POST) (malware.rules)
2852843 - ETPRO PHISHING Successful Generic Phish 2022-11-22 (phishing.rules)
2852844 - ETPRO PHISHING Successful National Bank of Canada Phish 2022-11-22 (phishing.rules)
2852845 - ETPRO MALWARE DonotGroup Kaspov Related UA (malware.rules)
2852846 - ETPRO MALWARE DonotGroup Kaspov Related UA (malware.rules)
2852847 - ETPRO MALWARE XWorm Short C&C Request (flowbit set) (malware.rules)

[///] Modified active rules: [///]

2007727 - ET P2P Possible Torrent Download via HTTP Request (p2p.rules)
2022842 - ET MALWARE ProjectSauron Remsec/HTTPBrowser/Pisloader Covert DNS CnC Channel TXT Lookup (malware.rules)
2024731 - ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (securityupdated) (malware.rules)
2026546 - ET MALWARE MICROPSIA CnC Domain Observed in SNI (samwinchester .club) (malware.rules)
2027312 - ET MALWARE AridViper CnC Domain in SNI (malware.rules)
2033822 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (ywbgrcrupasdiqxknwgceatlnbvmezti .com) (malware.rules)
2033823 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (yhgrffndvzbtoilmundkmvbaxrjtqsew .com) (malware.rules)
2033824 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (wcmbqxzeuopnvyfmhkstaretfciywdrl .name) (malware.rules)
2033825 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (ruciplbrxwjscyhtapvlfskoqqgnxevw .name) (malware.rules)
2033828 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (pdjwebrfgdyzljmwtxcoyomapxtzchvn .com) (malware.rules)
2033829 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (nfcomizsdseqiomzqrxwvtprxbljkpgd .name) (malware.rules)
2809606 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 1 (malware.rules)
2809607 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 2 (malware.rules)
2809608 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 3 (malware.rules)
2823895 - ETPRO MALWARE Chthonic TCP Domain Lookup 11 (malware.rules)
2823947 - ETPRO MALWARE Chthonic TCP Domain Lookup 12 (malware.rules)
2824072 - ETPRO MALWARE Chthonic TCP Domain Lookup 03 (malware.rules)
2824077 - ETPRO MALWARE Chthonic TCP Domain Lookup 08 (malware.rules)
2824078 - ETPRO MALWARE Chthonic TCP Domain Lookup 09 (malware.rules)
2824079 - ETPRO MALWARE Chthonic TCP Domain Lookup 10 (malware.rules)
2828182 - ETPRO MALWARE DNSMessenger/FreeMilk Payload DNS Query (malware.rules)
2831092 - ETPRO MALWARE Ursnif Inject Domain (oncofonderot .top in TLS SNI) (malware.rules)
2852499 - ETPRO MALWARE Win32/XWorm CnC Command (RD-) (malware.rules)

[---] Removed rules: [---]

2023022 - ET MALWARE ProjectSauron Remsec DNS Lookup (myhomemusic. com) (malware.rules)
2027628 - ET MALWARE APT33 CnC Domain in DNS Lookup (malware.rules)
2031408 - ET MALWARE Observed AridViper CnC Domain in TLS SNI (malware.rules)
2034067 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
2034068 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
2034069 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
2034070 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
2034071 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
2034073 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
2034123 - ET MALWARE Observed Elysium Stealer Domain in TLS SNI (phonefix .bar) (malware.rules)
2824070 - ETPRO MALWARE Chthonic TCP Domain Lookup 01 (malware.rules)
2824071 - ETPRO MALWARE Chthonic TCP Domain Lookup 02 (malware.rules)
2828235 - ETPRO MALWARE DNSMessenger CnC Beacon via DNS (malware.rules)
2833828 - ETPRO MALWARE STOLENPENCIL CnC Domain in DNS Lookup (malware.rules)
2834076 - ETPRO MALWARE Observed DNS Query for Ursnif Domain (malware.rules)
2839443 - ETPRO MALWARE Observed DNS Query to Known Queu Downloader Sub Domain (malware.rules)
2844155 - ETPRO MALWARE Observed MythBot CnC Domain in TLS SNI (malware.rules)
2846747 - ETPRO MOBILE_MALWARE Android/Obfus.RJ (TLS SNI) 78 (mobile_malware.rules)
2848442 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 40 (mobile_malware.rules)
2848498 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 61 (mobile_malware.rules)
2848947 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 111 (mobile_malware.rules)
2849027 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 123 (mobile_malware.rules)
2849150 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 149 (mobile_malware.rules)
2849205 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 153 (mobile_malware.rules)
2849894 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 186 (mobile_malware.rules)
2852791 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Jocker.ei CnC Domain in DNS Lookup (mobile_malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team