[***] Summary: [***]

8 new OPEN, 18 new PRO (8 + 10)

Thanks @Thingzeye

The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Due to US holidays, rule updates and releases for the remainder of the
week may be lighter than usual. Full releases will continue from Monday
(28th) next week.

[+++] Added rules: [+++]

Open:

2039832 - ET USER_AGENTS Observed Malicious VBS Related UA (user_agents.rules)
2039833 - ET EXPLOIT D-Link Related Command Injection Attempt Inbound (CVE-2013-7471) (exploit.rules)
2039834 - ET MALWARE Win32/Gh0st RAT Variant CnC Checkin response (malware.rules)
2039835 - ET PHISHING Successful Credit Agricole Credential Phish 2022-11-23 (phishing.rules)
2039836 - ET PHISHING Successful BT GROUP Credential Phish 2022-11-23 (phishing.rules)
2039837 - ET PHISHING WalletConnect Stealer Landing Page 2022-11-23 (phishing.rules)
2039838 - ET MALWARE SocGholish Domain in DNS Lookup (hook .adieh .com) (malware.rules)
2039839 - ET MALWARE SocGholish Domain in DNS Lookup (subscribe .3gbling .com) (malware.rules)

Pro:

2852848 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-11-21 1) (coinminer.rules)
2852849 - ETPRO MALWARE Win32/XWorm CnC Command (rec) (malware.rules)
2852850 - ETPRO MALWARE Win32/XWorm CnC Command (CLOSE) (malware.rules)
2852851 - ETPRO MALWARE Win32/XWorm CnC Command (uninstall) (malware.rules)
2852852 - ETPRO MALWARE Win32/XWorm CnC Command (getinfo) M1 (malware.rules)
2852853 - ETPRO MALWARE Win32/XWorm CnC Command (getinfo) M2 (malware.rules)
2852854 - ETPRO MALWARE Win32/XWorm CnC Command (openhide) (malware.rules)
2852855 - ETPRO MALWARE Win32/XWorm CnC Command (shellfuc) (malware.rules)
2852856 - ETPRO MALWARE TA406 FatBoy CnC POST Request (malware.rules)
2852857 - ETPRO MALWARE TA406 FatBoy CnC GET Request (malware.rules)

[///] Modified active rules: [///]

2039825 - ET MALWARE Observed TA444 Domain (sharedrive .ink in TLS SNI) (malware.rules)
2039826 - ET MALWARE Observed TA444 Domain (dnx .capital in TLS SNI) (malware.rules)
2852487 - ETPRO MALWARE Win32/XWorm CnC Command (PING?) (malware.rules)
2852488 - ETPRO MALWARE Win32/XWorm CnC Command (PING!) (malware.rules)
2852499 - ETPRO MALWARE Win32/XWorm CnC Command (RD-) (malware.rules)
2852500 - ETPRO MALWARE Win32/XWorm CnC Command (RD+) (malware.rules)

[---] Disabled and modified rules: [---]

2019256 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13 (web_server.rules)
2019257 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14 (web_server.rules)
2019258 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15 (web_server.rules)
2019259 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16 (web_server.rules)
2019260 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17 (web_server.rules)
2019261 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18 (web_server.rules)
2019262 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19 (web_server.rules)
2019263 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20 (web_server.rules)
2019264 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21 (web_server.rules)
2019265 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22 (web_server.rules)
2019266 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23 (web_server.rules)
2019267 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24 (web_server.rules)
2019268 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25 (web_server.rules)
2019269 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26 (web_server.rules)
2019270 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27 (web_server.rules)
2019271 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28 (web_server.rules)
2019272 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29 (web_server.rules)
2019273 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30 (web_server.rules)
2019415 - ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack (policy.rules)
2019416 - ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack (policy.rules)
2039752 - ET MALWARE SocGholish CnC Domain in DNS Lookup (campaign .tworiversboat .com) (malware.rules)
2808987 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4126 (web_client.rules)
2808990 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4129 (web_client.rules)
2808996 - ETPRO WEB_CLIENT Internet Explorer 11 Sandbox Escapes vulnerable ActiveX control in executable (CVE-2014-4123) (web_client.rules)
2809000 - ETPRO WEB_CLIENT Possible Internet Explorer Memory Corruption Vulnerability CVE-2014-4141 (web_client.rules)
2809143 - ETPRO WEB_CLIENT Possible Internet Explorer CSecurityContext Use-After-Free CVE-2014-4143 (web_client.rules)
2809144 - ETPRO WEB_CLIENT Possible Internet Explorer IE_AudioSrv_SandboxEscape (CVE-2014-6322) (web_client.rules)

[---] Removed rules: [---]

2019369 - ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M2 (exploit_kit.rules)
2019370 - ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M3 (exploit_kit.rules)
2019372 - ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M2 (exploit_kit.rules)
2019374 - ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-3897 M1 (exploit_kit.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team