[***] Summary: [***]

0 new OPEN, 27 new PRO (0 + 27)

The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Pro:

2852858 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CKR CnC Domain in DNS Lookup (mobile_malware.rules)
2852859 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.e CnC Domain in DNS Lookup (mobile_malware.rules)
2852860 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.e CnC Domain in DNS Lookup (mobile_malware.rules)
2852861 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.e CnC Domain in DNS Lookup (mobile_malware.rules)
2852862 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.aac Checkin (mobile_malware.rules)
2852863 - ETPRO MOBILE_MALWARE Observed Android/Agent.EAT Domain in TLS SNI (mobile_malware.rules)
2852864 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CKR CnC Domain in DNS Lookup (mobile_malware.rules)
2852865 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.e CnC Domain in DNS Lookup (mobile_malware.rules)
2852866 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BSA Checkin (mobile_malware.rules)
2852867 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Xhunter.a CnC Domain in DNS Lookup (mobile_malware.rules)
2852868 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.a CnC Domain in DNS Lookup (mobile_malware.rules)
2852869 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CKR CnC Domain in DNS Lookup (mobile_malware.rules)
2852870 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (malware.rules)
2852871 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M1 (malware.rules)
2852872 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M1 (malware.rules)
2852873 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 (malware.rules)
2852874 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 (malware.rules)
2852875 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M3 (malware.rules)
2852876 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M3 (malware.rules)
2852877 - ETPRO MALWARE Observed Malicious SSL/TLS Certificate (LunarReborn C2) (malware.rules)
2852878 - ETPRO MALWARE LunarReborn CnC Checkin (malware.rules)
2852879 - ETPRO EXPLOIT Possible Encoded Stored XSS Delivered via SMTP Filename Observed M1 (exploit.rules)
2852880 - ETPRO EXPLOIT Possible Encoded Stored XSS Delivered via SMTP Filename Observed M2 (exploit.rules)
2852881 - ETPRO EXPLOIT Possible Encoded Stored XSS Delivered via SMTP Filename Observed M3 (exploit.rules)
2852882 - ETPRO EXPLOIT Possible Encoded Stored XSS Delivered via SMTP Filename Observed M4 (exploit.rules)
2852883 - ETPRO EXPLOIT Possible Encoded Stored XSS Delivered via SMTP Filename Observed M5 (exploit.rules)
2852884 - ETPRO EXPLOIT Possible Encoded Stored XSS Delivered via SMTP Filename Observed M6 (exploit.rules)

[///] Modified active rules: [///]

2852710 - ETPRO MOBILE_MALWARE Android/Simplocker.B Checkin 2 (mobile_malware.rules)

[---] Removed rules: [---]

2852487 - ETPRO MALWARE Win32/XWorm CnC Command (PING?) (malware.rules)
2852488 - ETPRO MALWARE Win32/XWorm CnC Command (PING!) (malware.rules)
2852489 - ETPRO MALWARE Win32/XWorm CnC Command (DDosS) (malware.rules)
2852490 - ETPRO MALWARE Win32/XWorm CnC Command (DDosT) (malware.rules)
2852491 - ETPRO MALWARE Win32/XWorm CnC Command (Cilpper) (malware.rules)
2852492 - ETPRO MALWARE Win32/XWorm CnC Command (hidefolderfile) (malware.rules)
2852493 - ETPRO MALWARE Win32/XWorm CnC Command (showfolderfile) (malware.rules)
2852494 - ETPRO MALWARE Win32/XWorm CnC Command (creatnewfolder) (malware.rules)
2852495 - ETPRO MALWARE Win32/XWorm CnC Command (creatfile) (malware.rules)
2852496 - ETPRO MALWARE Win32/XWorm CnC Command (downloadfile) (malware.rules)
2852497 - ETPRO MALWARE Win32/XWorm CnC Command (sendfileto) (malware.rules)
2852498 - ETPRO MALWARE Win32/XWorm CnC Command (DW) (malware.rules)
2852499 - ETPRO MALWARE Win32/XWorm CnC Command (RD-) (malware.rules)
2852500 - ETPRO MALWARE Win32/XWorm CnC Command (RD+) (malware.rules)
2852501 - ETPRO MALWARE Win32/XWorm CnC Command (###) (malware.rules)
2852502 - ETPRO MALWARE Win32/XWorm CnC Command ($$$) (malware.rules)
2852503 - ETPRO MALWARE Win32/XWorm CnC Command (^^^g) (malware.rules)
2852504 - ETPRO MALWARE Win32/XWorm CnC Command (ENC) (malware.rules)
2852505 - ETPRO MALWARE Win32/XWorm CnC Command (HVNC) (malware.rules)
2852847 - ETPRO MALWARE XWorm Short C&C Request (flowbit set) (malware.rules)
2852849 - ETPRO MALWARE Win32/XWorm CnC Command (rec) (malware.rules)
2852850 - ETPRO MALWARE Win32/XWorm CnC Command (CLOSE) (malware.rules)
2852851 - ETPRO MALWARE Win32/XWorm CnC Command (uninstall) (malware.rules)
2852852 - ETPRO MALWARE Win32/XWorm CnC Command (getinfo) M1 (malware.rules)
2852853 - ETPRO MALWARE Win32/XWorm CnC Command (getinfo) M2 (malware.rules)
2852854 - ETPRO MALWARE Win32/XWorm CnC Command (openhide) (malware.rules)
2852855 - ETPRO MALWARE Win32/XWorm CnC Command (shellfuc) (malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team