[***] Summary: [***]

16 new OPEN, 25 new PRO (16 + 9) TA444, SugarCRM Exploits, IcedID,
AsyncRAT and various Phishing/Coinminers.

Thanks @Intrinsec, @ASEC_Analysis, @malwareforme

The Emerging Threats mailing list is migrating to Discourse. Please
visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Open:

2043272 - ET EXPLOIT SugarCRM Auth Bypass Attempt 2022-12-31 (exploit.rules)
2043273 - ET EXPLOIT SugarCRM PHP Shell Upload Attempt (exploit.rules)
2043274 - ET INFO Observed certreq User-Agent (NDES client) (info.rules)
2043275 - ET MALWARE Observed IcedID Domain in DNS Lookup (spkdeutshnewsupp .com) (malware.rules)
2043276 - ET MALWARE Observed IcedID Domain in DNS Lookup (bayernbadabum .com) (malware.rules)
2043277 - ET MALWARE Win32/Nitol.A CnC Checkin M3 (malware.rules)
2043278 - ET MALWARE Observed DNS Query to TA444/Lazarus Domain (concrecapital .com) (malware.rules)
2043279 - ET MALWARE TA444 Related Domain (updatezone .org) in DNS Lookup (malware.rules)
2043280 - ET MALWARE TA444 Related Domain (autoprotect .com .de) in DNS Lookup (malware.rules)
2043281 - ET MALWARE TA444 Related Domain (autoprotect .gb .net) in DNS Lookup (malware.rules)
2043282 - ET MALWARE TA444 Related Domain (azure-security .online) in DNS Lookup (malware.rules)
2043283 - ET MALWARE TA444 Related Domain (azure-security .site) in DNS Lookup (malware.rules)
2043284 - ET MALWARE TA444 Related Domain (hoststudio .org) in DNS Lookup (malware.rules)
2043285 - ET MALWARE TA444 Related Domain (thecloudnet .org) in DNS Lookup (malware.rules)
2043286 - ET PHISHING Manhattan College Phish Landing Page 2022-01-10 (phishing.rules)
2043287 - ET PHISHING Successful Manhattan College Credential Phish 2022-01-10 (phishing.rules)

Pro:

2853029 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-01-11 1) (coinminer.rules)
2853030 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-01-10 2) (coinminer.rules)
2853031 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-01-10 3) (coinminer.rules)
2853032 - ETPRO HUNTING HTTP POST with PHP Code Header in PNG file - Inbound (hunting.rules)
2853033 - ETPRO MALWARE Win32/AsyncRAT CnC Request (GET) (malware.rules)
2853034 - ETPRO MALWARE Observed DNS Query to AsyncRAT Domain (malware.rules)
2853035 - ETPRO MALWARE Observed DNS Query to AsyncRAT Domain (malware.rules)
2853036 - ETPRO PHISHING Security Awareness Campaign Domain in DNS Lookup (phishing.rules)
2853037 - ETPRO PHISHING Security Awareness Campaign Domain in DNS Lookup (phishing.rules)

[///] Modified active rules: [///]

2026921 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (ctT2J) in DNS TXT Response (attack_response.rules)

[///] Modified inactive rules: [///]

2026921 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (ctT2J) in DNS TXT Response (attack_response.rules)