[***] Summary: [***]
36 new OPEN, 48 new PRO (36 + 12) CVE-2022-47966, DNS over HTTPS, RustDesk, BatLoader, Playful Taurus, Kimsuky, and many more.
Thanks @ahnlab, @TrendMicro, @unit42_intel
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
[+++] Added rules: [+++]
Open:
2043335 - ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M1 (CVE-2022-47966) (exploit.rules)
2043336 - ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M2 (CVE-2022-47966) (exploit.rules)
2043337 - ET INFO Request for EXE via Powershell (info.rules)
2043338 - ET INFO Observed DNS Over HTTPS Domain in TLS SNI (dns2 .dns-ga .de) (info.rules)
2043339 - ET INFO Observed DNS Over HTTPS Domain in TLS SNI (nebula .sly .io) (info.rules)
2043340 - ET INFO Observed DNS Over HTTPS Domain in TLS SNI (dns .rotunneling .net) (info.rules)
2043341 - ET INFO Observed DNS Over HTTPS Domain in TLS SNI (secure .avastdns .com) (info.rules)
2043342 - ET INFO Observed DNS Over HTTPS Domain in TLS SNI (lindung .pp .ua) (info.rules)
2043343 - ET INFO RustDesk Domain in DNS Lookup (info.rules)
2043344 - ET MALWARE BatLoader CnC Domain (grammarlycheck2 .com) in DNS Lookup (malware.rules)
2043345 - ET MALWARE BatLoader CnC Domain (updatea1 .com) in DNS Lookup (malware.rules)
2043346 - ET MALWARE BatLoader CnC Domain (updateclientssoftware .com) in DNS Lookup (malware.rules)
2043347 - ET MALWARE BatLoader CnC Domain (t1pixel .com) in DNS Lookup (malware.rules)
2043348 - ET MALWARE BatLoader CnC Domain (24xpixeladvertising .com) in DNS Lookup (malware.rules)
2043349 - ET MALWARE BatLoader CnC Domain (clodtechnology .com) in DNS Lookup (malware.rules)
2043350 - ET MALWARE BatLoader CnC Domain (updatecloudservice1 .com) in DNS Lookup (malware.rules)
2043351 - ET MALWARE BatLoader CnC Domain (externalchecksso .com) in DNS Lookup (malware.rules)
2043352 - ET MALWARE BatLoader CnC Domain (cloudupdatesss .com) in DNS Lookup (malware.rules)
2043353 - ET MALWARE Observed BatLoader Domain (grammarlycheck2 .com) in TLS SNI (malware.rules)
2043354 - ET MALWARE Observed BatLoader Domain (updatea1 .com) in TLS SNI (malware.rules)
2043355 - ET MALWARE Observed BatLoader Domain (updateclientssoftware .com) in TLS SNI (malware.rules)
2043356 - ET MALWARE Observed BatLoader Domain (t1pixel .com) in TLS SNI (malware.rules)
2043357 - ET MALWARE Observed BatLoader Domain (24xpixeladvertising .com) in TLS SNI (malware.rules)
2043358 - ET MALWARE Observed BatLoader Domain (clodtechnology .com) in TLS SNI (malware.rules)
2043359 - ET MALWARE Observed BatLoader Domain (updatecloudservice1 .com) in TLS SNI (malware.rules)
2043360 - ET MALWARE Observed BatLoader Domain (externalchecksso .com) in TLS SNI (malware.rules)
2043361 - ET MALWARE Observed BatLoader Domain (cloudupdatesss .com) in TLS SNI (malware.rules)
2043362 - ET MALWARE Playful Taurus Malicious SSL Certificate Observed (malware.rules)
2043363 - ET MALWARE Playful Taurus CnC Domain (vpnkerio .com) in DNS Lookup (malware.rules)
2043364 - ET MALWARE Playful Taurus Observe malicious SSL Cert (self-signed www .netgate .com) (malware.rules)
2043365 - ET MALWARE Playful Taurus CnC Domain (scm .oracleapps .org) in DNS Lookup (malware.rules)
2043366 - ET MALWARE Playful Taurus CnC Domain (update .adboeonline .net) in DNS Lookup (malware.rules)
2043367 - ET MALWARE Playful Taurus CnC Domain (mail .indiarailways .net) in DNS Lookup (malware.rules)
2043368 - ET MALWARE Playful Taurus CnC Domain (update .delldrivers .in) in DNS Lookup (malware.rules)
2043369 - ET MALWARE Kimsuky Related CnC (malware.rules)
2043370 - ET MALWARE Kimsuky CnC Domain (lifehelper .kr) in DNS Lookup (malware.rules)
Pro:
2853060 - ETPRO HUNTING Possible PowerShell Inbound - Casing Anomaly (Replace) M1 (hunting.rules)
2853061 - ETPRO HUNTING Possible PowerShell Inbound - Casing Anomaly (Replace) M2 (hunting.rules)
2853062 - ETPRO HUNTING Possible PowerShell Inbound - Casing Anomaly (StringChar) M1 (hunting.rules)
2853063 - ETPRO HUNTING Possible PowerShell Inbound - Char Concat Obfuscation (hunting.rules)
2853064 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-01-19 1) (coinminer.rules)
2853066 - ETPRO MALWARE UltimateLoader Domain in DNS Lookup (malware.rules)
2853067 - ETPRO MALWARE UltimateLoader Payload Response (malware.rules)
2853068 - ETPRO MALWARE UltimateLoader Payload Response (malware.rules)
2853069 - ETPRO MALWARE Win32/Remcos RAT Checkin 859 (malware.rules)
2853070 - ETPRO MALWARE Win32/Remcos RAT Checkin 860 (malware.rules)
2853071 - ETPRO MALWARE UltimateLoader Payload Request (malware.rules)
2853072 - ETPRO MALWARE PS1Loader Exfil (malware.rules)
[///] Modified active rules: [///]
2035087 - ET INFO Gophish X-Server (info.rules)
2043308 - ET MALWARE Win32/Emotet CnC Activity M12 (POST) (malware.rules)
2845553 - ETPRO PHISHING Suspected GoPhish Phishing Landing M1 (phishing.rules)
2852950 - ETPRO PHISHING Suspected GoPhish Phishing Landing M2 (phishing.rules)
[---] Disabled and modified rules: [---]
2018147 - ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322 (web_client.rules)
2018308 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 2 (exploit.rules)
2018309 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 3 (exploit.rules)
2018310 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 4 (exploit.rules)
2018311 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 5 (exploit.rules)
2018312 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 6 (exploit.rules)
2018314 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 1 (exploit.rules)
2018559 - ET EXPLOIT SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195 (exploit.rules)
2018561 - ET EXPLOIT SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195 (exploit.rules)
2019181 - ET MOBILE_MALWARE Possible Android CVE-2014-6041 (mobile_malware.rules)
2019418 - ET EXPLOIT SSL excessive fatal alerts (possible POODLE attack against server) (exploit.rules)
2019420 - ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download (web_client.rules)
2019897 - ET EXPLOIT Possible PYKEK Priv Esc in-use (exploit.rules)
2020067 - ET EXPLOIT Possible CVE-2014-6332 Arrays with Offset Dec 23 (exploit.rules)
2039427 - ET MALWARE SocGholish Domain in DNS Lookup (festival .robingaster .com) (malware.rules)
2042953 - ET MALWARE SocGholish Domain in DNS Lookup (fittingroom .gibbsjewelry .com) (malware.rules)
2042954 - ET MALWARE SocGholish Domain in DNS Lookup (deposit .coveprice .com) (malware.rules)
2042955 - ET MALWARE SocGholish Domain in DNS Lookup (brooklands .harteverything .com) (malware.rules)
2807512 - ETPRO WEB_CLIENT PDF use after free (CVE-2014-0496) 2 (web_client.rules)
2807640 - ETPRO WEB_CLIENT Microsoft XML Core Services 3.0 same-origin policy bypass (CVE-2014-0266) (web_client.rules)
2807641 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0270) (web_client.rules)
2807643 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0273) (web_client.rules)
2807645 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0275) (web_client.rules)
2807652 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0279) (web_client.rules)
2807653 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0281) (web_client.rules)
2807802 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0299) (web_client.rules)
2809255 - ETPRO EXPLOIT SChannel Possible Heap Overflow CVE-2014-6321 SSLv3 (exploit.rules)
2809256 - ETPRO EXPLOIT SChannel Possible Heap Overflow CVE-2014-6321 TLSv1.0 (exploit.rules)
2809258 - ETPRO EXPLOIT SChannel Possible Heap Overflow CVE-2014-6321 TLSv1.2 (exploit.rules)
2809299 - ETPRO WEB_CLIENT Internet Explorer Use After Free CVE-2014-6329 M1 (web_client.rules)
2809300 - ETPRO WEB_CLIENT Internet Explorer Use After Free CVE-2014-6329 M2 (web_client.rules)
2809301 - ETPRO WEB_CLIENT Internet Explorer Use After Free CVE-2014-6329 M3 (web_client.rules)
2809302 - ETPRO WEB_CLIENT Possible Internet Explorerer Use After Free CVE-2014-6330 (web_client.rules)
2809304 - ETPRO WEB_CLIENT Microsoft Rich Text File Use-After-Free cve-2014-6357 (web_client.rules)
2809305 - ETPRO WEB_CLIENT Microsoft Excel corrupted OfficeArtBstoreContainer record download cve-2014-6360 (web_client.rules)
2809306 - ETPRO WEB_CLIENT Microsoft Excel corrupted incorrect type assumed BiffRecord download cve-2014-6361 - SET (web_client.rules)
2809307 - ETPRO WEB_CLIENT Microsoft Excel corrupted incorrect type assumed BiffRecord download cve-2014-6361 (web_client.rules)
2809308 - ETPRO WEB_CLIENT VBScript Use-After-Free CVE-2014-6363 (web_client.rules)
2809310 - ETPRO WEB_CLIENT Possible Internet Explorer Use After Free CVE-2014-6366 (web_client.rules)
2809311 - ETPRO WEB_CLIENT Possible Internet Explorer Use After Free CVE-2014-6369 (web_client.rules)
2809312 - ETPRO WEB_CLIENT IE Incorrect Object Type CVE-2014-6373 (web_client.rules)
2809380 - ETPRO EXPLOIT Possible CVE-2014-6324 Priv escalation attempt (exploit.rules)
[---] Removed rules: [---]
2018179 - ET EXPLOIT Obfuscation Technique Used in CVE-2014-0322 Attacks (exploit.rules)
2019773 - ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 1 (Observed in Archie EK) (exploit_kit.rules)
2019774 - ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 2 (Observed in Archie EK) (exploit_kit.rules)
2019778 - ET EXPLOIT DLSw Information Disclosure CVE-2014-7992 (exploit.rules)
2019792 - ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct URLENCODE (exploit.rules)
2019793 - ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEX (exploit.rules)
2019794 - ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXC (exploit.rules)
2019795 - ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXCS (exploit.rules)
2019796 - ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECC (exploit.rules)
2019797 - ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECCS (exploit.rules)
2019806 - ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct (Reversed) (exploit.rules)