[***] Summary: [***]

40 new OPEN, 72 new PRO (40 + 32) CVE-2021-21974, TA430/Andariel,
Patchwork APT BADNEWS, SocGholish, Mobile Malware, Wallet Connect Phish

Thanks @WithSecure, @NoahWolf, @ConnectWiseCRU

The Emerging Threats mailing list is migrating to Discourse. Please visit
us at https://community.emergingthreats.net/

We will announce the mailing list retirement date in the near future.

[+++] Added rules: [+++]

Open:

2044078 - ET INFO DYNAMIC_DNS Query to a *.disisleri .com Domain
(info.rules)
2044079 - ET INFO DYNAMIC_DNS HTTP Request to a *.disisleri .com Domain
(info.rules)
2044080 - ET INFO DYNAMIC_DNS Query to a *.nicolasi .com Domain
(info.rules)
2044081 - ET INFO DYNAMIC_DNS HTTP Request to a *.nicolasi .com Domain
(info.rules)
2044082 - ET INFO DYNAMIC_DNS Query to a *.xseller .com Domain
(info.rules)
2044083 - ET INFO DYNAMIC_DNS HTTP Request to a *.xseller .com Domain
(info.rules)
2044084 - ET INFO DYNAMIC_DNS Query to a *.tuquy .com Domain (info.rules)
2044085 - ET INFO DYNAMIC_DNS HTTP Request to a *.tuquy .com Domain
(info.rules)
2044086 - ET MALWARE TA430/Andariel ACRES Backdoor Activity (GET)
(malware.rules)
2044087 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (officenced .com) (info.rules)
2044088 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (prizemons .com) (info.rules)
2044089 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (mesharepoint .com) (info.rules)
2044090 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (prizewel .com) (info.rules)
2044091 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (sharesbyte .com) (info.rules)
2044092 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (sharession .com) (info.rules)
2044093 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (prizegives .com) (info.rules)
2044094 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (prizewings .com) (info.rules)
2044095 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (doctricant .com) (info.rules)
2044096 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (attemplate .com) (info.rules)
2044097 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (templatent .com) (info.rules)
2044098 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (sharepointle .com) (info.rules)
2044099 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (officences .com) (info.rules)
2044100 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (sharestion .com) (info.rules)
2044101 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (sharepointin .com) (info.rules)
2044102 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (officested .com) (info.rules)
2044103 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (mcsharepoint .com) (info.rules)
2044104 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (officence .com) (info.rules)
2044105 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (templatern .com) (info.rules)
2044106 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (sharepointen .com) (info.rules)
2044107 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (officentry .com) (info.rules)
2044108 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (templateau .com) (info.rules)
2044109 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (shareholds .com) (info.rules)
2044110 - ET INFO Microsoft Defender Attack Simulation Training Domain in
DNS Lookup (windocyte .com) (info.rules)
2044111 - ET MALWARE Patchwork APT BADNEWS Variant CnC Checkin M1
(malware.rules)
2044112 - ET MALWARE Patchwork APT BADNEWS Variant CnC Checkin M2
(malware.rules)
2044113 - ET MALWARE Patchwork APT BADNEWS CnC Domain (bingoplant .live)
in DNS Lookup (malware.rules)
2044114 - ET EXPLOIT VMWare ESXi 6.7.0 OpenSLP Remote Code Execution
Attempt - Directory Agent Advertisement Heap Overflow (CVE-2021-21974)
(exploit.rules)
2044115 - ET PHISHING Successful Wallet Connect Private Key Phish
2023-02-03 (phishing.rules)
2044116 - ET PHISHING Successful Wallet Connect Pass Phrase Phish
2023-02-03 (phishing.rules)
2044117 - ET PHISHING Successful Wallet Connect Key Store Phish
2023-02-03 (phishing.rules)

Pro:

2853301 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853302 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853303 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853304 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853305 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853306 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853307 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.l CnC
Domain in DNS Lookup (mobile_malware.rules)
2853308 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CMO CnC Domain in DNS
Lookup (mobile_malware.rules)
2853309 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.aay CnC Domain
in DNS Lookup (mobile_malware.rules)
2853310 - ETPRO MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Agent.aay
Domain in TLS SNI (mobile_malware.rules)
2853311 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Fakecalls.at CnC
Domain in DNS Lookup (mobile_malware.rules)
2853312 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Fakecalls.at CnC
Domain in DNS Lookup (mobile_malware.rules)
2853313 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Banker.a CnC
Domain in DNS Lookup (mobile_malware.rules)
2853314 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853315 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853316 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853317 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853318 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853319 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853320 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853321 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853322 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853323 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853324 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.bf CnC
Domain in DNS Lookup (mobile_malware.rules)
2853325 - ETPRO MOBILE_MALWARE Android.Spy.5254 Checkin
(mobile_malware.rules)
2853326 - ETPRO MOBILE_MALWARE Android.Spy.5254 Checkin 2
(mobile_malware.rules)
2853327 - ETPRO MOBILE_MALWARE Android.Spy.5254 Checkin 3
(mobile_malware.rules)
2853328 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.fc CnC
Domain in DNS Lookup (mobile_malware.rules)
2853329 - ETPRO MOBILE_MALWARE Trojan-Clicker.AndroidOS.Xafekopy.e CnC
Domain in DNS Lookup (mobile_malware.rules)
2853330 - ETPRO MOBILE_MALWARE Observed
Trojan-Clicker.AndroidOS.Xafekopy.e Domain in TLS SNI (mobile_malware.rules)
2853331 - ETPRO HUNTING Look-alike Domain Query (.rest) (hunting.rules)
2853332 - ETPRO HUNTING Look-alike Domain Query (.surf) (hunting.rules)

[+++] Enabled and modified rules: [+++]

2040144 - ET MALWARE SocGholish Domain in DNS Lookup (pastor .cntcog
.org) (malware.rules)
2043024 - ET MALWARE SocGholish Domain in DNS Lookup (people .fl2wealth
.com) (malware.rules)
2043159 - ET MALWARE SocGholish Domain in DNS Lookup (kinematics
.starmidwest .com) (malware.rules)
2043160 - ET MALWARE SocGholish Domain in DNS Lookup (passphrase
.singinganewsong .com) (malware.rules)
