List: emerging-sigs
Subject: [Emerging-Sigs] Daily Ruleset Update Summary 2022/04/29
From: James Emery-Callcott <jcallcott () emergingthreats ! net>
Date: 2022-04-29 21:17:22
Message-ID: CAMAH=ZiFXx7Ty99GFaS=r7KhWvjB6SrFcPMsWnaCRNiz30P2OQ () mail ! gmail ! com
[***] Summary: [***]
14 new OPEN, 20 new PRO (14 + 6). Nerbian RAT, Win32/AveMaria, CYY, Others.
Thanks @InQuest
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2036414 - ET MALWARE DDoS Win32/Nitol.A Checkin (malware.rules)
2036415 - ET MALWARE Win32.ServStart.D Checkin (malware.rules)
2036416 - ET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954) (exploit.rules)
2036417 - ET MALWARE Nobelium APT Related Activity (GET) (malware.rules)
2036418 - ET MALWARE China Based APT Related Domain in DNS Lookup (p1 .offline-microsoft .com) (malware.rules)
2036419 - ET MALWARE China Based APT Related Domain in DNS Lookup (portal .super-encrypt .com) (malware.rules)
2036420 - ET INFO URL Shortening Service Domain in DNS Lookup (gg-l .xyz) (info.rules)
2036421 - ET INFO Observed URL Shortening Service Domain (gg-l .xyz in TLS SNI) (info.rules)
2036422 - ET INFO Observed Abused Redirect Service SSL Cert (svc .dynamics .com) (info.rules)
2036423 - ET INFO Observed File Sharing Domain (www .cloudme .com in TLS SNI) (info.rules)
2036424 - ET INFO File Retrieved from File Sharing Site (cloudme .com) (info.rules)
2036425 - ET MOBILE_MALWARE Android/FakeWallet.D Activity (GET) (mobile_malware.rules)
2036426 - ET MALWARE Nerbian RAT CnC Checkin (malware.rules)
2036427 - ET MALWARE Nerbian RAT Data Exfiltration (malware.rules)
Pro:
2851545 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-29 1) (coinminer.rules)
2851546 - ETPRO MALWARE Win32/TrojanDownloader.Agent.PXV Checkin (malware.rules)
2851547 - ETPRO ADWARE_PUP CYY iMsg+ Checkin (adware_pup.rules)
2851548 - ETPRO MALWARE Win32/AveMaria CnC Exfil M1 (malware.rules)
2851549 - ETPRO MALWARE Win32/AveMaria CnC Exfil M2 (malware.rules)
2851550 - ETPRO MALWARE Win32/MetaStealer/TinyFluff Fake Avast AV Update (GET) (malware.rules)
[///] Modified active rules: [///]
2035696 - ET MALWARE Win32/WindowsDefender Bypass Download Request (malware.rules)
2036269 - ET ADWARE_PUP Win/Malware.Filetour Variant Checkin (adware_pup.rules)
2036303 - ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check (hunting.rules)
2036362 - ET PHISHING Successful IRS Credential Phish 2022-04-25 (phishing.rules)
2036379 - ET PHISHING Successful Microsoft Account Credential Phish 2022-04-26 (phishing.rules)
2036392 - ET EXPLOIT [ConnectWise CRU] Java ECDSA (Psychic) Signed JWT Bypass (CVE-2022-21449) (exploit.rules)
2851362 - ETPRO MALWARE Win32/MetaStealer/TinyFluff Related Activity (GET) (malware.rules)
2851363 - ETPRO MALWARE Win32/MetaStealer/TinyFluff Related Activity (POST) (malware.rules)
2851539 - ETPRO PHISHING Landbank Credential Phish Landing Page M2 2022-04-28 (phishing.rules)
2851540 - ETPRO PHISHING Landbank Credential Phish Landing Page M4 2022-04-28 (phishing.rules)
2851541 - ETPRO PHISHING Landbank Credential Phish Landing Page M6 2022-04-28 (phishing.rules)
2851543 - ETPRO PHISHING Successful Landbank Credential Phish M2 2022-04-28 (phishing.rules)
2851544 - ETPRO PHISHING Successful Landbank Credential Phish M3 2022-04-28 (phishing.rules)
[---] Removed rules: [---]
2023317 - ET EXPLOIT BIND9 msg->reserved Assertion DoS Packet Inbound (CVE-2016-2776) (exploit.rules)
2816642 - ETPRO MALWARE Win32.ServStart.D Checkin (malware.rules)
2829522 - ETPRO MALWARE DDoS Win32/Nitol.A Checkin (malware.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net