[***] Summary: [***]
512 new OPEN, 526 new PRO (512 + 14). Patchwork, Remcos, HTTP XOR’d Method, Others.
Thanks @CERT-FI, @Securelist
Please share issues, feedback, and requests at Feedback
[+++] Added rules: [+++]
Open:
2037963 - ET MALWARE Patchwork APT Related Activity M3 (POST) (malware.rules)
2037964 - ET MALWARE CosmicStrand Rootkit Related Domain in DNS Lookup (update .bokts .com) (malware.rules)
2037965 - ET HUNTING HTTP GET Request XOR Key 01 (hunting.rules)
2037966 - ET HUNTING HTTP GET Request XOR Key 02 (hunting.rules)
2037967 - ET HUNTING HTTP GET Request XOR Key 03 (hunting.rules)
— snip —
2038216 - ET HUNTING HTTP GET Request XOR Key fd (hunting.rules)
2038217 - ET HUNTING HTTP GET Request XOR Key fe (hunting.rules)
2038218 - ET HUNTING HTTP GET Request XOR Key ff (hunting.rules)
2038219 - ET HUNTING HTTP POST Request XOR Key 01 (hunting.rules)
2038220 - ET HUNTING HTTP POST Request XOR Key 02 (hunting.rules)
2038221 - ET HUNTING HTTP POST Request XOR Key 03 (hunting.rules)
— snip —
2038471 - ET HUNTING HTTP POST Request XOR Key fd (hunting.rules)
2038472 - ET HUNTING HTTP POST Request XOR Key fe (hunting.rules)
2038473 - ET HUNTING HTTP POST Request XOR Key ff (hunting.rules)
2038474 - ET HUNTING HTTP GET Request XOR e4 (hunting.rules)
Pro:
2852056 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-08-09 1) (coinminer.rules)
2852057 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-08-09 2) (coinminer.rules)
2852058 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-08-09 3) (coinminer.rules)
2852059 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-08-09 4) (coinminer.rules)
2852060 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-08-09 5) (coinminer.rules)
2852061 - ETPRO MALWARE Possible More_eggs Landing Page - Fake Resume/Profile Site (malware.rules)
2852062 - ETPRO MALWARE Win32/Remcos RAT Checkin 824 (malware.rules)
2852063 - ETPRO MALWARE Win32/Trojan-Dropper.MSIL.Sysn.gen CnC Exfil (malware.rules)
[///] Modified active rules: [///]
2018426 - ET MALWARE Netwire RAT Check-in (set) (malware.rules)
2023548 - ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE (exploit.rules)
2850022 - ETPRO JA3 Hash - Possible Ligolo Client/Golang Binary Client Connect (ja3.rules)
2850023 - ETPRO JA3 Hash - Possible Ligolo Server/Golang Binary Response (ja3.rules)
[---] Disabled rules: [---]
2034357 - ET MALWARE Observed Cobalt Strike Domain in TLS SNI (stackpatc-technologies .digital) (malware.rules)
2034391 - ET MALWARE Cobalt Strike Related CnC Domain in DNS Lookup (rackspare-technology .digital) (malware.rules)
2034393 - ET MALWARE Observed Cobalt Strike Domain (asureupdate .tech in TLS SNI) (malware.rules)
2034398 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akastat .app) (malware.rules)
2034399 - ET MALWARE Observed Malicious Cobalt Strike SSL Cert (cdnengine .biz) (malware.rules)
2034400 - ET MALWARE Observed Cobalt Strike Related Domain (azurestat .app in TLS SNI) (malware.rules)
2034401 - ET MALWARE Cobalt Strike Related CnC Domain in DNS Lookup (akamaclouds .tech) (malware.rules)
2034403 - ET MALWARE Observed Malicious Cobalt Strike SSL Cert (setupfastonline .com) (malware.rules)
2034404 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akamalupdate .site) (malware.rules)
2034405 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (c2 .hax .vg) (malware.rules)
2034406 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (azuresecure .tech) (malware.rules)
2034407 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (securesurvey .cloud) (malware.rules)
2034408 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akabox .tech) (malware.rules)
2034409 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (electronicwhosaleonline .com) (malware.rules)
2034462 - ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (awsmcafee .com) (malware.rules)
2034473 - ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (bg .knonwsec .com) (malware.rules)
2036960 - ET MALWARE Win32.Stealer CnC Domain in DNS Lookup (kealkun .16mb .com) (malware.rules)
2036961 - ET MALWARE Win32.Stealer CnC Domain in DNS Lookup (ping .otwalkun .16mb .com) (malware.rules)
[---] Removed rules: [---]
2852009 - ETPRO MOBILE_MALWARE Trojan-Clicker.AndroidOS.Simpo.c CnC Domain in DNS Lookup (mobile_malware.rules)
2852010 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.st CnC Domain in DNS Lookup (mobile_malware.rules)
2852011 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.st CnC Domain in DNS Lookup (mobile_malware.rules)
2852013 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.st CnC Domain in DNS Lookup (mobile_malware.rules)
2852014 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.st CnC Domain in DNS Lookup (mobile_malware.rules)
2852015 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.st CnC Domain in DNS Lookup (mobile_malware.rules)