Daily Ruleset Update Summary 2022/09/12

Summary:

12 new OPEN, 19 new PRO (12 + 7).
SideCopy APT, Various File Sharing, Powershell/PowHeartBeat, Remcos RAT and Mobile/Android.

Thanks @entdark_, @MalGamy12, @ESET, @TalosSecurity, @sans_isc and @bofheaded


Added rules:

Open:

  • 2038795 - ET MALWARE MSIL/TrojanDownloader.Agent.ITY Screenshot Upload Attempt (malware.rules)
  • 2038798 - ET MALWARE Sidecopy APT Related Backdoor Activity (malware.rules)
  • 2038799 - ET INFO Abused File Sharing Site Domain Observed (qaz .im) in DNS Lookup (info.rules)
  • 2038800 - ET INFO Abused File Sharing Site Domain Observed (qaz .su) in DNS Lookup (info.rules)
  • 2038801 - ET INFO Abused File Sharing Site Domain Observed (qaz .su) in TLS SNI (info.rules)
  • 2038802 - ET INFO Abused File Sharing Site Domain Observed (qaz .im) in TLS SNI (info.rules)
  • 2038803 - ET MALWARE PowerShell/PowHeartBeat CnC Domain (central.suhypercloud .org) in DNS Lookup (malware.rules)
  • 2038804 - ET MALWARE PowerShell/PowHeartBeat CnC Domain (airplane.travel-commercials .agency) in DNS Lookup (malware.rules)
  • 2038805 - ET INFO Observed DNS Query to Pastebin-style Service (justpaste .it) (info.rules)
  • 2038806 - ET INFO Observed Pastebin-style Service Domain (justpaste.it) in TLS SNI (info.rules)
  • 2038807 - ET MOBILE_MALWARE Android/Zanubis CnC Domain (fullcircleteam .com) in DNS Lookup (mobile_malware.rules)
  • 2038808 - ET MALWARE Win32/TrojanDownloader.VB.RTN Payload Delivery Request (malware.rules)

Pro:

  • 2852360 - ETPRO MALWARE Win32/Remcos RAT Checkin 833 (malware.rules)
  • 2852361 - ETPRO MALWARE Win32/Remcos RAT Checkin 834 (malware.rules)
  • 2852362 - ETPRO MALWARE Script/Unknown CnC Activity (malware.rules)
  • 2852363 - ETPRO MALWARE Observed DNS Query to Suspicious Domain (threatactor .lol) (malware.rules)
  • 2852364 - ETPRO MALWARE Observed DNS Query to Suspicious Domain (apt29 .lol) (malware.rules)

Modified active rules:

  • 2851826 - ETPRO MALWARE Arkei/Vidar Stealer Variant - Telegram Mirror Checkin (malware.rules)

Removed rules:

  • 2038795 - ET ADWARE_PUP MSIL/TrojanDownloader.Agent.ITY Screenshot Upload Attempt (adware_pup.rules)