Daily Ruleset Update Summary 2022/09/22

Summary:

28 new OPEN, 29 new PRO (28 + 1). CVE-2022-36804, TA444 Domains, SocGholish and Remcos.

Please share issues, feedback, and requests at Feedback

Added rules:

Open:

2038930 - ET EXPLOIT Atlassian Bitbucket CVE-2022-36804 Exploit Attempt (exploit.rules)
2038931 - ET HUNTING Windows Commands and Variables in DNS Reply (hunting.rules)
2038932 - ET CURRENT_EVENTS GitHub/CircleCI Themed Phishing Domain in DNS Lookup (circle-ci .com) (current_events.rules)
2038933 - ET CURRENT_EVENTS GitHub/CircleCI Themed Phishing Domain in DNS Lookup (emails-circleci .com) (current_events.rules)
2038934 - ET CURRENT_EVENTS GitHub/CircleCI Themed Phishing Domain in DNS Lookup (circle-cl .com) (current_events.rules)
2038935 - ET CURRENT_EVENTS GitHub/CircleCI Themed Phishing Domain in DNS Lookup (email-circleci .com) (current_events.rules)
2038936 - ET MALWARE Observed TA444 Domain (tptf .fund in TLS SNI) (malware.rules)
2038937 - ET MALWARE Observed TA444 Domain (docs .azurehosting .co in TLS SNI) (malware.rules)
2038938 - ET MALWARE Observed TA444 Domain (team .msteam .biz in TLS SNI) (malware.rules)
2038939 - ET MALWARE Observed TA444 Domain (share .anobaka .info in TLS SNI) (malware.rules)
2038940 - ET MALWARE Observed TA444 Domain (smbcgroup .us in TLS SNI) (malware.rules)
2038941 - ET MALWARE Observed TA444 Domain (perseus .bond in TLS SNI) (malware.rules)
2038942 - ET MALWARE Observed TA444 Domain (docuprivacy .com in TLS SNI) (malware.rules)
2038943 - ET MALWARE Observed TA444 Domain (privacysign .org in TLS SNI) (malware.rules)
2038944 - ET MALWARE Observed TA444 Domain (mizuhogroup .us in TLS SNI) (malware.rules)
2038945 - ET MALWARE Observed TA444 Domain (ms .onlineshares .cloud in TLS SNI) (malware.rules)
2038946 - ET MALWARE Observed TA444 Domain (tptf .cloud in TLS SNI) (malware.rules)
2038947 - ET MALWARE Win32/Cryptbot V2 Data Exfiltration Attempt (malware.rules)
2038948 - ET MALWARE SocGholish Domain in DNS Lookup (casting .faeryfox .com) (malware.rules)
2038949 - ET MALWARE SocGholish Domain in DNS Lookup (predator .foxscalesjewelry .com) (malware.rules)
2038950 - ET MALWARE SocGholish Domain in DNS Lookup (amplifier .myjesusloves .me) (malware.rules)
2038951 - ET MALWARE SocGholish Domain in DNS Lookup (loans .mistakenumberone .com) (malware.rules)
2038952 - ET MALWARE SocGholish Domain in DNS Lookup (restructuring .breatheinnew .life) (malware.rules)
2038953 - ET MALWARE SocGholish Domain in DNS Lookup (prompt .zonashoppers .academy) (malware.rules)
2038954 - ET MALWARE SocGholish Domain in DNS Lookup (hair .2topost .com) (malware.rules)
2038955 - ET MALWARE SocGholish Domain in DNS Lookup (custom .usmuchmedia .com) (malware.rules)
2038956 - ET MALWARE SocGholish CnC Domain in DNS Lookup (moments .abledity .com) (malware.rules)
2038957 - ET MALWARE SocGholish Domain in DNS Lookup (notes .fumcpittsburg .org) (malware.rules)

Pro:

2852396 - ETPRO MALWARE Win32/Remcos RAT Checkin 838 (malware.rules)

Modified active rules:

2031251 - ET MALWARE Possible SombRAT Initial DNS Lookup (malware.rules)
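The domain-based rules above (SocGholish and phishing domains keyed on the DNS query name, TA444 domains keyed on the TLS SNI) are only seen by a sensor that has the new ruleset loaded. A practitioner usually also wants to retro-hunt the same indicators across logs collected before the update. The script below is an added example, not Emerging Threats or Proofpoint code: it pulls the defanged domains out of a handful of rule titles copied from this update, refangs them, and checks them against constructed Suricata EVE `dns` and `tls` records. The subdomain-or-exact matching is an assumption modelled on the dotprefix/endswith pattern ET commonly uses for DNS-lookup rules, so `www.circle-ci.com` hits while `notcircle-ci.com` does not. The log lines are made up for the example.

```python
"""Retro-hunt domains named in an ET daily update against Suricata EVE logs.
Added example for this page; not ET/Proofpoint code. Rule titles are copied
from the update above; the EVE records are constructed for the demo."""
import json
import re

# A subset of rule titles from this update, defanged with " ." as on the page.
RULE_TITLES = [
    "ET MALWARE Observed TA444 Domain (tptf .fund in TLS SNI)",
    "ET MALWARE Observed TA444 Domain (docs .azurehosting .co in TLS SNI)",
    "ET MALWARE SocGholish Domain in DNS Lookup (casting .faeryfox .com)",
    "ET MALWARE SocGholish CnC Domain in DNS Lookup (moments .abledity .com)",
    "ET CURRENT_EVENTS GitHub/CircleCI Themed Phishing Domain in DNS Lookup (circle-ci .com)",
]

# "<msg> (<defanged domain>[ in TLS SNI])"
TITLE_RE = re.compile(r"^(?P<msg>.*?) \((?P<domain>[^()]+?)(?: in TLS SNI)?\)$")


def refang(defanged: str) -> str:
    """Turn 'docs .azurehosting .co' back into 'docs.azurehosting.co'."""
    return defanged.replace(" .", ".").strip().lower()


def parse_titles(titles):
    """Map refanged domain -> (rule message, EVE event_type the rule keys on)."""
    indicators = {}
    for title in titles:
        m = TITLE_RE.match(title)
        if not m:
            continue  # not a domain-style title; skip rather than guess
        event_type = "tls" if "in TLS SNI" in title else "dns"
        indicators[refang(m.group("domain"))] = (m.group("msg"), event_type)
    return indicators


def name_matches(name: str, indicator: str) -> bool:
    """Exact match or subdomain of the indicator (assumed dotprefix/endswith semantics).
    The leading '.' is what keeps 'notcircle-ci.com' from matching 'circle-ci.com'."""
    name = name.rstrip(".").lower()
    return name == indicator or name.endswith("." + indicator)


def hunt(indicators, eve_lines):
    """Return (rule message, observed name, event_type, timestamp) for each EVE record hit.
    dns records are checked on dns.rrname, tls records on tls.sni; other event types are ignored."""
    hits = []
    for line in eve_lines:
        rec = json.loads(line)
        etype = rec.get("event_type")
        if etype == "dns":
            name = rec.get("dns", {}).get("rrname", "")
        elif etype == "tls":
            name = rec.get("tls", {}).get("sni", "")
        else:
            continue
        for indicator, (msg, wanted_type) in indicators.items():
            if etype == wanted_type and name_matches(name, indicator):
                hits.append((msg, name, etype, rec.get("timestamp")))
    return hits


# Constructed EVE JSON lines (not real traffic): three should hit, four should not.
EVE_SAMPLE = [
    '{"timestamp":"2022-09-22T10:01:02.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"query","rrname":"casting.faeryfox.com","rrtype":"A"}}',
    '{"timestamp":"2022-09-22T10:01:05.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"query","rrname":"www.circle-ci.com","rrtype":"A"}}',
    '{"timestamp":"2022-09-22T10:02:00.000000+0000","event_type":"tls","src_ip":"10.0.0.9","tls":{"sni":"docs.azurehosting.co","version":"TLS 1.2"}}',
    '{"timestamp":"2022-09-22T10:03:00.000000+0000","event_type":"dns","src_ip":"10.0.0.9","dns":{"type":"query","rrname":"faeryfox.com","rrtype":"A"}}',
    '{"timestamp":"2022-09-22T10:03:30.000000+0000","event_type":"dns","src_ip":"10.0.0.9","dns":{"type":"query","rrname":"notcircle-ci.com","rrtype":"A"}}',
    '{"timestamp":"2022-09-22T10:04:00.000000+0000","event_type":"tls","src_ip":"10.0.0.9","tls":{"sni":"tptf.fund.example.net"}}',
    '{"timestamp":"2022-09-22T10:05:00.000000+0000","event_type":"flow","src_ip":"10.0.0.9"}',
]


if __name__ == "__main__":
    for msg, name, etype, ts in hunt(parse_titles(RULE_TITLES), EVE_SAMPLE):
        print(f"{ts} {etype:<3} {name:<28} {msg}")
```

The parent domain `faeryfox.com` deliberately does not hit: the rule is written for the specific SocGholish subdomain, and the apex may be a legitimate compromised site. Extend `RULE_TITLES` with the remaining titles from the update to hunt the full set.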