Summary:
15 new OPEN, 15 new PRO (15 + 0). APT28/FancyBear, CVE-2022-3184, DownWare, Metador and dYdX DNS sigs.
Thanks @h2jazi, @DuskRiseInc, @MBThreatIntel, @SentinelOne, @BleepinComputer, @maciejmensfeld and @Claroty
Please share issues, feedback, and requests at Feedback
Added rules:
Open:
2038958 - ET MALWARE APT28/FancyBear Related Activity (POST) (malware.rules)
2038959 - ET ATTACK_RESPONSE MalDoc/Generik.ILNMZZB Payload Inbound (attack_response.rules)
2038960 - ET ATTACK_RESPONSE JS/Spy.Banker.LD Credit Card Skimmer Inbound (attack_response.rules)
2038961 - ET PHISHING Generic Credential Phish Landing Page 2022-09-23 (phishing.rules)
2038962 - ET PHISHING Successful Credential Phish M1 2022-09-23 (phishing.rules)
2038963 - ET PHISHING Successful Credential Phish M2 2022-09-23 (phishing.rules)
2038964 - ET PHISHING Successful Credential Phish M3 2022-09-23 (phishing.rules)
2038965 - ET EXPLOIT Dataprobe iBoot-PDU Pre-Auth Remote Code Execution Attempt via git-update.php (CVE-2022-3184) M1 (exploit.rules)
2038966 - ET EXPLOIT Dataprobe iBoot-PDU Pre-Auth Remote Code Execution Attempt via git-update.php (CVE-2022-3184) M2 (exploit.rules)
2038967 - ET INFO SSH-2.0-Go version string Observed in Network Traffic - Inbound (info.rules)
2038968 - ET INFO SSH-2.0-Go version string Observed in Network Traffic - Outbound (info.rules)
2038969 - ET ADWARE_PUP Win32/DownWare.G Installer Request (adware_pup.rules)
2038970 - ET MALWARE Metador CnC Domain (networkselfhelp .com) in DNS Lookup (malware.rules)
2038971 - ET MALWARE dYdX NPM Package Backdoor Exfiltration Domain (api .circle-cdn .com) in DNS Lookup (malware.rules)
2038972 - ET MALWARE SocGholish Domain in DNS Lookup (malware.rules)
Modified active rules:
2037716 - ET MALWARE Win32/TrojanDownloader.AutoHK.MT CnC Checkin (malware.rules)
2038930 - ET EXPLOIT Atlassian Bitbucket CVE-2022-36804 Exploit Attempt (exploit.rules)
2814068 - ETPRO MALWARE XCodeGhost Beacon (malware.rules)