Daily Ruleset Update Summary 2022/09/28

Summary:

26 new OPEN, 27 new PRO (26 + 1). LazyScripter, Win32/Sephus, SocGholish, and TA569

Thanks @malware_traffic @malwrhunterteam

Please share issues, feedback, and requests at Feedback

Added rules:

Open:

2039011 - ET MALWARE LazyScripter APT Related Domain in DNS Lookup (hpsj .firewall-gateway .net) (malware.rules)
2039012 - ET MALWARE LazyScripter APT Related Activity (GET) (malware.rules)
2039013 - ET MALWARE Lazyscripter APT Related Activity (Inbound) (malware.rules)
2039014 - ET MALWARE Win32/Sephus Related Domain in DNS Lookup (sephus .me) (malware.rules)
2039015 - ET MALWARE Win32/Sephus Related Activity (GET) (malware.rules)
2039016 - ET MALWARE Win32/Sephus Related Activity (POST) (malware.rules)
2039017 - ET PHISHING Successful TA398/Sidewinder APT Related Phish 2022-09-28 (phishing.rules)
2039018 - ET MALWARE DNSBin Demo (requestbin .net) - Data Exfil M2 (malware.rules)
2039019 - ET MALWARE Win32/Variant.Babar.74963 CnC Exfil (malware.rules)
2039020 - ET PHISHING Generic Credential Theft Landing Page M1 2022-09-28 (phishing.rules)
2039021 - ET PHISHING Generic Credential Theft Landing Page M2 2022-09-28 (phishing.rules)
2039022 - ET MALWARE Win32/SaintStealer Data Exfiltration Attempt M2 (malware.rules)
2039023 - ET MALWARE Maldoc Domain (word2022 .c1 .biz) in DNS Lookup (malware.rules)
2039024 - ET MALWARE TigerHunter DOTM CnC Checkin (malware.rules)
2039025 - ET PHISHING Successful Generic Credential Phish (phishing.rules)
2039026 - ET MALWARE SocGholish Domain in DNS Lookup (soendorg .top) (malware.rules)
2039027 - ET MALWARE TA569 Domain in DNS Lookup (luxury-limousine .com) (malware.rules)
2039028 - ET MALWARE TA569 sczriptzzbn JavaScript Inject (malware.rules)
2039029 - ET MALWARE TA569 Fake Captcha Download (malware.rules)
2039030 - ET MALWARE TA569 Domain in DNS Lookup (skambio-porte .com) (malware.rules)
2039031 - ET MALWARE TA569 Fake Browser Update (malware.rules)
2039032 - ET MALWARE SocGholish Domain in DNS Lookup (training .c1ypsilanti .org) (malware.rules)
2039033 - ET MALWARE SocGholish Domain in DNS Lookup (engine .discoveryhypnosis .com) (malware.rules)
2039034 - ET MALWARE SocGholish Domain in DNS Lookup (fundraising .mystylingmylife .xyz) (malware.rules)
2039035 - ET MALWARE SocGholish Domain in DNS Lookup (resale .adkelly .com) (malware.rules)
2039036 - ET MALWARE SocGholish Domain in DNS Lookup (auction .wonderwomanquilts .com) (malware.rules)

Pro:

2852451 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-09-28 1) (coinminer.rules)

Modified active rules:

2034940 - ET MALWARE Powershell Octopus Backdoor Activity (GET) (malware.rules)
2036590 - ET MALWARE Win32/Throwback CnC Activity (POST) (malware.rules)
2840017 - ETPRO MALWARE Powershell.WC/Octopus Backdoor CnC Initial Checkin (malware.rules)
2840018 - ETPRO MALWARE Powershell.WC/Octopus Backdoor CnC - Heartbeat (malware.rules)
2850024 - ETPRO MALWARE Powershell.WC Octopus Backdoor Sending Windows Information M2 (POST) (malware.rules)

Modified inactive rules:

2850333 - ETPRO MALWARE Powershell.WC Octopus Backdoor Activity (View) (malware.rules)

Removed rules:

2852450 - ETPRO MALWARE Fake Browser Update (malware.rules)
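The summaries above follow a fixed shape (section header, then one "SID - msg (file.rules)" line per rule, with indicator domains defanged as "soendorg .top"), which makes them easy to turn into something a SOC can act on the same day: a list of SIDs to confirm loaded, modified or removed, and a refanged domain list to hunt in DNS logs before the sensors catch up. The script below is an added example, not part of the ET summary or any Proofpoint tooling. It assumes the summary text is in exactly the format shown on this page, that indicators are defanged with a space before each dot, and that DNS logs are Suricata eve.json lines with a `dns.rrname` field; the summary excerpt and the DNS events embedded in it are constructed for the example.

```python
"""Parse an ET daily ruleset update summary, refang the domains it carries,
and hunt for them in Suricata eve.json DNS events.

Added example, not ET or Proofpoint code. Assumes the summary format shown
on the page and space-before-dot defanging ("soendorg .top").
"""
import json
import re
from dataclasses import dataclass

# Section headers exactly as the summary prints them (tolerates stray "**").
SECTION_RE = re.compile(
    r"^\**\s*(Added rules|Modified active rules|Modified inactive rules|Removed rules):\s*\**$"
)
RULE_START_RE = re.compile(r"^\d+\s+-\s+")
# "2039026 - ET MALWARE SocGholish Domain in DNS Lookup (soendorg .top) (malware.rules)"
RULE_RE = re.compile(r"^(\d+)\s+-\s+(.*?)\s*\(([\w-]+\.rules)\)$")
# A defanged domain in parentheses: labels separated by " ." (at least one dot).
DOMAIN_RE = re.compile(r"\(([A-Za-z0-9-]+(?: \.[A-Za-z0-9-]+)+)\)")


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    file: str
    section: str
    tier: str  # "open" for "ET ..." messages, "pro" for "ETPRO ..." messages


def refang(domain: str) -> str:
    """Turn "soendorg .top" back into "soendorg.top"."""
    return domain.replace(" .", ".")


def parse_summary(text: str) -> list[Rule]:
    """Return one Rule per SID line, tagged with the section it appeared under."""
    rules: list[Rule] = []
    section = "unknown"
    pending = ""  # a rule line that was wrapped before its "(file.rules)" suffix
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, pending = m.group(1), ""
            continue
        if pending:  # glue the continuation onto the wrapped rule line
            line, pending = pending + " " + line, ""
        if not RULE_START_RE.match(line):
            continue  # title, credits, "Open:"/"Pro:" sub-headings
        m = RULE_RE.match(line)
        if not m:
            pending = line  # suffix must be on the next line
            continue
        sid, msg, fname = int(m.group(1)), m.group(2), m.group(3)
        tier = "pro" if msg.startswith("ETPRO ") else "open"
        rules.append(Rule(sid, msg, fname, section, tier))
    return rules


def domain_indicators(rules: list[Rule]) -> dict[str, int]:
    """Map every refanged domain found in a rule message to its SID."""
    return {refang(d): r.sid for r in rules for d in DOMAIN_RE.findall(r.msg)}


def hunt_dns(eve_lines: list[str], indicators: dict[str, int]) -> list[tuple[str, int]]:
    """(rrname, sid) for DNS events whose query name is an indicator or a subdomain of one.

    Matching subdomains is a hunting choice; it is broader than the ET rule itself.
    """
    hits: list[tuple[str, int]] = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "dns":
            continue
        name = ev.get("dns", {}).get("rrname", "").rstrip(".").lower()
        for dom, sid in indicators.items():
            if name == dom or name.endswith("." + dom):
                hits.append((name, sid))
    return hits


# Constructed excerpt of the summary above (including its one wrapped Pro line).
SAMPLE_SUMMARY = """\
Added rules:

Open:

2039015 - ET MALWARE Win32/Sephus Related Activity (GET) (malware.rules)
2039018 - ET MALWARE DNSBin Demo (requestbin .net) - Data Exfil M2 (malware.rules)
2039023 - ET MALWARE Maldoc Domain (word2022 .c1 .biz) in DNS Lookup (malware.rules)
2039026 - ET MALWARE SocGholish Domain in DNS Lookup (soendorg .top) (malware.rules)
2039027 - ET MALWARE TA569 Domain in DNS Lookup (luxury-limousine .com) (malware.rules)

Pro:

2852451 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-09-28 1) (coinminer.rules)

Modified active rules:

2034940 - ET MALWARE Powershell Octopus Backdoor Activity (GET) (malware.rules)

Removed rules:

2852450 - ETPRO MALWARE Fake Browser Update (malware.rules)
"""

# Constructed Suricata eve.json DNS events, not captured traffic.
SAMPLE_EVE = [
    '{"event_type":"dns","dns":{"type":"query","rrname":"soendorg.top"}}',
    '{"event_type":"dns","dns":{"type":"query","rrname":"www.luxury-limousine.com."}}',
    '{"event_type":"dns","dns":{"type":"query","rrname":"example.org"}}',
    '{"event_type":"http","http":{"hostname":"soendorg.top"}}',
]

if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    for r in parsed:
        print(f"{r.section:24} {r.tier:4} {r.sid} {r.file}")
    iocs = domain_indicators(parsed)
    print("indicators:", iocs)
    print("hits:", hunt_dns(SAMPLE_EVE, iocs))
```

The section tag is the part worth keeping: SIDs under "Removed rules" should no longer appear in the loaded ruleset after the update, SIDs under "Modified active rules" need a rule reload to take effect, and the refanged domains from the "Domain in DNS Lookup" entries can be pushed to a DNS blocklist or run against passive DNS for the window before the new rules went live.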