Daily Ruleset Update Summary 2022/09/30

Summary:

15 new OPEN, 27 new PRO (15 + 12). Various Android mobile malware,
Lazarus, TA404/Zinc, Havoc Framework, and ProxyNotShell
(CVE-2022-41040, CVE-2022-41082).

Thanks @moodYmOnster8, @SentinelOne, @LukasStefanko, @GossiTheDog,
Microsoft MSRC, and Microsoft MSTIC

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

Added rules:

Open:

2039064 - ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.aam CnC Domain in DNS Lookup (mobile_malware.rules)
2039065 - ET EXPLOIT Microsoft Exchange Remote Code Execution Attempt (CVE-2022-41040, CVE-2022-41082) (exploit.rules)
2039066 - ET WEB_SERVER Antsword Related Webshell Activity (Inbound) (web_server.rules)
2039067 - ET INFO Anonymous File Sharing Service Domain in DNS Lookup (send .vis .ee) (info.rules)
2039068 - ET INFO Observed Anonymous File Sharing Service Domain (send .vis .ee in TLS SNI) (info.rules)
2039069 - ET PHISHING Interac (CA) Account Credential Phish Landing Page 2022-09-30 (phishing.rules)
2039070 - ET INFO 404 Response with Javascript Variable in Page (info.rules)
2039071 - ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (market .contradecapital .com) (malware.rules)
2039072 - ET MALWARE Observed Lazarus Domain (market .contradecapital .com in TLS SNI) (malware.rules)
2039073 - ET MALWARE Havoc Framework CnC Request (malware.rules)
2039074 - ET MALWARE Havoc Framework CnC Response (malware.rules)
2039075 - ET MALWARE TA404/Zinc Trojanized KiTTY CnC Checkin (malware.rules)
2039076 - ET MALWARE TA404/Zinc Trojanized muPDF/Subliminal CnC Checkin (malware.rules)
2039077 - ET MALWARE WP CharCode Inject (malware.rules)
2039078 - ET MALWARE SocGholish Domain in DNS Lookup (premiere .4tosocialbeginners .com) (malware.rules)

Pro:

2852460 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.ar CnC Domain in DNS Lookup (mobile_malware.rules)
2852461 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SpyNote.pac CnC Domain in DNS Lookup (mobile_malware.rules)
2852462 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.JYI DNS Lookup (mobile_malware.rules)
2852463 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CAF CnC Domain in DNS Lookup (mobile_malware.rules)
2852464 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.qi CnC Domain in DNS Lookup (mobile_malware.rules)
2852465 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SpyNote.ba CnC Domain in DNS Lookup (mobile_malware.rules)
2852466 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Bahamut.d CnC Domain in DNS Lookup (mobile_malware.rules)
2852467 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Lucbot.a CnC Domain in DNS Lookup (mobile_malware.rules)
2852468 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.TwMobo.m CnC Domain in DNS Lookup (mobile_malware.rules)
2852469 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-09-29 1) (coinminer.rules)
2852470 - ETPRO MALWARE Win32/Remcos RAT Checkin 839 (malware.rules)
2852471 - ETPRO MALWARE Go/Chaos Checkin Activity (malware.rules)

Modified active rules:

2036596 - ET EXPLOIT [Rapid7] Zyxel ZTP setWanPortSt mtu Parameter Exploit Attempt (CVE-2022-30525) (exploit.rules)
2038840 - ET MALWARE Brute Ratel Fake User-Agent (malware.rules)
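The summary above follows a fixed one-rule-per-line layout ("<sid> - <ET|ETPRO> <CATEGORY> <message> (<file>.rules)", with domains defanged by a space before each dot). The parser below is an added example, not Emerging Threats code, that turns such a summary into structured records so the claimed "15 new OPEN, 27 new PRO (15 + 12)" counts can be reconciled against the listed SIDs, EXPLOIT rules carrying CVE identifiers can be pulled out for priority review, and defanged domains can be refanged for blocklist comparison. The sample text is a constructed excerpt copied from the summary; the function and variable names are the example's own.

```python
"""Parse an Emerging Threats daily ruleset summary into structured records (added example)."""
import re
from collections import Counter

# Constructed sample in the same plain-text layout as the summary above
# (SIDs and messages copied from it; only a subset, to keep the block short).
SAMPLE = """\
Added rules:

Open:

2039065 - ET EXPLOIT Microsoft Exchange Remote Code Execution Attempt (CVE-2022-41040, CVE-2022-41082) (exploit.rules)
2039067 - ET INFO Anonymous File Sharing Service Domain in DNS Lookup (send .vis .ee) (info.rules)
2039072 - ET MALWARE Observed Lazarus Domain (market .contradecapital .com in TLS SNI) (malware.rules)

Pro:

2852470 - ETPRO MALWARE Win32/Remcos RAT Checkin 839 (malware.rules)

Modified active rules:

2036596 - ET EXPLOIT [Rapid7] Zyxel ZTP setWanPortSt mtu Parameter Exploit Attempt (CVE-2022-30525) (exploit.rules)
"""

# One rule per line: "<sid> - <ET|ETPRO> <CATEGORY> <message> (<file>.rules)"
RULE_LINE = re.compile(
    r"^(?P<sid>\d+) - (?P<ruleset>ET|ETPRO) (?P<category>[A-Z_]+) "
    r"(?P<msg>.+) \((?P<file>[a-z_]+\.rules)\)$"
)
CVE = re.compile(r"CVE-\d{4}-\d{4,}")
# ET defangs domains with a space before each dot, e.g. "market .contradecapital .com";
# match a parenthesised group that contains at least one such " ." sequence.
DEFANGED = re.compile(r"\(([^()]*?\s\.[^()]*)\)")


def refang(defanged):
    """'market .contradecapital .com in TLS SNI' -> 'market.contradecapital.com'."""
    return re.sub(r"\s+\.", ".", defanged).split()[0]


def parse_summary(text):
    """Return one dict per rule line, tagged with the section (added/modified) it sits in."""
    records = []
    action = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            head = line[:-1].lower()
            if head.startswith("added"):
                action = "added"
            elif head.startswith("modified"):
                action = "modified"
            continue  # "Open:" / "Pro:" add nothing: the ET/ETPRO column already says which
        m = RULE_LINE.match(line)
        if not m:
            continue  # summary prose, credits, feedback URL, etc.
        rec = m.groupdict()
        rec["sid"] = int(rec["sid"])
        rec["action"] = action
        rec["cves"] = CVE.findall(rec["msg"])
        rec["domains"] = [refang(d) for d in DEFANGED.findall(rec["msg"])]
        records.append(rec)
    return records


def summarize(records):
    """Counts to check against the 'N new OPEN, M new PRO' line at the top of a summary."""
    c = Counter((r["action"], r["ruleset"]) for r in records)
    return {
        "open_added": c[("added", "ET")],
        "pro_added": c[("added", "ETPRO")],
        "modified": sum(v for (a, _), v in c.items() if a == "modified"),
    }


def exploit_rules_with_cves(records):
    """SIDs in the EXPLOIT category whose message names a CVE: the first rules to review."""
    return [(r["sid"], r["cves"]) for r in records if r["category"] == "EXPLOIT" and r["cves"]]


if __name__ == "__main__":
    recs = parse_summary(SAMPLE)
    print(summarize(recs))
    for r in recs:
        print(r["sid"], r["action"], r["ruleset"], r["category"], r["cves"], r["domains"])
```

Run against the full summary text, `summarize()` should return open_added 15, pro_added 12 and modified 2, matching the header; a mismatch usually means a rule line was wrapped or truncated in transit and the regex skipped it, so diff the skipped lines before trusting the counts.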