Summary:
30 new OPEN, 37 new PRO (30 + 7). CVE-2022-41352, CVE-2022-30333, Remcos, Various APT, Various Phish.
Thanks @ankit_anubhav, @An0x90, @ThingzEye, @ESETresearch, @Unit42_Intel, @Jup1a
Please share issues, feedback, and requests at Feedback
Added rules:
Open:
2039141 - ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M1 (exploit.rules)
2039142 - ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M2 (exploit.rules)
2039143 - ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M4 (exploit.rules)
2039144 - ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M3 (exploit.rules)
2039145 - ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M6 (exploit.rules)
2039146 - ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M5 (exploit.rules)
2039147 - ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M7 (exploit.rules)
2039148 - ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M8 (exploit.rules)
2039149 - ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-30333) M1 (exploit.rules)
2039150 - ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-30333) M2 (exploit.rules)
2039151 - ET MALWARE Polonium APT CREEPYSNAIL Backdoor Related Activity (GET) (malware.rules)
2039152 - ET MALWARE Polonium APT PAPACREEP Backdoor Related Activity (malware.rules)
2039153 - ET MALWARE Arid Viper APT Related Domain in DNS Lookup (zakaria-chotzen .info) (malware.rules)
2039154 - ET MALWARE Observed Arid Viper APT Related Domain (zakaria-chotzen .info in TLS SNI) (malware.rules)
2039155 - ET CURRENT_EVENTS Observed DNS Query to Ficosha Phishing Domain 2022-10-11 (46c7829bbb3b4907a075841dd98a883d .v1 .radwarecloud .net) (current_events.rules)
2039156 - ET MALWARE HTML/Qbot Dropper (.zip) (malware.rules)
2039157 - ET MALWARE Observed DNS Query to Cobalt Strike Domain 2022-10-11 (pigahinilu .com) (malware.rules)
2039158 - ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot) (malware.rules)
2039159 - ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot) (malware.rules)
2039160 - ET PHISHING Generic Credential Phish Landing Page M1 2022-10-11 (phishing.rules)
2039161 - ET PHISHING Successful Generic Credential Phish 2022-10-11 (phishing.rules)
2039162 - ET PHISHING Successful Generic Credential Phish 2022-10-11 (phishing.rules)
2039163 - ET PHISHING Generic Credential Phish Landing Page M2 2022-10-11 (phishing.rules)
2039164 - ET PHISHING Generic Credential Phish Landing Page M1 2022-10-11 (phishing.rules)
2039165 - ET PHISHING Successful Generic Credential Phish 2022-10-11 (phishing.rules)
2039166 - ET PHISHING Generic Successful Phish 2022-10-11 (phishing.rules)
2039167 - ET PHISHING Successful Navy Federal Phish 2022-10-11 (phishing.rules)
2039168 - ET PHISHING Successful Trust Wallet Phish 2022-10-11 (phishing.rules)
2039169 - ET MALWARE SocGholish CnC Domain in DNS Lookup (demand .sageyogatherapies .com) (malware.rules)
2039170 - ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot) (malware.rules)
Pro:
2852532 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-10-11 1) (coinminer.rules)
2852533 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-10-11 2) (coinminer.rules)
2852534 - ETPRO MALWARE Win32/Remcos RAT Checkin 842 (malware.rules)
2852535 - ETPRO MALWARE Win32/Remcos RAT Checkin 843 (malware.rules)
2852536 - ETPRO MALWARE Win32/Remcos RAT Checkin 844 (malware.rules)
2852537 - ETPRO PHISHING Successful Banco Itau Credential Phish 2022-10-10 (set) (phishing.rules)
2852538 - ETPRO PHISHING Successful Banco Itau Credential Phish 2022-10-10 (phishing.rules)
Modified active rules:
2022639 - ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v2 (malware.rules)
2026520 - ET USER_AGENTS Suspicious User-Agent (Windows 8) (user_agents.rules)
2038702 - ET USER_AGENTS Suspicious User-Agent (RestoroMainExe) (user_agents.rules)
2826930 - ETPRO COINMINER XMR CoinMiner Usage (coinminer.rules)
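A changelog like the one above is only useful if the SIDs it lists actually landed, enabled, in the ruleset a sensor loads. The script below is an added example (not Proofpoint/Emerging Threats tooling): it parses this daily-summary format into open, pro and modified groups, parses a suricata-update style merged rules file (disabled rules are written as `# alert ...`), and reports which new SIDs are missing, which are present but disabled, and the local revision of each modified SID so it can be compared after the next update. Both inputs are constructed excerpts embedded inline: the changelog lines are copied from this page, the rule bodies are placeholders that keep only the `msg`, `sid` and `rev` fields.

```python
import re

# Constructed excerpt of the changelog above (SIDs and messages as listed on this page).
CHANGELOG = """Added rules:
Open:
2039141 - ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M1 (exploit.rules)
2039151 - ET MALWARE Polonium APT CREEPYSNAIL Backdoor Related Activity (GET) (malware.rules)
Pro:
2852534 - ETPRO MALWARE Win32/Remcos RAT Checkin 842 (malware.rules)
Modified active rules:
2022639 - ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v2 (malware.rules)
2026520 - ET USER_AGENTS Suspicious User-Agent (Windows 8) (user_agents.rules)
"""

# Constructed sample of a merged ruleset as suricata-update writes it.
# Rule bodies are placeholders; a leading "# " marks a disabled rule.
RULESET = """alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M1"; flow:established,to_server; sid:2039141; rev:1;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Polonium APT CREEPYSNAIL Backdoor Related Activity (GET)"; sid:2039151; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v2"; sid:2022639; rev:3;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Windows 8)"; sid:2026520; rev:2;)
"""

ENTRY_RE = re.compile(r"^(?P<sid>\d+) - (?P<msg>.+?) \((?P<file>[\w.-]+\.rules)\)\s*$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev:\s*(\d+)\s*;")
ACTIONS = ("alert", "drop", "pass", "reject")


def parse_changelog(text):
    """Return {'open': {sid: (msg, file)}, 'pro': {...}, 'modified': {...}}."""
    groups = {"open": {}, "pro": {}, "modified": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("modified"):
            current = "modified"
        elif low.startswith("open:"):
            current = "open"
        elif low.startswith("pro:"):
            current = "pro"
        m = ENTRY_RE.match(line)
        if m and current:
            groups[current][int(m["sid"])] = (m["msg"], m["file"])
    return groups


def summary_counts(groups):
    """(new open, new pro-only, total new pro) as the summary line reports them."""
    n_open, n_pro = len(groups["open"]), len(groups["pro"])
    return n_open, n_pro, n_open + n_pro


def parse_ruleset(text):
    """Return {sid: (rev, enabled)} from a suricata-update style rules file."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        if not body.startswith(ACTIONS):
            continue  # an ordinary comment, not a disabled rule
        sid = SID_RE.search(body)
        if not sid:
            continue
        rev = REV_RE.search(body)
        rules[int(sid.group(1))] = (int(rev.group(1)) if rev else 0, enabled)
    return rules


def audit(groups, rules):
    """Classify every changelog SID against what the sensor actually loaded."""
    report = {"missing": [], "disabled": [], "active": [], "modified_rev": {}}
    for section in ("open", "pro"):
        for sid in sorted(groups[section]):
            if sid not in rules:
                report["missing"].append(sid)
            elif not rules[sid][1]:
                report["disabled"].append(sid)
            else:
                report["active"].append(sid)
    for sid in sorted(groups["modified"]):
        # The changelog gives no rev; record the local one to compare after the next pull.
        report["modified_rev"][sid] = rules[sid][0] if sid in rules else None
    return report


if __name__ == "__main__":
    groups = parse_changelog(CHANGELOG)
    print("new open / pro-only / total pro:", summary_counts(groups))
    for key, value in audit(groups, parse_ruleset(RULESET)).items():
        print(f"{key}: {value}")
```

Run over the full list on this page, `summary_counts` gives 30, 7 and 37, matching the summary line. A missing ETPRO SID is expected on a sensor without a PRO subscription; a missing ET SID, or one present but disabled, is what to chase. Replace `CHANGELOG` and `RULESET` with the day's summary and the sensor's merged rules file to use it for real.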