Summary:
3 new OPEN, 7 new PRO (3 + 4) CoinMiner, SocGholish, Win32/StartPage.NOC, OneDrive Phish, Python Library Backdoor Domain
Also, an out-of-band SocGholish rule was published earlier today, see link for more details:
https://twitter.com/threatinsight/status/1587866753983389696
Please share issues, feedback, and requests at Feedback
Added rules:
Open:
2039621 - ET INFO OpenSea API Query NFT Discovery Details (GET) (info.rules)
2039622 - ET MALWARE Python Library Backdoor Domain (wasp .plague .fun) in DNS Lookup (malware.rules)
2039623 - ET MALWARE SocGholish Domain in DNS Lookup (podcasts .momsgrabcoffee .com) (malware.rules)
Pro:
2852767 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-11-01 1) (coinminer.rules)
2852768 - ETPRO MALWARE Win32/StartPage.NOC CnC Activity (malware.rules)
2852769 - ETPRO PHISHING Microsoft OneDrive Phishing Domain (mycourier .email) in DNS Lookup (phishing.rules)
2852770 - ETPRO PHISHING Observed Microsoft OneDrive Phishing Domain (mycourier .email) in TLS SNI (phishing.rules)
Modified active rules:
2852487 - ETPRO MALWARE Win32/XWorm CnC Command (PING?) (malware.rules)
2852488 - ETPRO MALWARE Win32/XWorm CnC Command (PING!) (malware.rules)
2852489 - ETPRO MALWARE Win32/XWorm CnC Command (DDosS) (malware.rules)
2852490 - ETPRO MALWARE Win32/XWorm CnC Command (DDosT) (malware.rules)
2852491 - ETPRO MALWARE Win32/XWorm CnC Command (Cilpper) (malware.rules)
2852492 - ETPRO MALWARE Win32/XWorm CnC Command (hidefolderfile) (malware.rules)
2852493 - ETPRO MALWARE Win32/XWorm CnC Command (showfolderfile) (malware.rules)
2852494 - ETPRO MALWARE Win32/XWorm CnC Command (creatnewfolder) (malware.rules)
2852495 - ETPRO MALWARE Win32/XWorm CnC Command (creatfile) (malware.rules)
2852496 - ETPRO MALWARE Win32/XWorm CnC Command (downloadfile) (malware.rules)
2852497 - ETPRO MALWARE Win32/XWorm CnC Command (sendfileto) (malware.rules)
2852498 - ETPRO MALWARE Win32/XWorm CnC Command (DW) (malware.rules)
2852499 - ETPRO MALWARE Win32/XWorm CnC Command (RD-) (malware.rules)
2852500 - ETPRO MALWARE Win32/XWorm CnC Command (RD+) (malware.rules)
2852501 - ETPRO MALWARE Win32/XWorm CnC Command (###) (malware.rules)
2852502 - ETPRO MALWARE Win32/XWorm CnC Command ($$$) (malware.rules)
2852503 - ETPRO MALWARE Win32/XWorm CnC Command (^^^g) (malware.rules)
2852504 - ETPRO MALWARE Win32/XWorm CnC Command (ENC) (malware.rules)
2852505 - ETPRO MALWARE Win32/XWorm CnC Command (HVNC) (malware.rules)
2852707 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SpyNote.ap Checkin 2 (mobile_malware.rules)