Daily Ruleset Update Summary 2022/11/03

Summary:

59 new OPEN, 61 new PRO (59 + 2)

Emotet, Ursnif, CoinMiner, Win32/FlyStudio.OJJ

Thanks @Mandiant @Thingzeye

Please share issues, feedback, and requests at Feedback

Added rules:

Open:

2039624 - ET MALWARE Emotet Style Request Activity (GET) (malware.rules)
2039625 - ET MALWARE Observed DNS Query to Ursnif Domain (lionnik .xyz) (malware.rules)
2039626 - ET MALWARE Observed DNS Query to Ursnif Domain (fishenddog .xyz) (malware.rules)
2039627 - ET MALWARE Observed DNS Query to Ursnif Domain (astope .xyz) (malware.rules)
2039628 - ET MALWARE Observed DNS Query to Ursnif Domain (mamount .cyou) (malware.rules)
2039629 - ET MALWARE Observed DNS Query to Ursnif Domain (pinki .cyou) (malware.rules)
2039630 - ET MALWARE Observed DNS Query to Ursnif Domain (daydayvin .xyz) (malware.rules)
2039631 - ET MALWARE Observed DNS Query to Ursnif Domain (kidup .xyz) (malware.rules)
2039632 - ET MALWARE Observed DNS Query to Ursnif Domain (damnater .com) (malware.rules)
2039633 - ET MALWARE Observed DNS Query to Ursnif Domain (minotos .xyz) (malware.rules)
2039634 - ET MALWARE Observed DNS Query to Ursnif Domain (isteros .com) (malware.rules)
2039635 - ET MALWARE Observed DNS Query to Ursnif Domain (dodstep .cyou) (malware.rules)
2039636 - ET MALWARE Observed DNS Query to Ursnif Domain (logotep .xyz) (malware.rules)
2039637 - ET MALWARE Observed DNS Query to Ursnif Domain (higmon .cyou) (malware.rules)
2039638 - ET MALWARE Observed DNS Query to Ursnif Domain (gigiman .xyz) (malware.rules)
2039639 - ET MALWARE Observed DNS Query to Ursnif Domain (fineg .xyz) (malware.rules)
2039640 - ET MALWARE Observed DNS Query to Ursnif Domain (pipap .xyz) (malware.rules)
2039641 - ET MALWARE Observed DNS Query to Ursnif Domain (prises .cyou) (malware.rules)
2039642 - ET MALWARE Observed DNS Query to Ursnif Domain (binchfog .xyz) (malware.rules)
2039643 - ET MALWARE Observed DNS Query to Ursnif Domain (gigeram .com) (malware.rules)
2039644 - ET MALWARE Observed DNS Query to Ursnif Domain (mainwog .xyz) (malware.rules)
2039645 - ET MALWARE Observed DNS Query to Ursnif Domain (gigimas .xyz) (malware.rules)
2039646 - ET MALWARE Observed DNS Query to Ursnif Domain (tornton .xyz) (malware.rules)
2039647 - ET MALWARE Observed DNS Query to Ursnif Domain (dodsman .com) (malware.rules)
2039648 - ET MALWARE Observed DNS Query to Ursnif Domain (rorfog .com) (malware.rules)
2039649 - ET MALWARE Observed DNS Query to Ursnif Domain (reaso .xyz) (malware.rules)
2039650 - ET MALWARE Observed DNS Query to Ursnif Domain (giantos .xyz) (malware.rules)
2039651 - ET MALWARE Observed Ursnif Domain in TLS SNI (lionnik .xyz) (malware.rules)
2039652 - ET MALWARE Observed Ursnif Domain in TLS SNI (fishenddog .xyz) (malware.rules)
2039653 - ET MALWARE Observed Ursnif Domain in TLS SNI (astope .xyz) (malware.rules)
2039654 - ET MALWARE Observed Ursnif Domain in TLS SNI (mamount .cyou) (malware.rules)
2039655 - ET MALWARE Observed Ursnif Domain in TLS SNI (pinki .cyou) (malware.rules)
2039656 - ET MALWARE Observed Ursnif Domain in TLS SNI (daydayvin .xyz) (malware.rules)
2039657 - ET MALWARE Observed Ursnif Domain in TLS SNI (kidup .xyz) (malware.rules)
2039658 - ET MALWARE Observed Ursnif Domain in TLS SNI (damnater .com) (malware.rules)
2039659 - ET MALWARE Observed Ursnif Domain in TLS SNI (minotos .xyz) (malware.rules)
2039660 - ET MALWARE Observed Ursnif Domain in TLS SNI (isteros .com) (malware.rules)
2039661 - ET MALWARE Observed Ursnif Domain in TLS SNI (dodstep .cyou) (malware.rules)
2039662 - ET MALWARE Observed Ursnif Domain in TLS SNI (logotep .xyz) (malware.rules)
2039663 - ET MALWARE Observed Ursnif Domain in TLS SNI (higmon .cyou) (malware.rules)
2039664 - ET MALWARE Observed Ursnif Domain in TLS SNI (vavilgo .xyz) (malware.rules)
2039665 - ET MALWARE Observed Ursnif Domain in TLS SNI (gigiman .xyz) (malware.rules)
2039666 - ET MALWARE Observed Ursnif Domain in TLS SNI (fineg .xyz) (malware.rules)
2039667 - ET MALWARE Observed Ursnif Domain in TLS SNI (pipap .xyz) (malware.rules)
2039668 - ET MALWARE Observed Ursnif Domain in TLS SNI (prises .cyou) (malware.rules)
2039669 - ET MALWARE Observed Ursnif Domain in TLS SNI (binchfog .xyz) (malware.rules)
2039670 - ET MALWARE Observed Ursnif Domain in TLS SNI (gigeram .com) (malware.rules)
2039671 - ET MALWARE Observed Ursnif Domain in TLS SNI (mainwog .xyz) (malware.rules)
2039672 - ET MALWARE Observed Ursnif Domain in TLS SNI (gigimas .xyz) (malware.rules)
2039673 - ET MALWARE Observed Ursnif Domain in TLS SNI (fingerpin .cyou) (malware.rules)
2039674 - ET MALWARE Observed Ursnif Domain in TLS SNI (tornton .xyz) (malware.rules)
2039675 - ET MALWARE Observed Ursnif Domain in TLS SNI (dodsman .com) (malware.rules)
2039676 - ET MALWARE Observed Ursnif Domain in TLS SNI (rorfog .com) (malware.rules)
2039677 - ET MALWARE Observed Ursnif Domain in TLS SNI (reaso .xyz) (malware.rules)
2039678 - ET MALWARE Observed Ursnif Domain in TLS SNI (giantos .xyz) (malware.rules)
2039679 - ET MALWARE Win32/Ursnif LDR4 Beacon (POST) (malware.rules)
2039680 - ET MALWARE EICAR File Sent With X-Powered By Kaspersky Labs 2022-11-03 (malware.rules)
2039681 - ET MALWARE Win32/FlyStudio.OJJ CnC Checkin (malware.rules)
2039682 - ET INFO External IP Lookup Domain (peoplesearch .real .com) in DNS Lookup (info.rules)

Pro:

2852771 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-11-03 1) (coinminer.rules)
2852772 - ETPRO PHISHING Successful Credem Banking Phish 2022-11-03 (phishing.rules)

Modified active rules:

2839423 - ETPRO EXPLOIT_KIT PurpleFox EK Framework Certificate Observed (exploit_kit.rules)

Disabled and modified rules:

2009986 - ET P2P Octoshape UDP Session (p2p.rules)
2014703 - ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set (dns.rules)
2850028 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M1 flowbit set (CVE-2021-22005) (exploit.rules)
2850029 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M2 flowbit set (CVE-2021-22005) (exploit.rules)
2850030 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M3 flowbit set (CVE-2021-22005) (exploit.rules)
2850031 - ETPRO EXPLOIT VMWare vCenter - Server Responded to Request For Path Vulnerable to RCE (CVE-2021-22005) (exploit.rules)
2850055 - ETPRO EXPLOIT VMware vCenter RCE Exploitation Attempt M1 (CVE-2021-22005) (exploit.rules)