Summary:
61 new OPEN, 83 new PRO (61 + 22) Ursnif, Win32\Cryptbot, ROMCOM RAT, Kutaki Stealer, Tons of Mobile Malware, CoinMiner, and Various Phish
Thanks @James_inthe_box @500mk500 @BlackBerry @Unit42_Intel @JAMESWT_MHT @cyb3rops
Happy Free Sig Friday!
Please share issues, feedback, and requests at Feedback
Added rules:
Open:
2039683 - ET ATTACK_RESPONSE Possible PowerShell AMSI Bypass Inbound (attack_response.rules)
2039684 - ET INFO localhost .run Domain in DNS Lookup DNS Lookup (.lhr .life) (info.rules)
2039685 - ET INFO localhost .run Domain in DNS Lookup DNS Lookup (.lhr .rocks) (info.rules)
2039686 - ET INFO localhost .run Domain in DNS Lookup DNS Lookup (.lhrtunnel .link) (info.rules)
2039687 - ET INFO localhost .run TLS Certification Observed (info.rules)
2039688 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039689 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039690 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039691 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039692 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039693 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039694 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039695 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039696 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039697 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039698 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039699 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039700 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039701 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039702 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039703 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039704 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039705 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039706 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039707 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039708 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039709 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039710 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039711 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039712 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039713 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039714 - ET MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
2039715 - ET MALWARE Observed DNS Query to Hyperion Obfuscator Domain (plague .fun) (malware.rules)
2039716 - ET MALWARE Hyperion Obfuscator Payload Inbound (malware.rules)
2039717 - ET PHISHING Twitter Credential Phish Landing Page 2022-11-04 (phishing.rules)
2039718 - ET MALWARE Win32/DataStealer.P CnC Checkin (malware.rules)
2039719 - ET MALWARE Win32/Delf.UUW CnC Keep-Alive (malware.rules)
2039720 - ET MALWARE Win32\Cryptbot CnC Domain (kyrsti44 .top) in DNS Lookup (malware.rules)
2039721 - ET MALWARE Win32\Cryptbot CnC Domain (okwnyw02 .top) in DNS Lookup (malware.rules)
2039722 - ET MALWARE Win32\Cryptbot CnC Domain (okwydg05 .top) in DNS Lookup (malware.rules)
2039723 - ET MALWARE Win32\Cryptbot CnC Domain (towcqx32 .top) in DNS Lookup (malware.rules)
2039724 - ET MALWARE Win32\Cryptbot CnC Domain (okwerh01 .top) in DNS Lookup (malware.rules)
2039725 - ET MALWARE Win32\Cryptbot CnC Domain (suqzyt03 .top) in DNS Lookup (malware.rules)
2039726 - ET MALWARE Win32\Cryptbot CnC Domain (suqyjb01 .top) in DNS Lookup (malware.rules)
2039727 - ET MALWARE Win32\Cryptbot CnC Domain (okwyeg04 .top) in DNS Lookup (malware.rules)
2039728 - ET MALWARE Win32\Cryptbot CnC Domain (pefjfw62 .top) in DNS Lookup (malware.rules)
2039729 - ET MALWARE Win32\Cryptbot CnC Domain (suqpvu08 .top) in DNS Lookup (malware.rules)
2039730 - ET MALWARE Win32\Cryptbot CnC Domain (towhfs22 .top) in DNS Lookup (malware.rules)
2039731 - ET MALWARE Win32\Cryptbot CnC Domain (suqosk04 .top) in DNS Lookup (malware.rules)
2039732 - ET MALWARE Win32\Cryptbot CnC Domain (suqyqu10 .top) in DNS Lookup (malware.rules)
2039733 - ET MALWARE Win32\Cryptbot CnC Domain (kyrjwt45 .top) in DNS Lookup (malware.rules)
2039734 - ET MALWARE Win32\Cryptbot CnC Domain (suqzpe02 .top) in DNS Lookup (malware.rules)
2039735 - ET MALWARE Win32\Cryptbot CnC Domain (suqycd05 .top) in DNS Lookup (malware.rules)
2039736 - ET MALWARE Win32\Cryptbot CnC Domain (suqoyw07 .top) in DNS Lookup (malware.rules)
2039737 - ET MALWARE Win32\Cryptbot CnC Domain (towspd42 .top) in DNS Lookup (malware.rules)
2039738 - ET MALWARE ROMCOM RAT CnC Domain (you-supported .com) in DNS Lookup (malware.rules)
2039739 - ET MALWARE ROMCOM RAT Campaign Domain (wveeam .com) in DNS Lookup (malware.rules)
2039740 - ET MALWARE ROMCOM RAT Campaign Domain (keepas .org) in DNS Lookup (malware.rules)
2039741 - ET MALWARE Kutaki Stealer CnC Domain (terebinnahicc .club) in DNS Lookup (malware.rules)
2039742 - ET MALWARE Kutaki Stealer CnC Domain (treysbeatend .com) in DNS Lookup (malware.rules)
2039743 - ET PHISHING Successful Nordea Netbank Credential Phish 2022-11-04 (phishing.rules)
Pro:
2852773 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.JFU CnC Domain in DNS Lookup (mobile_malware.rules)
2852774 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.JFU CnC Domain in DNS Lookup (mobile_malware.rules)
2852775 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.JFU CnC Domain in DNS Lookup (mobile_malware.rules)
2852776 - ETPRO MOBILE_MALWARE Observed Android/TrojanDownloader.Agent.AEH Domain in TLS SNI (mobile_malware.rules)
2852777 - ETPRO MOBILE_MALWARE Android/Spy.Facestealer.EF Checkin (mobile_malware.rules)
2852778 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.XC CnC Domain in DNS Lookup (mobile_malware.rules)
2852779 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.aroh CnC Domain in DNS Lookup (mobile_malware.rules)
2852780 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Agent.ss CnC Beacon (mobile_malware.rules)
2852781 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.HDA Checkin (mobile_malware.rules)
2852782 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Fakecalls.at CnC Domain in DNS Lookup (mobile_malware.rules)
2852783 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Domain in DNS Lookup (mobile_malware.rules)
2852784 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Domain in DNS Lookup (mobile_malware.rules)
2852785 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.arpb CnC Domain in DNS Lookup (mobile_malware.rules)
2852786 - ETPRO MOBILE_MALWARE Android.Backdoor.685 CnC Domain in DNS Lookup (mobile_malware.rules)
2852787 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Domain in DNS Lookup (mobile_malware.rules)
2852788 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.o CnC Domain in DNS Lookup (mobile_malware.rules)
2852789 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Hiddapp.ch CnC Domain in DNS Lookup (mobile_malware.rules)
2852790 - ETPRO MOBILE_MALWARE Android/Spy.Banker.BOF CnC Domain in DNS Lookup (mobile_malware.rules)
2852791 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Jocker.ei CnC Domain in DNS Lookup (mobile_malware.rules)
2852792 - ETPRO MOBILE_MALWARE Android/Spy.Agent.ACD Checkin (mobile_malware.rules)
2852793 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Fakecalls.at Checkin 2 (mobile_malware.rules)
2852794 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-11-04 1) (coinminer.rules)