Ruleset Update Summary - 2022/11/23 - v10180

Summary:

8 new OPEN, 18 new PRO (8 + 10)

Thanks @Thingzeye

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Due to US holidays, rule updates and releases for the remainder of the week may be lighter than usual. Full releases will continue from Monday (28th) next week.
Added rules:

Open:

  • 2039832 - ET USER_AGENTS Observed Malicious VBS Related UA (user_agents.rules)
  • 2039833 - ET EXPLOIT D-Link Related Command Injection Attempt Inbound (CVE-2013-7471) (exploit.rules)
  • 2039834 - ET MALWARE Win32/Gh0st RAT Variant CnC Checkin response (malware.rules)
  • 2039835 - ET PHISHING Successful Credit Agricole Credential Phish 2022-11-23 (phishing.rules)
  • 2039836 - ET PHISHING Successful BT GROUP Credential Phish 2022-11-23 (phishing.rules)
  • 2039837 - ET PHISHING WalletConnect Stealer Landing Page 2022-11-23 (phishing.rules)
  • 2039838 - ET MALWARE SocGholish Domain in DNS Lookup (hook .adieh .com) (malware.rules)
  • 2039839 - ET MALWARE SocGholish Domain in DNS Lookup (subscribe .3gbling .com) (malware.rules)

Pro:

  • 2852848 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-11-21 1) (coinminer.rules)
  • 2852849 - ETPRO MALWARE Win32/XWorm CnC Command (rec) (malware.rules)
  • 2852850 - ETPRO MALWARE Win32/XWorm CnC Command (CLOSE) (malware.rules)
  • 2852851 - ETPRO MALWARE Win32/XWorm CnC Command (uninstall) (malware.rules)
  • 2852852 - ETPRO MALWARE Win32/XWorm CnC Command (getinfo) M1 (malware.rules)
  • 2852853 - ETPRO MALWARE Win32/XWorm CnC Command (getinfo) M2 (malware.rules)
  • 2852854 - ETPRO MALWARE Win32/XWorm CnC Command (openhide) (malware.rules)
  • 2852855 - ETPRO MALWARE Win32/XWorm CnC Command (shellfuc) (malware.rules)
  • 2852856 - ETPRO MALWARE TA406 FatBoy CnC POST Request (malware.rules)
  • 2852857 - ETPRO MALWARE TA406 FatBoy CnC GET Request (malware.rules)

Modified active rules:

  • 2039825 - ET MALWARE Observed TA444 Domain (sharedrive .ink in TLS SNI) (malware.rules)
  • 2039826 - ET MALWARE Observed TA444 Domain (dnx .capital in TLS SNI) (malware.rules)
  • 2852487 - ETPRO MALWARE Win32/XWorm CnC Command (PING?) (malware.rules)
  • 2852488 - ETPRO MALWARE Win32/XWorm CnC Command (PING!) (malware.rules)
  • 2852499 - ETPRO MALWARE Win32/XWorm CnC Command (RD-) (malware.rules)
  • 2852500 - ETPRO MALWARE Win32/XWorm CnC Command (RD+) (malware.rules)

Disabled and modified rules:

  • 2019256 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13 (web_server.rules)
  • 2019257 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14 (web_server.rules)
  • 2019258 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15 (web_server.rules)
  • 2019259 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16 (web_server.rules)
  • 2019260 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17 (web_server.rules)
  • 2019261 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18 (web_server.rules)
  • 2019262 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19 (web_server.rules)
  • 2019263 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20 (web_server.rules)
  • 2019264 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21 (web_server.rules)
  • 2019265 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22 (web_server.rules)
  • 2019266 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23 (web_server.rules)
  • 2019267 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24 (web_server.rules)
  • 2019268 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25 (web_server.rules)
  • 2019269 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26 (web_server.rules)
  • 2019270 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27 (web_server.rules)
  • 2019271 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28 (web_server.rules)
  • 2019272 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29 (web_server.rules)
  • 2019273 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30 (web_server.rules)
  • 2019415 - ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack (policy.rules)
  • 2019416 - ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack (policy.rules)
  • 2039752 - ET MALWARE SocGholish CnC Domain in DNS Lookup (campaign .tworiversboat .com) (malware.rules)
  • 2808987 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4126 (web_client.rules)
  • 2808990 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free CVE-2014-4129 (web_client.rules)
  • 2808996 - ETPRO WEB_CLIENT Internet Explorer 11 Sandbox Escapes vulnerable ActiveX control in executable (CVE-2014-4123) (web_client.rules)
  • 2809000 - ETPRO WEB_CLIENT Possible Internet Explorer Memory Corruption Vulnerability CVE-2014-4141 (web_client.rules)
  • 2809143 - ETPRO WEB_CLIENT Possible Internet Explorer CSecurityContext Use-After-Free CVE-2014-4143 (web_client.rules)
  • 2809144 - ETPRO WEB_CLIENT Possible Internet Explorer IE_AudioSrv_SandboxEscape (CVE-2014-6322) (web_client.rules)

Removed rules:

  • 2019369 - ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M2 (exploit_kit.rules)
  • 2019370 - ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M3 (exploit_kit.rules)
  • 2019372 - ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M2 (exploit_kit.rules)
  • 2019374 - ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-3897 M1 (exploit_kit.rules)
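Summaries like this one arrive daily, and the sections that matter operationally are the disabled and removed lists: a SID you force-enable locally (for example through a suricata-update enable.conf) stays active after Emerging Threats disables it upstream, and an override for a removed SID silently stops matching anything. The parser below is an added example, not code from Emerging Threats or Proofpoint; it extracts SIDs per section from the summary format shown on this page and cross-checks them against a set of locally enabled SIDs that you supply. The section keys, the `SAMPLE` excerpt (abridged from the lists above) and the local-enable set in the usage call are the example's own assumptions.

```python
"""Parse an Emerging Threats ruleset update summary into SID lists per section.

Added example, not part of the ET post. The summary format (section headings
ending in a colon, followed by bulleted "SID - msg (file.rules)" lines) is
taken from the page above; the override check assumes you keep a set of SIDs
you force-enable locally, e.g. from a suricata-update enable.conf.
"""
import re

# Headings as they appear in the summaries, mapped to the result key used here.
# "Added rules:" only introduces the "Open:" / "Pro:" subsections.
HEADINGS = {
    "Added rules": None,
    "Open": "added_open",
    "Pro": "added_pro",
    "Modified active rules": "modified_active",
    "Modified inactive rules": "modified_inactive",
    "Disabled and modified rules": "disabled_modified",
    "Removed rules": "removed",
}

HEADING_RE = re.compile(r"^\s*([A-Za-z ]+):\s*$")
# Optional bullet, SID, " - ", message, then the rules file in the final
# parenthesised group. The message itself may contain parentheses, so the
# non-greedy message group relies on the anchored "(...rules)" tail.
RULE_RE = re.compile(r"^\s*(?:[•*-]\s*)?(\d+)\s+-\s+(.+?)\s+\(([^()\s]+\.rules)\)\s*$")

# Abridged excerpt of the 2022/11/23 summary above (a few lines per section).
SAMPLE = """\
Ruleset Update Summary - 2022/11/23 - v10180

Summary:

8 new OPEN, 18 new PRO (8 + 10)

Added rules:

Open:

  • 2039832 - ET USER_AGENTS Observed Malicious VBS Related UA (user_agents.rules)
  • 2039838 - ET MALWARE SocGholish Domain in DNS Lookup (hook .adieh .com) (malware.rules)

Pro:

  • 2852848 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-11-21 1) (coinminer.rules)
  • 2852852 - ETPRO MALWARE Win32/XWorm CnC Command (getinfo) M1 (malware.rules)

Modified active rules:

  • 2852487 - ETPRO MALWARE Win32/XWorm CnC Command (PING?) (malware.rules)

Disabled and modified rules:

  • 2019256 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13 (web_server.rules)
  • 2019415 - ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack (policy.rules)
  • 2809144 - ETPRO WEB_CLIENT Possible Internet Explorer IE_AudioSrv_SandboxEscape (CVE-2014-6322) (web_client.rules)

Removed rules:

  • 2019369 - ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M2 (exploit_kit.rules)
"""


def parse_summary(text):
    """Return {section_key: [(sid, msg, rules_file), ...]} for every known section."""
    sections = {key: [] for key in HEADINGS.values() if key}
    current = None
    for line in text.splitlines():
        h = HEADING_RE.match(line)
        if h and h.group(1).strip() in HEADINGS:
            current = HEADINGS[h.group(1).strip()]
            continue
        m = RULE_RE.match(line)
        if m and current:
            sections[current].append((m.group(1), m.group(2), m.group(3)))
    return sections


def overrides_to_review(sections, locally_enabled):
    """SIDs you force-enable locally that this release disabled or removed upstream.

    A local enable override keeps a SID active after ET disables it, so the rule
    keeps running with its modified body; an override for a removed SID no
    longer matches anything. Both deserve a look after applying the update.
    """
    disabled = {sid for sid, _, _ in sections["disabled_modified"]}
    removed = {sid for sid, _, _ in sections["removed"]}
    return {
        "still_enabled_but_disabled_upstream": sorted(locally_enabled & disabled),
        "enabled_but_removed_upstream": sorted(locally_enabled & removed),
    }


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    for key, rules in parsed.items():
        print(f"{key}: {len(rules)} rule(s)")
    # Hypothetical local enable set for the demonstration.
    print(overrides_to_review(parsed, {"2019415", "2019369", "2039832"}))
```

Feed the full summary text (or a batch of them) to `parse_summary` and the SID set from your own enable overrides to `overrides_to_review`; anything returned in either list is a candidate for dropping from the override file before the next ruleset pull.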