Ruleset Update Summary - 2023/01/11 - v10217

Summary:

16 new OPEN, 25 new PRO (16 + 9)

Thanks @Intrinsec, @ASEC_Analysis, @malwareforme

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.


Added rules:

Open:

  • 2043272 - ET EXPLOIT SugarCRM Auth Bypass Attempt 2022-12-31 (exploit.rules)
  • 2043273 - ET EXPLOIT SugarCRM PHP Shell Upload Attempt (exploit.rules)
  • 2043274 - ET INFO Observed certreq User-Agent (NDES client) (info.rules)
  • 2043275 - ET MALWARE Observed IcedID Domain in DNS Lookup (spkdeutshnewsupp .com) (malware.rules)
  • 2043276 - ET MALWARE Observed IcedID Domain in DNS Lookup (bayernbadabum .com) (malware.rules)
  • 2043277 - ET MALWARE Win32/Nitol.A CnC Checkin M3 (malware.rules)
  • 2043278 - ET MALWARE Observered DNS Query to TA444/Lazarus Domain (concrecapital .com) (malware.rules)
  • 2043279 - ET MALWARE TA444 Related Domain (updatezone .org) in DNS Lookup (malware.rules)
  • 2043280 - ET MALWARE TA444 Related Domain (autoprotect .com .de) in DNS Lookup (malware.rules)
  • 2043281 - ET MALWARE TA444 Related Domain (autoprotect .gb .net) in DNS Lookup (malware.rules)
  • 2043282 - ET MALWARE TA444 Related Domain (azure-security .online) in DNS Lookup (malware.rules)
  • 2043283 - ET MALWARE TA444 Related Domain (azure-security .site) in DNS Lookup (malware.rules)
  • 2043284 - ET MALWARE TA444 Related Domain (hoststudio .org) in DNS Lookup (malware.rules)
  • 2043285 - ET MALWARE TA444 Related Domain (thecloudnet .org) in DNS Lookup (malware.rules)
  • 2043286 - ET PHISHING Manhattan College Phish Landing Page 2022-01-10 (phishing.rules)
  • 2043287 - ET PHISHING Successful Manhattan College Credential Phish 2022-01-10 (phishing.rules)

Pro:

  • 2853029 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-01-11 1) (coinminer.rules)
  • 2853030 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-01-10 2) (coinminer.rules)
  • 2853031 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-01-10 3) (coinminer.rules)
  • 2853032 - ETPRO HUNTING HTTP POST with PHP Code Header in PNG file - Inbound (hunting.rules)
  • 2853033 - ETPRO MALWARE Win32/AsyncRAT CnC Request (GET) (malware.rules)
  • 2853034 - ETPRO MALWARE Observed DNS Query to AsyncRAT Domain (malware.rules)
  • 2853035 - ETPRO MALWARE Observed DNS Query to AsyncRAT Domain (malware.rules)
  • 2853036 - ETPRO PHISHING Security Awareness Campaign Domain in DNS Lookup (phishing.rules)
  • 2853037 - ETPRO PHISHING Security Awareness Campaign Domain in DNS Lookup (phishing.rules)

Modified active rules:

  • 2026921 - ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (ctT2J) in DNS TXT Response (attack_response.rules)

Modified inactive rules:

  • 2020222 - ET MALWARE Win32/Nitol.A Checkin M2 (malware.rules)
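The entries above defang domains with a space before each dot, e.g. "(spkdeutshnewsupp .com)" and "(autoprotect .com .de)", so a reader cannot click them. Turning a summary like this into a DNS IOC list is a common first step before the updated rules land in the sensor. The following is an added example, not Emerging Threats code: it parses entries in this summary's format, refangs the domains found in rule messages, and checks a DNS query name against them. The constructed SAMPLE is a short excerpt of the lists above; the function names (parse_entries, refang, dns_iocs, matching_sids) are this example's own. Note the limit it demonstrates: entries whose message carries no domain, such as the two "Observed DNS Query to AsyncRAT Domain" PRO rules, yield no IOC from the summary alone; for those you need the rule bodies from the rules files named in parentheses.

```python
import re

# Constructed excerpt of the update summary above (same line format).
SAMPLE = """\
  • 2043275 - ET MALWARE Observed IcedID Domain in DNS Lookup (spkdeutshnewsupp .com) (malware.rules)
  • 2043280 - ET MALWARE TA444 Related Domain (autoprotect .com .de) in DNS Lookup (malware.rules)
  • 2043274 - ET INFO Observed certreq User-Agent (NDES client) (info.rules)
  • 2853036 - ETPRO PHISHING Security Awareness Campaign Domain in DNS Lookup (phishing.rules)
"""

# "  • <sid> - <msg> (<file>.rules)"; the lazy msg group stops at the trailing rules-file tag.
ENTRY_RE = re.compile(r"^\s*•\s*(\d+)\s+-\s+(.*?)\s+\((\w+\.rules)\)\s*$")

# A defanged domain in parentheses: a label followed by one or more " .label" pieces.
# "(NDES client)" or "(GET)" carry no " ." and therefore do not match.
DEFANGED_RE = re.compile(r"\(([a-z0-9-]+(?:\s\.[a-z0-9-]+)+)\)")


def refang(defanged):
    """'autoprotect .com .de' -> 'autoprotect.com.de'."""
    return defanged.replace(" .", ".")


def parse_entries(text):
    """Parse summary lines into dicts with sid, msg, rules file and refanged domains."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headings, blank lines, anything not an entry
        sid, msg, rules_file = m.groups()
        domains = [refang(d) for d in DEFANGED_RE.findall(msg)]
        entries.append({"sid": int(sid), "msg": msg, "file": rules_file, "domains": domains})
    return entries


def dns_iocs(entries):
    """Sorted, de-duplicated list of every domain the summary exposes."""
    return sorted({d for e in entries for d in e["domains"]})


def matching_sids(entries, qname):
    """SIDs whose domain equals qname or is a parent of it (subdomains match, lookalikes do not)."""
    q = qname.lower().rstrip(".")  # normalise case and a trailing root dot
    hits = []
    for e in entries:
        for d in e["domains"]:
            if q == d or q.endswith("." + d):
                hits.append(e["sid"])
    return hits


if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    print("IOCs:", dns_iocs(entries))
    for q in ("www.spkdeutshnewsupp.com.", "spkdeutshnewsupp.com.evil.example"):
        print(q, "->", matching_sids(entries, q))
```

The parent-domain check uses an explicit "." boundary so that a lookalike such as "notspkdeutshnewsupp.com" or a domain that merely embeds an IOC as a subdomain label is not reported; the match is on the query name's suffix, which is what the DNS-lookup rules above key on.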