Today's release contains 42 new rules, 13 new shared object rules and five modified rules.
Thursday's release provides updated protections against the Emotet botnet. While Emotet has been around for years, the attackers behind it are still updating it and deploying new variants against victims. There is also coverage for new malware variants used by the OceanLotus APT.
Talos has added and modified multiple rules in the browser-webkit, file-identify, file-image, file-other, malware-cnc, malware-tools, policy-other, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.
There is one group of rules we wish to highlight:
- 51967 - 51971: These rules provide protection against the latest wave of Emotet infections. The infamous botnet, after going quiet for several months, is back with a new set of tactics to infect users. It has even gone after several city governments this year. Rule 51971 detects (and, when Snort runs inline, blocks) Emotet's outbound connection to its command and control (C2) server, while the other four fire when Emotet attempts to download its final payload. Alex Chui wrote these rules.
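After pulling a release like this, the practical check is whether the highlighted SIDs actually landed in the deployed ruleset and are enabled rather than commented out. The script below is an added example written for this post, not Talos code: it scans a rules file for the 51967-51971 range and reports each SID as enabled, disabled or missing. The `audit_sids` and `missing_or_disabled` helpers are names chosen here, and the sample rules are constructed placeholders with generic headers and message text, not the real Emotet signatures.

```python
"""Verify that a block of Snort SIDs is present and enabled in a rules file.

Added example for this release note; not Talos code. The sample rules are
constructed placeholders, not the actual Emotet detection content.
"""
import re

# The SID range called out in the release notes.
EMOTET_SIDS = range(51967, 51972)

# Locate the sid option inside a rule body; the rest of the rule is not parsed.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def audit_sids(rules_text, wanted):
    """Return {sid: 'enabled' | 'disabled' | 'missing'} for every wanted SID.

    A rule line that starts with '#' is treated as disabled, which is how a
    rule outside the selected policy appears in a Snort rules file.
    """
    status = {sid: "missing" for sid in wanted}
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SID_RE.search(line)
        if not m:
            continue  # plain comment or non-rule line
        sid = int(m.group(1))
        if sid not in status:
            continue  # not one of the SIDs being audited
        status[sid] = "disabled" if line.startswith("#") else "enabled"
    return status


def missing_or_disabled(status):
    """SIDs that need attention, sorted ascending."""
    return sorted(sid for sid, state in status.items() if state != "enabled")


# Constructed sample ruleset: three of the five highlighted SIDs are present,
# one of those is commented out, and an unrelated local rule is mixed in.
SAMPLE_RULES = """\
# comment line that is not a rule
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC placeholder"; flow:to_server,established; sid:51971; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER placeholder"; flow:to_client,established; sid:51967; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER placeholder"; flow:to_client,established; sid:51968; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"unrelated local rule"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    result = audit_sids(SAMPLE_RULES, EMOTET_SIDS)
    for sid in EMOTET_SIDS:
        print(sid, result[sid])
    print("needs attention:", missing_or_disabled(result))
```

Point `audit_sids` at the concatenated contents of the rule files your sensor loads (for example the `malware-cnc` and `malware-other` files named in this release) and treat anything reported as missing or disabled as a deployment gap to resolve before assuming the Emotet coverage is active.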