[***] Summary: [***]

20 new OPEN, 34 new PRO (20 + 14). ELF/RedXOR, Various Netgear
CVEs, Raccoon Stealer, Various Phish, Others.

Thanks: @travisbgreen.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2031932 - ET POLICY Observed Suspicious SSL Cert (Metasploit Self
Signed CA) (policy.rules)
2031933 - ET POLICY Observed Suspicious SSL Cert (Metasploit in TLS
Subject) (policy.rules)
2031934 - ET TROJAN ELF/RedXOR CnC Checkin (trojan.rules)
2031935 - ET TROJAN ELF/RedXOR CnC Response (trojan.rules)
2031936 - ET EXPLOIT Netgear ProSAFE Plus Unauthenticated RCE
Inbound (CVE-2020-26919) (exploit.rules)
2031937 - ET EXPLOIT Possible NSDP (Netgear) Remote Authentication
Bypass with Factory Reset (CVE-2020-35231) (exploit.rules)
2031938 - ET EXPLOIT Possible NSDP (Netgear) Unauthenticated Buffer
Overflow (CVE-2020-35232) (exploit.rules)
2031939 - ET EXPLOIT Netgear ProSAFE Plus Stored XSS Inbound
(CVE-2020-35228) (exploit.rules)
2031940 - ET EXPLOIT Possible NSDP (Netgear) Unauthenticated Write
Access to DHCP Config (CVE-2020-35226) (exploit.rules)
2031941 - ET EXPLOIT Netgear ProSAFE Plus Possible Integer Overflow
Attempt Inbound M1 (CVE-2020-35230) (exploit.rules)
2031942 - ET EXPLOIT Netgear ProSAFE Plus Possible Integer Overflow
Attempt Inbound M2 (CVE-2020-35230) (exploit.rules)
2031943 - ET EXPLOIT Possible NSDP (Netgear) Write Command Buffer
Overflow Attempt - 0x0003 (CVE-2020-35225) (exploit.rules)
2031944 - ET EXPLOIT Possible NSDP (Netgear) Write Command Buffer
Overflow Attempt - 0x0005 (CVE-2020-35225) (exploit.rules)
2031945 - ET EXPLOIT Possible NSDP (Netgear) Write Command Buffer
Overflow Attempt - 0x000a (CVE-2020-35225) (exploit.rules)
2031946 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI
(mynameisgarfield .top) (trojan.rules)
2031947 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI
(mansizeprofile .top) (trojan.rules)
2031948 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI
(letsmakesome .fun) (trojan.rules)
2031949 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI
(gogowormdealer .top) (trojan.rules)
2031950 - ET TROJAN Win32.Raccoon Stealer CnC Domain in TLS SNI
(seattlecarwash .fun) (trojan.rules)
2031951 - ET MALWARE Lazarus Maldoc CnC (malware.rules)

Pro:

2847540 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-11 1) (trojan.rules)
2847541 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-11 2) (trojan.rules)
2847542 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-11 3) (trojan.rules)
2847543 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-03-11 4) (trojan.rules)
2847544 - ETPRO CURRENT_EVENTS Successful Fidelity Phish 2021-03-11
(current_events.rules)
2847545 - ETPRO CURRENT_EVENTS Successful Tmobile Teleom Phish
2021-03-11 (current_events.rules)
2847546 - ETPRO CURRENT_EVENTS Successful Banco Itau Phish
2021-03-11 (current_events.rules)
2847547 - ETPRO CURRENT_EVENTS Successful Salesforce Phish
2021-03-11 (current_events.rules)
2847548 - ETPRO CURRENT_EVENTS Successful Scotiabank Phish
2021-03-11 (current_events.rules)
2847549 - ETPRO TROJAN MSIL/Agensla Variant CnC Activity (trojan.rules)
2847550 - ETPRO CURRENT_EVENTS Successful NAB Bank Phish 2021-03-11
(current_events.rules)
2847551 - ETPRO TROJAN Win32/Cobalt.cja Variant CnC Activity (trojan.rules)
2847552 - ETPRO INFO Suspicious Request for BAT file (info.rules)
2847553 - ETPRO TROJAN Win32/GenCBL.AAR Variant CnC Activity (trojan.rules)

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
