[***] Summary: [***]

8 new OPEN, 26 new PRO (8 + 18). IFFM Stealer, RedLine, VJworm,
Various Phish, Others.

Thanks @rootprivilege and Habiba Akram.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2032763 - ET CURRENT_EVENTS Observed Phish Domain in DNS Query
(daviviendapersonalingresos .live) 2021-04-15 (current_events.rules)
2032764 - ET CURRENT_EVENTS Observed BottleEK Domain in DNS Lookup
2021-04-15 (current_events.rules)
2032765 - ET CURRENT_EVENTS Observed Phish Domain in DNS Query
(daviviendapersonalingresos .xyz) 2021-04-15 (current_events.rules)
2032766 - ET EXPLOIT ScadaBR RCE with JSP Shell Inbound
(CVE-2021-26828) (exploit.rules)
2032767 - ET EXPLOIT Advantech iView RCE Setup via Config Overwrite
Inbound (CVE-2021-22652) (exploit.rules)
2032768 - ET TROJAN Observed Win32.Raccoon Stealer CnC Domain
(annafraudy .top in TLS SNI) (trojan.rules)
2032769 - ET TROJAN Magecart/Skimmer - AngryBeaver Exfil Attempt
(trojan.rules)
2032770 - ET TROJAN Kimsuky Maldoc Activity (GET) (trojan.rules)

Pro:

2848198 - ETPRO TROJAN Win32/UnkWW.TelegramBot Reporting Infection
(trojan.rules)
2848199 - ETPRO TROJAN RedLine - VerifyScanRequest Request (trojan.rules)
2848200 - ETPRO TROJAN RedLine - GetUpdates Request (trojan.rules)
2848201 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-15 1) (trojan.rules)
2848202 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-15 2) (trojan.rules)
2848203 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-15 3) (trojan.rules)
2848204 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-15 4) (trojan.rules)
2848205 - ETPRO CURRENT_EVENTS Successful Generic Credit Card
Information Phish 2021-04-15 (current_events.rules)
2848206 - ETPRO CURRENT_EVENTS Successful Generic Credit Card
Information Phish 2021-04-15 (current_events.rules)
2848207 - ETPRO CURRENT_EVENTS Successful Generic Credit Card
Information Phish 2021-04-15 (current_events.rules)
2848208 - ETPRO CURRENT_EVENTS Successful ING Phish 2021-04-15
(current_events.rules)
2848209 - ETPRO CURRENT_EVENTS Successful Generic Credit Card
Information Phish 2021-04-15 (current_events.rules)
2848210 - ETPRO CURRENT_EVENTS Successful Generic MultiBank Phish
2021-04-15 (current_events.rules)
2848211 - ETPRO TROJAN IFFM Stealer Exfil (POST) (trojan.rules)
2848212 - ETPRO TROJAN Observed IFFM Stealer Domain in TLS SNI (trojan.rules)
2848213 - ETPRO TROJAN IFFM Stealer Activity (GET) (trojan.rules)
2848214 - ETPRO TROJAN VJworm Checkin M2 (trojan.rules)
2848215 - ETPRO TROJAN Win32/Zpevdo Activity (GET) (trojan.rules)

[///] Modified active rules: [///]

2847303 - ETPRO TROJAN Observed THRALL Keylogger HTTP Boundary via
Telegram (trojan.rules)

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
