[***] Summary: [***]

8 new OPEN, 37 new PRO (8 + 29). Microsoft Exchange RCE, Exim
Exploits, SaintLoader, Phish.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2032896 - ET INFO DYNAMIC_DNS Query to a *.addns .org Domain (info.rules)
2032897 - ET EXPLOIT Microsoft Exchange RCE Setup Inbound (CVE-2021-28482) (exploit.rules)
2032898 - ET EXPLOIT Exim receive_msg Integer Overflow Attempt Inbound M1 (CVE-2020-28020) (exploit.rules)
2032899 - ET EXPLOIT Exim receive_msg Integer Overflow Attempt Inbound M2 (CVE-2020-28020) (exploit.rules)
2032900 - ET EXPLOIT Exim New-Line Injection into Spool Header File Inbound M1 (CVE-2020-28021) (exploit.rules)
2032901 - ET EXPLOIT Exim New-Line Injection into Spool Header File Inbound M2 (CVE-2020-28021) (exploit.rules)
2032902 - ET EXPLOIT Exim New-Line Injection into Spool Header File Inbound - Information Disclosure Attempt (CVE-2020-28021) (exploit.rules)
2032903 - ET EXPLOIT Exim Stack Exhaustion via BDAT Error Inbound (CVE-2020-28019) (exploit.rules)

Pro:

2848382 - ETPRO MOBILE_MALWARE Android Finspy Activity - SET (mobile_malware.rules)
2848383 - ETPRO MOBILE_MALWARE Android Finspy Activity (mobile_malware.rules)
2848384 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848385 - ETPRO INFO Long String of Equals - Possible Exfil in URI (info.rules)
2848386 - ETPRO INFO Suspicious HTTP Header (USER) (info.rules)
2848387 - ETPRO INFO Suspicious HTTP Header (COUNTRY) (info.rules)
2848388 - ETPRO TROJAN SaintLoader CnC Checkin (trojan.rules)
2848389 - ETPRO TROJAN SaintLoader CnC Activity (trojan.rules)
2848390 - ETPRO INFO Suspicious HTTP Header (FIN) (info.rules)
2848391 - ETPRO INFO Suspicious HTTP Header (URL) (info.rules)
2848392 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 1) (trojan.rules)
2848393 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 2) (trojan.rules)
2848394 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 3) (trojan.rules)
2848395 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 4) (trojan.rules)
2848396 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 5) (trojan.rules)
2848397 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 6) (trojan.rules)
2848398 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 7) (trojan.rules)
2848399 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 8) (trojan.rules)
2848400 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 9) (trojan.rules)
2848401 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 10) (trojan.rules)
2848402 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 11) (trojan.rules)
2848403 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 12) (trojan.rules)
2848404 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 13) (trojan.rules)
2848405 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 14) (trojan.rules)
2848406 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-03 15) (trojan.rules)
2848407 - ETPRO TROJAN RatraDownloader Activity (trojan.rules)
2848408 - ETPRO CURRENT_EVENTS Successful US Bank Phish 2021-05-04 (current_events.rules)
2848409 - ETPRO CURRENT_EVENTS Successful SMBC Phish 2021-05-04 (current_events.rules)
2848410 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish 2021-05-04 (current_events.rules)

[///] Modified active rules: [///]

2024425 - ET TROJAN OSX/OceanLotus / ELF/RotaJakario CnC Checkin (trojan.rules)
2845657 - ETPRO INFO Suspicious Binary Encoded String (powershell) (info.rules)
2845658 - ETPRO INFO Suspicious Binary Encoded String (-ExecutionPolicy) (info.rules)
2845659 - ETPRO INFO Suspicious Binary Encoded String ([Net.WebRequest]) (info.rules)
2845660 - ETPRO INFO Suspicious Binary Encoded String (Powershell) (info.rules)
2848352 - ETPRO INFO Suspicious HTTP Header (HWID) (info.rules)