[***] Summary: [***]
16 new OPEN, 34 new PRO (16 + 18). Multiple Android, PULSECHECK,
SLIGHTPULSE, Pingback, Avalon Stealer, AsyncRAT, Phish.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2032904 - ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M1 (exploit.rules)
2032905 - ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M2 (exploit.rules)
2032906 - ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M3 (exploit.rules)
2032907 - ET TROJAN [FIREEYE] PULSECHECK Webshell Access Outbound (trojan.rules)
2032908 - ET TROJAN [FIREEYE] SLIGHTPULSE Webshell Activity M1 (set) M1 (trojan.rules)
2032909 - ET TROJAN [FIREEYE] SLIGHTPULSE Webshell Activity M1 (set) M2 (trojan.rules)
2032910 - ET TROJAN [FIREEYE] SLIGHTPULSE Webshell Activity M2 (set) M1 (trojan.rules)
2032911 - ET TROJAN [FIREEYE] SLIGHTPULSE Webshell Activity M2 (set) M2 (trojan.rules)
2032912 - ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M2 (malware.rules)
2032913 - ET TROJAN [FIREEYE] SLIGHTPULSE Webshell Activity M3 (trojan.rules)
2032914 - ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1 (malware.rules)
2032915 - ET TROJAN Suspected HARDPULSE Request (trojan.rules)
2032916 - ET TROJAN Pingback Shell Command Issued (trojan.rules)
2032917 - ET TROJAN Pingback Download Command Issued (trojan.rules)
2032918 - ET TROJAN Pingback Upload Command Issued (trojan.rules)
2032919 - ET TROJAN Pingback Exec Command Issued (trojan.rules)
Pro:
2848411 - ETPRO MOBILE_MALWARE Android CleanCaco Reporting Device Details/Location (mobile_malware.rules)
2848412 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Hiddad.fw Checkin (mobile_malware.rules)
2848413 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.el Checkin (mobile_malware.rules)
2848414 - ETPRO TROJAN Observed Malicious SSL Cert (OrcusRAT) (trojan.rules)
2848415 - ETPRO POLICY Observed External IP Lookup Domain in TLS SNI (ipstack .com) (policy.rules)
2848416 - ETPRO TROJAN Avalon Stealer Variant CnC Exfil (trojan.rules)
2848417 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-05 1) (trojan.rules)
2848418 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-05 2) (trojan.rules)
2848419 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-05 3) (trojan.rules)
2848420 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-05 4) (trojan.rules)
2848421 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-05 5) (trojan.rules)
2848422 - ETPRO INFO Google Translate Redirect (info.rules)
2848423 - ETPRO POLICY External Domain Lookup to ipapi .co (policy.rules)
2848424 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848425 - ETPRO TROJAN zgRAT Activity (trojan.rules)
2848426 - ETPRO TROJAN PCAccelerate Pro Checkin (trojan.rules)
2848427 - ETPRO CURRENT_EVENTS Successful Standard Bank Phish 2021-05-05 (current_events.rules)
2848428 - ETPRO CURRENT_EVENTS Successful RBC Royal Bank Phish 2021-05-05 (current_events.rules)
[///] Modified active rules: [///]
2032786 - ET TROJAN Suspected PULSECHECK Webshell Access Inbound (trojan.rules)
2836270 - ETPRO TROJAN QuasarRAT/zgRAT C2 Activity (trojan.rules)
2847714 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-03-20 1) (trojan.rules)
[---] Removed rules: [---]
2848379 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-01 5) (trojan.rules)