[***] Summary: [***]
13 new OPEN, 28 new PRO (13 + 15) lolzilla WebSkimmer, AsyncRAT, Ceta/LokiRAT, Others.
Thanks @rootprivilege.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2032924 - ET INFO Suspicious GET Request for .x86 (info.rules)
2032925 - ET INFO Suspicious GET Request for .x64 (info.rules)
2032926 - ET INFO Possible Overflow Attempt - Abnormally Large SMTP EHLO Inbound (info.rules)
2032927 - ET MALWARE lolzilla JS/PHP WebSkimmer - Data Exfil (malware.rules)
2032928 - ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M1 (web_server.rules)
2032929 - ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M2 (web_server.rules)
2032930 - ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M3 (web_server.rules)
2032931 - ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M4 (web_server.rules)
2032932 - ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M5 (web_server.rules)
2032933 - ET TROJAN Observed Win32.Raccoon Stealer CnC Domain (number1g .top in TLS SNI) (trojan.rules)
2032934 - ET TROJAN Pingback Exep Command Issued (trojan.rules)
2032935 - ET TROJAN Pingback OK Issued (trojan.rules)
2032936 - ET TROJAN Suspected Sliver DNS CnC (trojan.rules)
Pro:
2848458 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848459 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848460 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848461 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848462 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848463 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848464 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848465 - ETPRO TROJAN MSIL/PSW.Agent.SGP CnC Exfil (trojan.rules)
2848466 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-06 1) (trojan.rules)
2848467 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-06 2) (trojan.rules)
2848468 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-06 3) (trojan.rules)
2848469 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-06 4) (trojan.rules)
2848470 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-06 5) (trojan.rules)
2848471 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-06 6) (trojan.rules)
2848473 - ETPRO TROJAN Ceta/LokiRAT Activity (POST) (trojan.rules)
[///] Modified active rules: [///]
2032886 - ET MALWARE TA471 Malicious AutoIT File Upload (malware.rules)
2032916 - ET TROJAN Pingback Shell Command Issued (trojan.rules)
2032917 - ET TROJAN Pingback Download Command Issued (trojan.rules)
2032918 - ET TROJAN Pingback Upload Command Issued (trojan.rules)
2032919 - ET TROJAN Pingback Exec Command Issued (trojan.rules)
2836270 - ETPRO TROJAN QuasarRAT/zgRAT C2 Activity (trojan.rules)
2848425 - ETPRO TROJAN zgRAT Activity (trojan.rules)
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team