[***] Summary: [***]

10 new OPEN, 13 new PRO (10 + 3). Lemon_Duck, Raccoon Stealer,
Cobalt Strike, Others.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033013 - ET EXPLOIT QNAP MusicStation Pre-Auth RCE Inbound
(CVE-2020-36197) (exploit.rules)
2033014 - ET TROJAN Observed Win32.Raccoon Stealer CnC Domain
(number2g .top in TLS SNI) (trojan.rules)
2033015 - ET TROJAN Observed Win32.Raccoon Stealer CnC Domain
(genericalphabet .top in TLS SNI) (trojan.rules)
2033016 - ET TROJAN Teslarvng Ransomware CnC Activity M1 (trojan.rules)
2033017 - ET TELNET Teslarvng Ransomware CnC Activity M2 (telnet.rules)
2033018 - ET TROJAN Teslarvng Ransomware CnC Activity M3 (trojan.rules)
2033019 - ET TROJAN Lemon_Duck Powershell CnC Activity M14 (trojan.rules)
2033020 - ET TROJAN Lemon_Duck Powershell CnC Checkin M6 (trojan.rules)
2033021 - ET TROJAN Lemon_Duck Powershell CnC Activity M15 (trojan.rules)
2033022 - ET TROJAN Suspected Gootkit Activity (trojan.rules)

Pro:

2848645 - ETPRO TROJAN Win32/Remcos RAT Checkin 721 (trojan.rules)
2848646 - ETPRO CURRENT_EVENTS Successful Bank of America Phish
2021-05-24 (current_events.rules)
2848647 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish
2021-05-24 (current_events.rules)

[///] Modified active rules: [///]

2016476 - ET TROJAN CommentCrew Possible APT c2 communications get
system (trojan.rules)
2016477 - ET TROJAN CommentCrew Possible APT c2 communications html
return 1 (trojan.rules)
2016478 - ET TROJAN CommentCrew Possible APT c2 communications sleep
(trojan.rules)
2016479 - ET TROJAN CommentCrew Possible APT c2 communications
sleep2 (trojan.rules)
2016480 - ET TROJAN CommentCrew Possible APT c2 communications
sleep3 (trojan.rules)
2016482 - ET TROJAN CommentCrew Possible APT c2 communications
sleep5 (trojan.rules)
2016483 - ET TROJAN CommentCrew Possible APT c2 communications
download client.png (trojan.rules)
2016488 - ET TROJAN CommentCrew Possible APT c2 communications get
command client key (trojan.rules)
2027147 - ET TROJAN Win32/Beapy/Lemon_Duck CnC Checkin (trojan.rules)
2028589 - ET TROJAN [TGI] Cobalt Strike Malleable C2 Response (O365
Profile) M2 (trojan.rules)
2028590 - ET TROJAN [TGI] Cobalt Strike Malleable C2 Response
(YouTube Profile) (trojan.rules)
2029740 - ET TROJAN Cobalt Strike Malleable C2 (Havex APT) (trojan.rules)
2029741 - ET TROJAN Cobalt Strike Malleable C2 (Magnitude EK) (trojan.rules)
2030344 - ET TROJAN Cobalt Strike Malleable C2 (Safebrowse Profile)
POST (trojan.rules)
2030347 - ET TROJAN Cobalt Strike Malleable C2 (Safebrowse Profile)
GET (trojan.rules)
2031084 - ET TROJAN Bazaloader Variant Activity (trojan.rules)
2031085 - ET TROJAN Bazaloader Variant Activity (trojan.rules)
2032746 - ET TROJAN Cobalt Strike Malleable C2 (QiHoo Profile) (trojan.rules)
2032747 - ET TROJAN Cobalt Strike Malleable C2 (MSDN Query Profile)
(trojan.rules)
2032748 - ET TROJAN Cobalt Strike Malleable C2 Webbug Profile (trojan.rules)
2032749 - ET TROJAN Cobalt Strike Malleable C2 Amazon Profile (trojan.rules)
2032750 - ET TROJAN Cobalt Strike Malleable C2 OCSP Profile (trojan.rules)
2827560 - ETPRO TROJAN Cobalt Strike Malleable C2 Custom Profile
(trojan.rules)
2833643 - ETPRO TROJAN Cobalt Strike Malleable C2 JQuery Custom
Profile (trojan.rules)
2838832 - ETPRO TROJAN Win32/Cobalt Strike Malleable C2 CnC Activity
(trojan.rules)
2839361 - ETPRO TROJAN Buran Ransomware Activity M3 (trojan.rules)
2842090 - ETPRO TROJAN BazaLoader CnC (Download Request) (trojan.rules)
2843033 - ETPRO TROJAN BazaLoader Variant CnC Activity M1 (trojan.rules)
2843978 - ETPRO TROJAN CobaltStrike Malleable C2 Activity (OCSP
Profile) (trojan.rules)
2844588 - ETPRO TROJAN Cobalt Strike Malleable C2 JQuery Custom
Profile M2 (trojan.rules)
2844618 - ETPRO TROJAN Cobalt Strike Malleable C2 (Unknown/Custom
Profile) (trojan.rules)
2844765 - ETPRO TROJAN Possible Bazaloader CnC Activity M1 (trojan.rules)
2844766 - ETPRO TROJAN Bazaloader CnC Activity M2 (trojan.rules)
2844961 - ETPRO TROJAN Cobalt Strike Malleable C2 (MS Azure Backup
Profile) (trojan.rules)
2844991 - ETPRO TROJAN Bazaloader Variant CnC Activity (trojan.rules)
2844992 - ETPRO TROJAN Bazaloader Variant CnC Activity (trojan.rules)
2844993 - ETPRO TROJAN Bazaloader Variant CnC Activity (trojan.rules)
2845090 - ETPRO TROJAN Cobalt Strike Malleable C2 (Microsoft CDN
Profile) (trojan.rules)
2845138 - ETPRO TROJAN Cobalt Strike Malleable C2 (Pingan Profile)
(trojan.rules)
2845139 - ETPRO TROJAN Cobalt Strike Malleable C2 (Unknown Profile)
(trojan.rules)
2845168 - ETPRO TROJAN Cobalt Strike Malleable C2 (JQuery Profile)
M3 (trojan.rules)
2845245 - ETPRO TROJAN Bazaloader CnC Activity M4 (trojan.rules)
2845963 - ETPRO TROJAN Cobalt Strike Malleable C2 (Custom Webex
Profile) (trojan.rules)
2846236 - ETPRO TROJAN Observed BazaLoader Domain in TLS SNI (trojan.rules)
2846237 - ETPRO TROJAN Observed BazaLoader Domain in TLS SNI (trojan.rules)
2846238 - ETPRO TROJAN Observed BazaLoader Domain in TLS SNI (trojan.rules)
2846239 - ETPRO TROJAN BazaLoader CnC Activity (trojan.rules)
2847954 - ETPRO TROJAN Cobalt Strike Malleable C2 (Unknown Profile)
(trojan.rules)
2848148 - ETPRO TROJAN Possible BazaLoader OpenNIC Request (trojan.rules)
2848521 - ETPRO TROJAN Cobalt Strike Malleable C2 (Unknown Profile)
(trojan.rules)

[///] Modified inactive rules: [///]

2826029 - ETPRO TROJAN Malicious SSL Certificate Observed
(IcedID/BokBot CnC) (trojan.rules)

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
