[***] Summary: [***]

9 new OPEN, 28 new PRO (9 + 19). SolarWinds Orion RCE (CVE-2021-31474),
PerSwaysion, Proverkalogov Stealer, CotX - APT, CoinMiners, Various
Suspicious CharCode PowerShell Snippets.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033035 - ET EXPLOIT Possible SolarWinds Orion RCE Inbound
(CVE-2021-31474) (exploit.rules)
2033036 - ET CURRENT_EVENTS PerSwaysion Landing Page
(current_events.rules)
2033037 - ET CURRENT_EVENTS PerSwaysion Javascript Response
(current_events.rules)
2033038 - ET TROJAN Unknown Actor Targeting Minority Groups Activity
(GET) (trojan.rules)
2033039 - ET TROJAN Observed Malicious Domain Targeting Minority Groups
(officemodel .org in TLS SNI) (trojan.rules)
2033040 - ET TROJAN Unknown Actor Targeting Minority Groups Activity
(POST) (trojan.rules)
2033041 - ET TROJAN Observed Malicious Domain Targeting Minority Groups
(tcahf .org in TLS SNI) (trojan.rules)
2033042 - ET TROJAN Observed Malicious Domain Targeting Minority Groups
Domain (unohcr .org in TLS SNI) (trojan.rules)
2033043 - ET TROJAN Unknown Actor Targeting Minority Groups CnC Activity
(trojan.rules)

Pro:

2848735 - ETPRO TROJAN Proverkalogov Stealer CnC Checkin (trojan.rules)
2848736 - ETPRO TROJAN Proverkalogov Stealer CnC Exfil (trojan.rules)
2848737 - ETPRO TROJAN Malicious SSL/TLS Certificate Observed (CotX - APT
Activity) (trojan.rules)
2848738 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-05-27 1) (trojan.rules)
2848739 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-05-27 2) (trojan.rules)
2848740 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-05-27 3) (trojan.rules)
2848741 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-05-27 4) (trojan.rules)
2848742 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-05-27 5) (trojan.rules)
2848743 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-05-27 6) (trojan.rules)
2848744 - ETPRO POLICY Suspicious CharCode PowerShell Snippet Inbound
(function) (policy.rules)
2848745 - ETPRO POLICY Suspicious CharCode PowerShell Snippet Inbound
(reverse function) (policy.rules)
2848746 - ETPRO POLICY Suspicious CharCode PowerShell Snippet Inbound
(FromBase64String) (policy.rules)
2848747 - ETPRO POLICY Suspicious CharCode PowerShell Snippet Inbound
(reverse FromBase64String) (policy.rules)
2848748 - ETPRO POLICY Suspicious CharCode PowerShell Snippet Inbound
(DownloadString) (policy.rules)
2848749 - ETPRO POLICY Suspicious CharCode PowerShell Snippet Inbound
(reverse DownloadString) (policy.rules)
2848750 - ETPRO POLICY Suspicious CharCode PowerShell Snippet Inbound
(Array Reverse) (policy.rules)
2848751 - ETPRO POLICY Suspicious CharCode PowerShell Snippet Inbound
(reverse Array Reverse) (policy.rules)
2848752 - ETPRO POLICY Suspicious CharCode PowerShell Snippet Inbound
(EntryPoint Invoke) (policy.rules)
2848753 - ETPRO POLICY Suspicious CharCode PowerShell Snippet Inbound
(reverse EntryPoint Invoke) (policy.rules)
