[***] Summary: [***]
14 new OPEN, 31 new PRO (14 + 17). Gelsemium, JBoss RCE, Puzzlemaker, Others.
Thanks @ShadowChasing1.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2033118 - ET EXPLOIT Jboss RCE (CVE-2017-12149) (exploit.rules)
2033119 - ET INFO Observed DNS Query to DDNS Domain .dns1 .us (info.rules)
2033120 - ET INFO Observed DNS Query to DDNS Domain .otzo .com (info.rules)
2033121 - ET INFO Observed DNS Query to DDNS Domain .zyns .com (info.rules)
2033122 - ET INFO Observed DNS Query to DDNS Domain .zzux .com (info.rules)
2033123 - ET TROJAN Observed DNS Query to Known Gelsemium CnC (trojan.rules)
2033124 - ET TROJAN Observed DNS Query to Known Gelsemium CnC (trojan.rules)
2033125 - ET TROJAN Observed DNS Query to Known Gelsemium CnC (trojan.rules)
2033126 - ET TROJAN Observed DNS Query to Known Gelsemium CnC (trojan.rules)
2033127 - ET TROJAN Observed Puzzlemaker Remote Shell Domain (media-seoengine .com in TLS SNI) (trojan.rules)
2033128 - ET TROJAN Possible Puzzlemaker Remote Shell Activity (GET) (trojan.rules)
2033129 - ET TROJAN DonotGroup Maldoc Activity (GET) (trojan.rules)
2033130 - ET MALWARE Win32/Spy.Agent.QCL Variant Activity (POST) (malware.rules)
2033131 - ET MALWARE Win32/Spy.Agent.QCL Variant Activity (POST) M2 (malware.rules)
Pro:
2848880 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.CX CnC Beacon (mobile_malware.rules)
2848881 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848882 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848883 - ETPRO TROJAN Win32/PSW.WOW.NVY CnC Checkin (trojan.rules)
2848884 - ETPRO USER_AGENTS Observed MalDoc Downloader User-Agent (user_agents.rules)
2848885 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-09 1) (trojan.rules)
2848886 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-09 2) (trojan.rules)
2848887 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-09 3) (trojan.rules)
2848888 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-09 4) (trojan.rules)
2848889 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-09 5) (trojan.rules)
2848890 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-06-09 6) (trojan.rules)
2848891 - ETPRO TROJAN ELF/Mirai Outbound Scanning for Netlink GPON Routers (trojan.rules)
2848892 - ETPRO TROJAN ELF/Mirai Inbound Scanning for Netlink GPON Routers (trojan.rules)
2848893 - ETPRO TROJAN Gelsemium Payload CnC Checkin (trojan.rules)
2848894 - ETPRO POLICY Outbound H.323 Q.931 FACILITY Packet - Possible Low Port Slipstreaming Attempt (policy.rules)
2848895 - ETPRO POLICY Inbound H.323 Q.931 FACILITY Packet - Possible Low Port Slipstreaming Attempt (policy.rules)
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team