[***] Summary: [***]

23 new OPEN, 50 new PRO (23 + 27). MS-RPRN Sig Set, Diavol, xCaon, Mirai, Others.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033223 - ET TROJAN Diavol CnC Checkin (trojan.rules)
2033224 - ET TROJAN Diavol Communicating with CnC - Register M1 (trojan.rules)
2033225 - ET TROJAN Diavol Communicating with CnC - Register M2 (trojan.rules)
2033226 - ET TROJAN Diavol Communicating with CnC - Key Request (trojan.rules)
2033227 - ET TROJAN Diavol Communicating with CnC - Services Request (trojan.rules)
2033228 - ET TROJAN Diavol Communicating with CnC - Priority Request (trojan.rules)
2033229 - ET TROJAN Diavol Communicating with CnC - Ignore Request (trojan.rules)
2033230 - ET TROJAN Diavol Communicating with CnC - Ext Request (trojan.rules)
2033231 - ET TROJAN Diavol Communicating with CnC - Wipe Request (trojan.rules)
2033232 - ET TROJAN Diavol Communicating with CnC - Landing Request (trojan.rules)
2033233 - ET TROJAN Diavol HTTP Cookie Observed (trojan.rules)
2033234 - ET TROJAN Observed DNS Query to Known Indexsinas CnC Domain (trojan.rules)
2033235 - ET TROJAN Observed DNS Query to Known Indexsinas CnC Domain (trojan.rules)
2033236 - ET EXPLOIT Possible REvil 0day Exploitation Activity Inbound (exploit.rules)
2033237 - ET TROJAN Mirai pTea Variant - Initial CnC Checkin Outbound (trojan.rules)
2033238 - ET TROJAN Mirai pTea Variant - Initial CnC Checkin Inbound (trojan.rules)
2033239 - ET TROJAN Mirai pTea Variant - Bot Upload Command Outbound (trojan.rules)
2033240 - ET TROJAN Mirai pTea Variant - Info Submission Outbound (trojan.rules)
2033241 - ET TROJAN Mirai pTea Variant - Info Submission Inbound (trojan.rules)
2033242 - ET TROJAN Mirai pTea Variant - Attack Command Outbound (trojan.rules)
2033243 - ET TROJAN Mirai pTea Variant - Attack Command Inbound (trojan.rules)
2033244 - ET TROJAN Mirai pTea Variant - Bot Upload Command Inbound (trojan.rules)
2033245 - ET TROJAN xCaon Embedded Encrypted Command in Webpage (trojan.rules)

Pro:

2849173 - ETPRO POLICY Observed Windows Printer Spooler Activity - AddPrinterDriver (policy.rules)
2849174 - ETPRO POLICY Observed Windows Printer Spooler Activity - EnumPrinterDrivers (policy.rules)
2849175 - ETPRO POLICY Observed Windows Printer Spooler Activity - GetPrinterDriver (policy.rules)
2849176 - ETPRO POLICY Observed Windows Printer Spooler Activity - GetPrinterDriverDirectory (policy.rules)
2849177 - ETPRO POLICY Observed Windows Printer Spooler Activity - DeletePrinterDriver (policy.rules)
2849178 - ETPRO POLICY Observed Windows Printer Spooler Activity - GetPrinterDriver2 (policy.rules)
2849179 - ETPRO POLICY Observed Windows Printer Spooler Activity - DeletePrinterDriverEx (policy.rules)
2849180 - ETPRO POLICY Observed Windows Printer Spooler Activity - GetCorePrinterDrivers (policy.rules)
2849181 - ETPRO POLICY Observed Windows Printer Spooler Activity - GetPrinterDriverPackagePath (policy.rules)
2849182 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-02 1) (trojan.rules)
2849183 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-02 2) (trojan.rules)
2849184 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-02 3) (trojan.rules)
2849185 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-02 4) (trojan.rules)
2849186 - ETPRO TROJAN MSIL/NegaSteal.DYSHPID CnC Checkin (trojan.rules)
2849187 - ETPRO MALWARE Win32/BrowserPassView Data Exfil via HTTP (malware.rules)
2849188 - ETPRO TROJAN Win32/VB.NBI Data Exfil via HTTP (trojan.rules)
2849189 - ETPRO POLICY ELF64/SystemPatrol Submitting System Info to CnC (policy.rules)
2849190 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-04 1) (trojan.rules)
2849191 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-04 2) (trojan.rules)
2849192 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-04 3) (trojan.rules)
2849193 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-04 4) (trojan.rules)
2849194 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-04 5) (trojan.rules)
2849195 - ETPRO POLICY Observed SSL Cert (Link Shortening Service - Vsit) (policy.rules)
2849196 - ETPRO POLICY Inbound Batch Script Deleting IIS Log Directory (policy.rules)
2849197 - ETPRO POLICY Inbound Batch Script Deleting Log Files (policy.rules)
2849198 - ETPRO TROJAN Win32/Remcos RAT Checkin 728 (trojan.rules)
2849199 - ETPRO USER_AGENTS Win32/Downloader.Agent.BXB UA Observed (user_agents.rules)

[---] Disabled and modified rules: [---]

2849129 - ETPRO POLICY Observed Windows Printer Spooler Activity - AddPrinterDriverEx (policy.rules)
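The added and modified entries above are what a ruleset manager has to act on, and the two sections call for different actions: new SIDs get enabled or suppressed per local policy, while a modified SID means any local override of that rule needs re-review. The following is an added example, not part of this notice and not Emerging Threats or Proofpoint tooling: a small Python parser that rejoins entries the mailer wrapped across two lines, splits Open from Pro, keeps the modified SID apart from the added ones, and cross-checks the header counts against what was actually listed. The abridged notice it parses is constructed from a handful of this mail's own entries with the header counts reduced to match; the regexes and function names are this example's own assumptions about the mail format, not a published specification.

```python
"""Parse an Emerging Threats daily rule-update notice into SID records.

Added example, not the notice's own content. The format assumptions
(entry line shape, header count line, section markers) are this
example's own, inferred from the mail, not a published spec.
"""
import re
from dataclasses import dataclass

ENTRY_START_RE = re.compile(r"^\d{7} - ")
ENTRY_RE = re.compile(
    r"^(?P<sid>\d{7}) - (?P<prefix>ET|ETPRO) (?P<category>[A-Z_]+) "
    r"(?P<msg>.+?) \((?P<file>[a-z_]+\.rules)\)$"
)
# Header form, e.g. "23 new OPEN, 50 new PRO (23 + 27)": PRO is Open + Pro-only.
SUMMARY_RE = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")


@dataclass(frozen=True)
class RuleEntry:
    sid: int
    ruleset: str    # "Open" or "Pro"
    action: str     # "added" or "modified"
    category: str   # TROJAN, POLICY, EXPLOIT, ...
    msg: str
    rule_file: str


def _unwrap(lines):
    """Rejoin entries the mailer wrapped. An entry is complete once it ends
    in '(<file>.rules)'; until then, following non-entry lines belong to it."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        open_entry = (out and ENTRY_START_RE.match(out[-1])
                      and not out[-1].endswith(".rules)"))
        starts_new = ENTRY_START_RE.match(line) or line.startswith("[")
        if open_entry and not starts_new:
            out[-1] = out[-1] + " " + line
        else:
            out.append(line)
    return out


def parse_notice(text):
    """Walk the [+++] / [---] sections and the Open:/Pro: sublists."""
    entries = []
    action = ruleset = None
    for line in _unwrap(text.splitlines()):
        if line.startswith("[+++]"):
            action = "added"
            continue
        if line.startswith("[---]"):
            action, ruleset = "modified", None  # no Open:/Pro: sublabels here
            continue
        if line in ("Open:", "Pro:"):
            ruleset = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and action:
            rs = ruleset or ("Pro" if m["prefix"] == "ETPRO" else "Open")
            entries.append(RuleEntry(int(m["sid"]), rs, action,
                                     m["category"], m["msg"], m["file"]))
    return entries


def check_summary(text, entries):
    """Compare the header counts with the added entries actually listed."""
    m = SUMMARY_RE.search(text)
    if not m:
        return None
    open_claimed, pro_claimed, open_part, pro_only_part = map(int, m.groups())
    added = [e for e in entries if e.action == "added"]
    n_open = sum(e.ruleset == "Open" for e in added)
    n_pro = sum(e.ruleset == "Pro" for e in added)
    return {
        "open_listed": n_open,
        "pro_only_listed": n_pro,
        "open_ok": n_open == open_claimed == open_part,
        "pro_ok": n_pro == pro_only_part and open_part + pro_only_part == pro_claimed,
    }


# Constructed, abridged notice: a few of this mail's own entries (including
# wrapped ones) with the header counts reduced to match the abridged list.
SAMPLE_NOTICE = """\
[***] Summary: [***]

2 new OPEN, 4 new PRO (2 + 2). MS-RPRN Sig Set, Diavol, Others.

[+++] Added rules: [+++]

Open:

2033223 - ET TROJAN Diavol CnC Checkin (trojan.rules)
2033227 - ET TROJAN Diavol Communicating with CnC - Services Request
(trojan.rules)

Pro:

2849173 - ETPRO POLICY Observed Windows Printer Spooler Activity -
AddPrinterDriver (policy.rules)
2849198 - ETPRO TROJAN Win32/Remcos RAT Checkin 728 (trojan.rules)

[---] Disabled and modified rules: [---]

2849129 - ETPRO POLICY Observed Windows Printer Spooler Activity -
AddPrinterDriverEx (policy.rules)

James Emery-Callcott
Security Researcher | Proofpoint Inc | Emerging Threats Team
"""

if __name__ == "__main__":
    found = parse_notice(SAMPLE_NOTICE)
    for e in found:
        print(f"{e.action:8} {e.ruleset:4} {e.sid} {e.category:8} {e.msg}")
    print(check_summary(SAMPLE_NOTICE, found))
```

Feeding the full mail instead of SAMPLE_NOTICE gives one record per SID with the modified 2849129 tagged separately from the 23 Open and 27 Pro additions; the trailing signature is ignored because continuation lines are only absorbed while an entry has not yet reached its "(<file>.rules)" terminator.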

James Emery-Callcott
Security Researcher | Proofpoint Inc | Emerging Threats Team
