[***] Summary: [***]

8 new OPEN, 16 new PRO (8 + 8). WaterDropX PRISM, PCShare, Ryuk,
Various CVEs, Others.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033266 - ET TROJAN Possible Siloscape IRC CnC JOIN Command Observed
(trojan.rules)
2033267 - ET INFO URL Shortening Service Domain in TLS SNI (coki
.me) (info.rules)
2033268 - ET POLICY Observed DNS Query to Coin Mining Domain
(nanopool .org) (policy.rules)
2033269 - ET USER_AGENTS WaterDropX PRISM UA Observed (user_agents.rules)
2033270 - ET TROJAN WaterDropX PRISM CnC Checkin (trojan.rules)
2033271 - ET TROJAN WaterDropX PRISM CnC Response (trojan.rules)
2033272 - ET EXPLOIT Unknown Command Injection Attempt Inbound
(Possible Mirai Activity) (exploit.rules)
2033273 - ET EXPLOIT Unknown Vulnerability Exploit Attempt (Possible
Mirai Activity) (exploit.rules)

Pro:

2849215 - ETPRO TROJAN Possible Ryuk SMB Activity (trojan.rules)
2849216 - ETPRO EXPLOIT D-Link DNS-320 FW Command Injection Inbound
(CVE-2020-25506) (exploit.rules)
2849217 - ETPRO EXPLOIT Micro Focus OBR Command Injection Inbound
(CVE-2021-22502) (exploit.rules)
2849218 - ETPRO POLICY External IP Lookup via ip. 360 .cn (policy.rules)
2849219 - ETPRO TROJAN PCShare RAT Heartbeat from CnC (trojan.rules)
2849220 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-07-06 1) (trojan.rules)
2849221 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-07-06 2) (trojan.rules)
2849222 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-07-06 3) (trojan.rules)

[///] Modified active rules: [///]

2000351 - ET TROJAN IRC Channel join on non-standard port (trojan.rules)
2001493 - ET MALWARE ISearchTech.com XXXPornToolbar Activity (IST)
(malware.rules)
2014439 - ET TROJAN IRC Bot Download http Command (trojan.rules)
2101729 - GPL CHAT IRC Channel join (chat.rules)
2803993 - ETPRO TROJAN not-a-virus.Hacktool.XBins Joining IRC
channel (trojan.rules)

[///] Modified inactive rules: [///]

2033246 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity -
AddPrinterDriverEx with Suspicious Filepath (policy.rules)

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
