[***] Summary: [***]
10 new OPEN, 25 new PRO (10 + 15). DonotGroup, CryptoMimic, BazaLoader, Various CVEs, Others.
Thanks: @malware_traffic, @cyberoverdrive
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2033277 - ET TROJAN Observed Malicious SSL Cert (CryptoMimic Staging CnC) (trojan.rules)
2033278 - ET TROJAN Observed Malicious SSL Cert (CryptoMimic Staging CnC) (trojan.rules)
2033279 - ET TROJAN BazaLoader Activity (GET) (trojan.rules)
2033280 - ET EXPLOIT OptiLink ONT1GEW GPON RCE Inbound (exploit.rules)
2033281 - ET EXPLOIT OptiLink ONT1GEW GPON RCE Outbound (exploit.rules)
2033282 - ET EXPLOIT Cisco HyperFlex HX RCE Inbound (CVE-2021-1498) (exploit.rules)
2033283 - ET EXPLOIT Cisco HyperFlex HX RCE Outbound (CVE-2021-1498) (exploit.rules)
2033284 - ET EXPLOIT Trenda Router AC11 RCE Inbound (CVE-2021-31755) (exploit.rules)
2033285 - ET EXPLOIT Trenda Router AC11 RCE Outbound (CVE-2021-31755) (exploit.rules)
2033286 - ET CURRENT_EVENTS Observed Malicious SSL Cert (NHS UK Covid Passport Phish) (current_events.rules)
Pro:
2849223 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-07 1) (trojan.rules)
2849224 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-07 2) (trojan.rules)
2849225 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-07 3) (trojan.rules)
2849226 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-07 4) (trojan.rules)
2849227 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-07 5) (trojan.rules)
2849228 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-07 6) (trojan.rules)
2849229 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-07 7) (trojan.rules)
2849230 - ETPRO TROJAN DonotGroup Kaspov Stage1 Activity (GET) (trojan.rules)
2849231 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 154 (mobile_malware.rules)
2849232 - ETPRO TROJAN DonotGroup Kaspov Stage2 Activity (GET) (trojan.rules)
2849235 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 155 (mobile_malware.rules)
2849236 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 156 (mobile_malware.rules)
2849237 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 157 (mobile_malware.rules)
[///] Modified inactive rules: [///]
2033246 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - AddPrinterDriverEx with Suspicious Filepath (policy.rules)
2849129 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx (policy.rules)
2849173 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriver (policy.rules)
2849174 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcEnumPrinterDrivers (policy.rules)
2849175 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriver (policy.rules)
2849176 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriverDirectory (policy.rules)
2849177 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcDeletePrinterDriver (policy.rules)
2849178 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriver2 (policy.rules)
2849179 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcDeletePrinterDriverEx (policy.rules)
2849180 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetCorePrinterDrivers (policy.rules)
2849181 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriverPackagePath (policy.rules)
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team