[***] Summary: [***]

26 new OPEN, 40 new PRO (26 + 14). UDP Technology Firmware CVEs,
Cobalt Strike, BIOPASS RAT, Android/Agent.BQX, Others.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033287 - ET INFO jpg download from fileupload .site (info.rules)
2033288 - ET INFO URL Shortening Service Domain in TLS SNI (hyp .ae)
(info.rules)
2033289 - ET TROJAN Malicious Dropper Activity (GET) (trojan.rules)
2033290 - ET TROJAN Cobalt Strike Beacon Activity (GET) (trojan.rules)
2033291 - ET TROJAN Cobalt Strike Beacon Activity (GET) (trojan.rules)
2033292 - ET TROJAN BIOPASS RAT Related Domain in DNS Lookup (0x3s
.com) (trojan.rules)
2033293 - ET TROJAN BIOPASS RAT Python Activity (GET) (trojan.rules)
2033294 - ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi
RCE via Command Injection Attempt Outbound (CVE-2021-33544)
(exploit.rules)
2033295 - ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi
RCE via Command Injection Attempt Inbound (CVE-2021-33544)
(exploit.rules)
2033296 - ET EXPLOIT UDP Technology Firmware (IP Cam) - factory.cgi
RCE via Command Injection Attempt Outbound (CVE-2021-33544)
(exploit.rules)
2033297 - ET EXPLOIT UDP Technology Firmware (IP Cam) - factory.cgi
RCE via Command Injection Attempt Inbound (CVE-2021-33544)
(exploit.rules)
2033298 - ET EXPLOIT UDP Technology Firmware (IP Cam) - language.cgi
RCE via Command Injection Attempt Outbound (CVE-2021-33544)
(exploit.rules)
2033299 - ET EXPLOIT UDP Technology Firmware (IP Cam) - language.cgi
RCE via Command Injection Attempt Inbound (CVE-2021-33544)
(exploit.rules)
2033300 - ET EXPLOIT UDP Technology Firmware (IP Cam) - oem.cgi RCE
via Command Injection Attempt Outbound (CVE-2021-33544)
(exploit.rules)
2033301 - ET EXPLOIT UDP Technology Firmware (IP Cam) - oem.cgi RCE
via Command Injection Attempt Inbound (CVE-2021-33544) (exploit.rules)
2033302 - ET EXPLOIT UDP Technology Firmware (IP Cam) -
simple_reclistjs.cgi RCE via Command Injection Attempt Outbound
(CVE-2021-33544) (exploit.rules)
2033303 - ET EXPLOIT UDP Technology Firmware (IP Cam) -
simple_reclistjs.cgi RCE via Command Injection Attempt Inbound
(CVE-2021-33544) (exploit.rules)
2033304 - ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi
RCE via Command Injection Attempt Outbound (CVE-2021-33544)
(exploit.rules)
2033305 - ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi
RCE via Command Injection Attempt Inbound (CVE-2021-33544)
(exploit.rules)
2033306 - ET EXPLOIT UDP Technology Firmware (IP Cam) - tmpapp.cgi
RCE via Command Injection Attempt Outbound (CVE-2021-33544)
(exploit.rules)
2033307 - ET EXPLOIT UDP Technology Firmware (IP Cam) - tmpapp.cgi
RCE via Command Injection Attempt Inbound (CVE-2021-33544)
(exploit.rules)
2033308 - ET EXPLOIT UDP Technology Firmware (IP Cam) - Auth Bypass
Attempt Outbound (CVE-2021-33543) (exploit.rules)
2033309 - ET EXPLOIT UDP Technology Firmware (IP Cam) - Auth Bypass
Attempt Inbound (CVE-2021-33543) (exploit.rules)
2033310 - ET TROJAN BIOPASS RAT Go Activity (GET) (trojan.rules)
2033311 - ET EXPLOIT UDP Technology Firmware (IP Cam) - Possible
Stack Buffer Overflow Attempt Outbound (Multiple CVE IDs)
(exploit.rules)
2033312 - ET EXPLOIT UDP Technology Firmware (IP Cam) - Possible
Stack Buffer Overflow Attempt Inbound (Multiple CVE IDs)
(exploit.rules)

Pro:

2849238 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish
2021-07-09 (current_events.rules)
2849239 - ETPRO CURRENT_EVENTS Successful Huntington Bank Phish
2021-07-09 (current_events.rules)
2849240 - ETPRO CURRENT_EVENTS Successful Desert Financial Credit
Union 2021-07-09 (current_events.rules)
2849241 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-07-09 1) (trojan.rules)
2849242 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-07-09 2) (trojan.rules)
2849243 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-07-09 3) (trojan.rules)
2849244 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-07-09 4) (trojan.rules)
2849245 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 158
(mobile_malware.rules)
2849246 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 159
(mobile_malware.rules)
2849247 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 160
(mobile_malware.rules)
2849248 - ETPRO INFO Suspicious Zipped Filename in Outbound POST
Request (Clipboard.txt) M2 (info.rules)
2849249 - ETPRO INFO Suspicious Zipped Filename in Outbound POST
Request (Cookies [Chrome]#) (info.rules)
2849250 - ETPRO INFO Suspicious Zipped Filename in Outbound POST
Request (Cookies [Firefox]#) (info.rules)
2849251 - ETPRO INFO Suspicious Zipped Filename in Outbound POST
Request (Discord Token(s).txt) (info.rules)

[+++] Enabled rules: [+++]

2033246 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity -
AddPrinterDriverEx with Suspicious Filepath (policy.rules)

[+++] Enabled and modified rules: [+++]

2033255 - ET POLICY [MS-PAR] Windows Printer Spooler Activity -
RpcAsyncAddPrinterDriver (policy.rules)

[///] Modified active rules: [///]

2033087 - ET TROJAN Win32/DCRat CnC Exfil (trojan.rules)

[///] Modified inactive rules: [///]

2033254 - ET POLICY [MS-PAR] Windows Printer Spooler Activity -
RpcAsyncEnumPrinterDrivers (policy.rules)
2033256 - ET POLICY [MS-PAR] Windows Printer Spooler Activity -
RpcAsyncGetPrinterDriver (policy.rules)
2033257 - ET POLICY [MS-PAR] Windows Printer Spooler Activity -
RpcAsyncGetPrinterDriverDirectory (policy.rules)
2033258 - ET POLICY [MS-PAR] Windows Printer Spooler Activity -
RpcAsyncDeletePrinterDriver (policy.rules)
2033259 - ET POLICY [MS-PAR] Windows Printer Spooler Activity -
RpcAsyncDeletePrinterDriverEx (policy.rules)
2033262 - ET POLICY [MS-PAR] Windows Printer Spooler Activity -
RpcAsyncGetCorePrinterDrivers (policy.rules)
2033263 - ET POLICY [MS-PAR] Windows Printer Spooler Activity -
RpcAsyncCorePrinterDriverInstalled (policy.rules)
2033264 - ET POLICY [MS-PAR] Windows Printer Spooler Activity -
RpcAsyncGetPrinterDriverPackagePath (policy.rules)
2033265 - ET POLICY [MS-PAR] Windows Printer Spooler Activity -
RpcAsyncDeletePrinterDriverPackage (policy.rules)
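Checking that an update like this one actually landed, as an added example written for this page (not Proofpoint/ET tooling): the script below parses the plain-text sections of the notice into per-SID records, rejoins the rule names that the mail wraps across lines, and lists the "Added" SIDs that are not active in a local ruleset. The NOTICE excerpt is taken from the notice above; LOCAL_RULES is a constructed placeholder whose rule bodies are not the real ET signatures, and a "#"-prefixed rule is counted as present-but-disabled rather than deployed.

```python
"""Parse an Emerging Threats update notice and diff its Added SIDs against a
local ruleset. Illustrative code added for this page, not ET tooling."""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^\[(?:\+\+\+|///)\]\s+(.*?):\s+\[(?:\+\+\+|///)\]$")
ENTRY_RE = re.compile(r"^(\d{7,})\s+-\s+(.*)$")   # "2033290 - ET TROJAN ..."
FILE_RE = re.compile(r"\((\w+\.rules)\)\s*$")      # trailing "(trojan.rules)"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")      # sid keyword inside a rule


@dataclass
class RuleEntry:
    sid: int
    section: str     # "Added rules", "Enabled rules", "Modified active rules", ...
    feed: str        # "open" / "pro" under "Added rules", else ""
    name: str        # rule message with the mail's line wrapping undone
    rules_file: str  # e.g. "exploit.rules"


def parse_update(text: str) -> list[RuleEntry]:
    entries, section, feed, current = [], "", "", None

    def flush():
        nonlocal current
        if current is None:
            return
        sid, frags = current
        name = " ".join(f.strip() for f in frags)
        m = FILE_RE.search(name)
        rules_file = m.group(1) if m else ""
        if m:
            name = name[:m.start()].rstrip()
        entries.append(RuleEntry(sid, section, feed, name, rules_file))
        current = None

    for line in text.splitlines():
        line = line.rstrip()
        if (m := SECTION_RE.match(line)):
            flush()
            section, feed = m.group(1), ""
        elif line in ("Open:", "Pro:"):
            flush()
            feed = line[:-1].lower()
        elif (m := ENTRY_RE.match(line)):
            flush()
            current = (int(m.group(1)), [m.group(2)])
        elif line and current is not None:
            current[1].append(line)   # wrapped continuation of the rule name
        else:
            flush()                   # blank line ends the current entry
    flush()
    return entries


def active_sids(rules_text: str) -> set[int]:
    """SIDs of enabled rules; a '#'-prefixed rule is present but disabled."""
    sids = set()
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if (m := SID_RE.search(line)):
            sids.add(int(m.group(1)))
    return sids


def missing_added(entries: list[RuleEntry], rules_text: str, feed: str = "open") -> list[int]:
    """Added SIDs from the notice that are not active in the local ruleset."""
    have = active_sids(rules_text)
    return sorted(e.sid for e in entries
                  if e.section == "Added rules" and e.feed == feed and e.sid not in have)


# Excerpt of the notice above, trimmed to a few entries.
NOTICE = """\
[+++] Added rules: [+++]

Open:

2033288 - ET INFO URL Shortening Service Domain in TLS SNI (hyp .ae)
(info.rules)
2033290 - ET TROJAN Cobalt Strike Beacon Activity (GET) (trojan.rules)
2033294 - ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi
RCE via Command Injection Attempt Outbound (CVE-2021-33544)
(exploit.rules)

Pro:

2849238 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish
2021-07-09 (current_events.rules)

[+++] Enabled rules: [+++]

2033246 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity -
AddPrinterDriverEx with Suspicious Filepath (policy.rules)
"""

# Constructed placeholder ruleset: only the sid values matter, the bodies are fake.
LOCAL_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"placeholder"; sid:2033290; rev:1;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder"; sid:2033294; rev:1;)
alert tcp any any -> any any (msg:"placeholder"; sid:2033246; rev:1;)
"""

if __name__ == "__main__":
    for e in parse_update(NOTICE):
        print(e.sid, e.section, e.feed or "-", e.rules_file, "|", e.name)
    print("added but not active locally:", missing_added(parse_update(NOTICE), LOCAL_RULES))
```

On a real deployment, feed the whole mail to parse_update and the concatenated *.rules files to missing_added; the "Enabled rules" and "Modified" sections parse the same way, so the same records can drive a check that a rule the update enabled is no longer commented out locally.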

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team