[***] Summary: [***]

3 new OPEN, 20 new PRO (3 + 17). JobRat, Adobe Acrobat Reader
CVE-2021-28635 and CVE-2021-28640, AsyncRAT, and Android Joker.FF.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033318 - ET TROJAN Observed Malicious SSL Cert (Maldoc/Zloader CnC)
(trojan.rules)
2033319 - ET MOBILE_MALWARE PJobRat System Exfil to CnC (mobile_malware.rules)
2033320 - ET MOBILE_MALWARE PJobRat CnC Checkin (mobile_malware.rules)

Pro:

2849259 - ETPRO EXPLOIT Adobe Acrobat/Acrobat Reader DC AcroForm
Use-After-Free Inbound (CVE-2021-28635) (exploit.rules)
2849260 - ETPRO EXPLOIT Adobe Acrobat Reader EScript.api
Use-After-Free Inbound (CVE-2021-28640) (exploit.rules)
2849261 - ETPRO CURRENT_EVENTS Successful Huntington Bank Phish
2021-07-13 (current_events.rules)
2849262 - ETPRO CURRENT_EVENTS Successful Chase Bank Phish
2021-07-13 (current_events.rules)
2849263 - ETPRO INFO Suspicious Powershell String Observed Inbound
(netsh Usage) (info.rules)
2849264 - ETPRO INFO Suspicious Powershell String Observed Inbound
(DownloadFile to Extension Usage) (info.rules)
2849265 - ETPRO INFO Suspicious Powershell String Observed Inbound
(reg add Run Usage) (info.rules)
2849266 - ETPRO INFO Suspicious Powershell String Observed Inbound
(schtasks Usage) (info.rules)
2849267 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849268 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849269 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849270 - ETPRO MOBILE_MALWARE Android Joker.FF CnC Beacon
(mobile_malware.rules)
2849271 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 161
(mobile_malware.rules)
2849272 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 162
(mobile_malware.rules)
2849273 - ETPRO CURRENT_EVENTS Successful Netflix Phish 2021-07-13
(current_events.rules)
2849274 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 163
(mobile_malware.rules)
2849275 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 164
(mobile_malware.rules)

[///] Modified active rules: [///]

2021013 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dridex/Trickbot CnC) (trojan.rules)
2024901 - ET TROJAN Trickbot Payload Request (trojan.rules)
2026738 - ET TROJAN [PTsecurity] Trickbot Data Exfiltration (trojan.rules)
2029077 - ET TROJAN Buer Loader Update Request (trojan.rules)
2029078 - ET TROJAN Buer Loader Download Request (trojan.rules)
2029079 - ET TROJAN Buer Loader Successful Payload Download (trojan.rules)
2029080 - ET TROJAN SSL/TLS Certificate Observed (Buer Loader) (trojan.rules)
2029729 - ET TROJAN Observed Buer Loader CnC Domain (kkjjhhdff .site
in TLS SNI) (trojan.rules)
2029768 - ET TROJAN Buer Loader Update Request (trojan.rules)
2031610 - ET TROJAN Observed Buer Loader Domain (officewestunionbank
.com in TLS SNI) (trojan.rules)
2032892 - ET MALWARE Buer - DomainInfo User-Agent (malware.rules)
2032893 - ET TROJAN Observed DNS Query to Buer - DomainInfo Domain
(trojan.rules)
2827992 - ETPRO TROJAN TrickBot IP Check (trojan.rules)
2830099 - ETPRO TROJAN W32/Trickbot IP check (trojan.rules)
2830188 - ETPRO TROJAN Trickbot SSL Certificate Detected (trojan.rules)
2830259 - ETPRO TROJAN W32/Trickbot IP check M2 (trojan.rules)
2830978 - ETPRO TROJAN Trickbot Base64 Encoded strings -
VirtualAllocEx ReadProcessMemory (trojan.rules)
2834883 - ETPRO TROJAN Trickbot Requesting networkDll Module (trojan.rules)
2837550 - ETPRO TROJAN Observed Trickbot Style SSL Cert (Internet
Widgets Pty Ltd) (trojan.rules)
2837551 - ETPRO TROJAN Observed Trickbot Style SSL Cert (Default
Company LTD) (trojan.rules)
2837581 - ETPRO TROJAN Trickbot Webinject Activity M1 (swap) (trojan.rules)
2837582 - ETPRO TROJAN Trickbot Webinject Activity M1 (getinj) (trojan.rules)
2837583 - ETPRO TROJAN Trickbot Webinject Activity M1 (final) (trojan.rules)
2837584 - ETPRO TROJAN Trickbot Webinject Activity M1 (aggregator)
(trojan.rules)
2837585 - ETPRO TROJAN Trickbot Webinject Activity M1 (accounts)
(trojan.rules)
2837586 - ETPRO TROJAN Trickbot Webinject Activity M2 (response)
(trojan.rules)
2837587 - ETPRO TROJAN Trickbot Webinject Activity M2 (rcrd) (trojan.rules)
2839684 - ETPRO TROJAN Buer Loader Response (trojan.rules)
2843007 - ETPRO TROJAN Buer Loader CnC Activity (trojan.rules)
2848365 - ETPRO TROJAN RustyBuer Checkin (trojan.rules)

[///] Modified inactive rules: [///]

2025156 - ET TROJAN Possible Trickbot/Dyre Serial Number in SSL Cert
(trojan.rules)
