[***] Summary: [***]
3 new OPEN, 24 new PRO (3 + 21) Serv-U Backdoor, Win32/Fareit, AZORult, Pegasus Stealer, Remcos, BazaLoader and Various Android Malware.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2033321 - ET TROJAN Suspected Solarwinds Serv-U Backdoor (Incoming) (trojan.rules)
2033322 - ET TROJAN Win32/Fareit Variant Activity (POST) (trojan.rules)
2033323 - ET TROJAN Observed AZORult CnC Domain (miscrosoftworrd .000webhostapp .com in TLS SNI) (trojan.rules)
Pro:
2809267 - ETPRO INFO Terse Connectivity Check to Microsoft (info.rules)
2849276 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-14 1) (trojan.rules)
2849277 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-14 2) (trojan.rules)
2849278 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-14 3) (trojan.rules)
2849279 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-14 4) (trojan.rules)
2849280 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-14 5) (trojan.rules)
2849281 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-14 6) (trojan.rules)
2849282 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-14 7) (trojan.rules)
2849283 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-14 8) (trojan.rules)
2849284 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849285 - ETPRO TROJAN MSIL/Pegasus Stealer CnC Exfil (trojan.rules)
2849286 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.t Checkin (mobile_malware.rules)
2849287 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Piom.ajqd Checkin (mobile_malware.rules)
2849288 - ETPRO TROJAN Win32/Remcos RAT Checkin 729 (trojan.rules)
2849289 - ETPRO TROJAN Win32/Remcos RAT Checkin 730 (trojan.rules)
2849290 - ETPRO TROJAN Win32/Remcos RAT Checkin 731 (trojan.rules)
2849291 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.t Checkin 2 (mobile_malware.rules)
2849292 - ETPRO CURRENT_EVENTS Successful Union Bank Phish 2021-07-14 (current_events.rules)
2849293 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.t Checkin 3 (mobile_malware.rules)
2849294 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.t Checkin 4 (mobile_malware.rules)
2849295 - ETPRO TROJAN BazaLoader CnC Activity (trojan.rules)
[+++] Enabled and modified rules: [+++]
2033254 - ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncEnumPrinterDrivers (policy.rules)
2033256 - ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetPrinterDriver (policy.rules)
2033257 - ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetPrinterDriverDirectory (policy.rules)
2033258 - ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncDeletePrinterDriver (policy.rules)
2033259 - ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncDeletePrinterDriverEx (policy.rules)
2033260 - ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncInstallPrinterDriverFromPackage (policy.rules)
2033261 - ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncUploadPrinterDriverPackage (policy.rules)
2033262 - ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetCorePrinterDrivers (policy.rules)
2033263 - ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncCorePrinterDriverInstalled (policy.rules)
2033264 - ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetPrinterDriverPackagePath (policy.rules)
2033265 - ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncDeletePrinterDriverPackage (policy.rules)
[///] Modified active rules: [///]
2001702 - ET MALWARE Shop at Home Select Spyware User-Agent (Bundle) (malware.rules)
2001707 - ET MALWARE Shop at Home Select Spyware User-Agent (SAH) (malware.rules)
2002038 - ET MALWARE Shopathomeselect.com Spyware User-Agent (WebDownloader) (malware.rules)
2008243 - ET MALWARE my247eshop.com User-Agent (malware.rules)
2008594 - ET MALWARE ezday.co.kr Related Spyware User-Agent (Ezshop) (malware.rules)
2016917 - ET MALWARE Adware pricepeep Adware.Shopper.297 (malware.rules)
2033246 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - AddPrinterDriverEx with Suspicious Filepath (policy.rules)
2033255 - ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncAddPrinterDriver (policy.rules)
2804433 - ETPRO MALWARE AdWare.Win32.ShopNav.k Install (malware.rules)
2806052 - ETPRO MALWARE Adware.Shopper.323 Checkin (malware.rules)
2806413 - ETPRO MALWARE Adware.Shopper.Q Checking 2 (malware.rules)
2809218 - ETPRO MALWARE PUP Win32/AdWare.Loadshop Checkin (malware.rules)
2809279 - ETPRO MALWARE PUA Win32/ShopperPro.A Checkin (malware.rules)
2814069 - ETPRO MALWARE PUP.Adware.Shopro Checkin (malware.rules)
2843729 - ETPRO TROJAN Win32/Fsysna.hlwd CnC Checkin (trojan.rules)
[///] Modified inactive rules: [///]
2000580 - ET MALWARE Shop At Home Select.com Install Attempt (malware.rules)
2000581 - ET MALWARE Shop At Home Select.com Install Download (malware.rules)
2001708 - ET MALWARE Shop at Home Select Spyware Heartbeat (malware.rules)
2002000 - ET MALWARE Shopnav Spyware Install (malware.rules)
2002037 - ET MALWARE Shop at Home Select Spyware Install (malware.rules)
2008370 - ET MALWARE Shopcenter.co.kr Spyware Install Report (malware.rules)
2033247 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M1 (policy.rules)
2033274 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M2 (policy.rules)
2033275 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M3 (policy.rules)
2033276 - ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M4 (policy.rules)
2800702 - ETPRO EXPLOIT Nullsoft Winamp Midi File Header Handling Buffer Overflow (Published Exploit) (exploit.rules)
2849129 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx (policy.rules)
2849173 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriver (policy.rules)
2849174 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcEnumPrinterDrivers (policy.rules)
2849175 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriver (policy.rules)
2849176 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriverDirectory (policy.rules)
2849177 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcDeletePrinterDriver (policy.rules)
2849178 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriver2 (policy.rules)
2849179 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcDeletePrinterDriverEx (policy.rules)
2849180 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetCorePrinterDrivers (policy.rules)
2849181 - ETPRO POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcGetPrinterDriverPackagePath (policy.rules)
[---] Removed rules: [---]
2809267 - ETPRO TROJAN W32/TinyZBot Fake Resume Upload GET Request (Operation Cleaver) (trojan.rules)