[***] Summary: [***]

14 new OPEN, 28 new PRO (14 + 14) Tofsee, ReverseRAT, Candiru, MargulasRAT, and IE MSHTML Out-of-Bounds Write Inbound (CVE-2021-33742).

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033324 - ET TROJAN Win32/Tofsee Connectivity Check M2 (trojan.rules)
2033325 - ET TROJAN Win32/Tofsee Connectivity Check M3 (trojan.rules)
2033326 - ET EXPLOIT IE MSHTML Out-of-Bounds Write Inbound (CVE-2021-33742) (exploit.rules)
2033327 - ET TROJAN ReverseRAT Activity (POST) M5 (trojan.rules)
2033328 - ET TROJAN Candiru Spyware CnC Domain in DNS Lookup (msstore .io) (trojan.rules)
2033329 - ET TROJAN Candiru Spyware CnC Domain in DNS Lookup (adtracker .link) (trojan.rules)
2033330 - ET TROJAN Candiru Spyware CnC Domain in DNS Lookup (cdnmobile .io) (trojan.rules)
2033331 - ET TROJAN Unk.DPRK MalDoc SysInfo CnC Exfil (trojan.rules)
2033332 - ET TROJAN MargulasRAT Checkin M1 (trojan.rules)
2033333 - ET TROJAN MargulasRAT Keep-Alive Outbound M1 (trojan.rules)
2033334 - ET TROJAN MargulasRAT Keep-Alive Inbound M1 (trojan.rules)
2033335 - ET TROJAN MargulasRAT Checkin M2 (trojan.rules)
2033336 - ET TROJAN MargulasRAT Keep-Alive Outbound M2 (trojan.rules)
2033337 - ET TROJAN MargulasRAT Keep-Alive Inbound M2 (trojan.rules)

Pro:

2849296 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-14 1) (trojan.rules)
2849297 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-14 2) (trojan.rules)
2849298 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-14 3) (trojan.rules)
2849299 - ETPRO MALWARE Win32/Occamy Variant Activity (GET) (malware.rules)
2849300 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-07-15 (current_events.rules)
2849301 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849302 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849303 - ETPRO POLICY [MS-SRVS] DCERPC Bind_ack (flowbit set) (policy.rules)
2849304 - ETPRO POLICY [MS-SRVS] Microsoft Server Service Remote Protocol Activity - NetShareEnumAll (policy.rules)
2849305 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 165 (mobile_malware.rules)
2849306 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 166 (mobile_malware.rules)
2849307 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 167 (mobile_malware.rules)
2849308 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 168 (mobile_malware.rules)
2849309 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 169 (mobile_malware.rules)

[///] Modified active rules: [///]

2002038 - ET MALWARE Shopathomeselect .com Spyware User-Agent (WebDownloader) (malware.rules)
2008243 - ET MALWARE my247eshop .com User-Agent (malware.rules)
2008594 - ET MALWARE ezday.co .kr Related Spyware User-Agent (Ezshop) (malware.rules)
2028596 - ET TROJAN Observed Malicious SSL Cert (MalDoc DL 2019-09-17 1) (trojan.rules)
2029450 - ET TROJAN Kimsuky Related CnC (trojan.rules)
2029451 - ET TROJAN Possible Kimsuky Related Exfil (trojan.rules)
2029452 - ET TROJAN Possible Kimsuky Related Download (trojan.rules)
2029453 - ET TROJAN Kimsuky Related CnC (trojan.rules)
2029529 - ET TROJAN ObliqueRAT CnC Heartbeat Packet (trojan.rules)
2029530 - ET TROJAN ObliqueRAT CnC Checkin (trojan.rules)
2029583 - ET TROJAN Kimsuky Related Host Data Exfil (trojan.rules)
2029636 - ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware RCE) (web_specific_apps.rules)
2029765 - ET MOBILE_MALWARE Android Lightspy Implant CnC (mobile_malware.rules)
2029794 - ET TROJAN Suspected Stitch Variant Backdoor CnC (trojan.rules)
2030485 - ET TROJAN Hakbit/Thanos Ransomware BMP Download (trojan.rules)
2030516 - ET TROJAN Supercharge Component Download (ps1) (trojan.rules)
2030517 - ET TROJAN Supercharge Component Download (exe) (trojan.rules)
2030994 - ET TROJAN MontysThree HTTPTransport Module Activity (trojan.rules)
2031492 - ET CURRENT_EVENTS Suspicious TikTok Domain Request - Possible Phishing or Scam (current_events.rules)
2031546 - ET EXPLOIT Suspected SAP EEM SOLMAN RCE (CVE-2020-6207) (exploit.rules)
2032525 - ET TROJAN Pult Downloader Activity (trojan.rules)
2033066 - ET TROJAN Vidar Stealer - FaceIt Checkin Response (trojan.rules)
2033071 - ET TROJAN Evilnum Activity (GET) (trojan.rules)
2033293 - ET TROJAN BIOPASS RAT Python Activity (GET) (trojan.rules)
2033310 - ET TROJAN BIOPASS RAT Go Activity (GET) (trojan.rules)
2840688 - ETPRO TROJAN Possibly Malicious Doc Requesting Known VBS Template (trojan.rules)
2842556 - ETPRO TROJAN VB.Trojan.Valyri CnC Activity M2 (trojan.rules)
2846731 - ETPRO TROJAN Win32/Spy.Vadokrist.AH CnC Activity (trojan.rules)
2847674 - ETPRO TROJAN Blue Eagle XPR RAT Checkin (Java) (trojan.rules)
2847675 - ETPRO MALWARE Blue Eagle XPR RAT Checkin (VB) (malware.rules)
2849072 - ETPRO TROJAN DetaRAT Initial Checkin (trojan.rules)
2849073 - ETPRO TROJAN MSIL/DetaRAT KeepAlive (trojan.rules)

[///] Modified inactive rules: [///]

2008370 - ET MALWARE Shopcenter.co .kr Spyware Install Report (malware.rules)

[---] Removed rules: [---]

2849198 - ETPRO TROJAN Win32/Remcos RAT Checkin 728 (trojan.rules)
