[***] Summary: [***]
36 new OPEN, 53 new PRO (36 + 17) W32/Echmark/MarkiRAT, Dmechant, RustyBuer, Gamaredon, and Various exploits.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2033383 - ET MALWARE Win32/TrojanDownloader.Agent.BXA CnC Activity (malware.rules)
2033400 - ET TROJAN W32/Echmark/MarkiRAT CnC Host Checkin (trojan.rules)
2033401 - ET TROJAN W32/Echmark/MarkiRAT CnC Request (trojan.rules)
2033402 - ET TROJAN W32/Echmark/MarkiRAT CnC Response (trojan.rules)
2033403 - ET WEB_SPECIFIC_APPS Apache SkyWalking GraphQL SQL Injection Inbound (CVE-2020-13921) (web_specific_apps.rules)
2033404 - ET WEB_SPECIFIC_APPS Apache Kylin REST API DiagnosisService Command Injection Inbound (CVE-2020-13925) (web_specific_apps.rules)
2033405 - ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Remote Code Execution Inbound (CVE-2019-0230) (web_specific_apps.rules)
2033408 - ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Remote Code Execution Inbound (CVE-2020-17530) (web_specific_apps.rules)
2033409 - ET EXPLOIT Cisco Data Center Network Manager Authentication Bypass Inbound (CVE-2019-15976) (exploit.rules)
2033410 - ET EXPLOIT Cisco Data Center Network Manager Information Disclosure Inbound (exploit.rules)
2033411 - ET EXPLOIT Cisco Data Center Network Manager SQL Injection Inbound (CVE-2019-15984) (exploit.rules)
2033412 - ET EXPLOIT Cisco Data Center Network Manager Directory Traversal Inbound (CVE-2019-15980) (exploit.rules)
2033413 - ET TROJAN Dmechant Exfil Cryptowallets via SMTP (trojan.rules)
2033414 - ET TROJAN Dmechant Exfil Passwords via SMTP (trojan.rules)
2033415 - ET TROJAN RustyBuer CnC Domain in SNI (trojan.rules)
2033416 - ET CURRENT_EVENTS Webshell Landing Outbound - Possibly Iran-based (current_events.rules)
2033417 - ET CURRENT_EVENTS Webshell Upload Command Inbound - Possibly Iran-based (current_events.rules)
2033418 - ET CURRENT_EVENTS Webshell Access with Known Password Inbound - Possibly Iran-based (current_events.rules)
2033419 - ET CURRENT_EVENTS Webshell Execute Command Inbound - Possibly Iran-based M1 (current_events.rules)
2033420 - ET TROJAN Anchor_DNS stickseed Variant CnC Checkin (trojan.rules)
2033421 - ET TROJAN Observed Malsmoke Staging Domain in SNI (trojan.rules)
2033422 - ET MALWARE Observed ZLoader CnC Domain in SNI (malware.rules)
2033423 - ET MALWARE Observed ZLoader CnC Domain in SNI (malware.rules)
2033424 - ET WEB_SPECIFIC_APPS rConfig ajaxArchiveFiles.php Command Injection Inbound (CVE-2019-19509) (web_specific_apps.rules)
2033425 - ET WEB_SPECIFIC_APPS Solr DataImport Handler Disclose Admin Cores (web_specific_apps.rules)
2033426 - ET WEB_SPECIFIC_APPS Solr DataImport Handler Disclose Config (web_specific_apps.rules)
2033427 - ET WEB_SPECIFIC_APPS Solr DataImport Handler Disclose Config URL (web_specific_apps.rules)
2033428 - ET WEB_SPECIFIC_APPS rConfig search.crud.php Command Injection (CVE-2019-16663) (web_specific_apps.rules)
2033429 - ET TROJAN W32/Echmark/MarkiRAT CnC Activity M3 (trojan.rules)
2033432 - ET TROJAN Gamaredon CnC Domain in DNS Lookup (clank .hazari .ru) (trojan.rules)
2033433 - ET TROJAN Gamaredon CnC Domain in DNS Lookup (lump .semara .ru) (trojan.rules)
2033434 - ET TROJAN Gamaredon CnC Domain in DNS Lookup (lovers .semara .ru) (trojan.rules)
2033435 - ET TROJAN Gamaredon CnC Domain in DNS Lookup (aconitum .xyz) (trojan.rules)
2033436 - ET TROJAN Gamaredon CnC Domain in DNS Lookup (blattodea .ru) (trojan.rules)
2033437 - ET TROJAN Gamaredon CnC Domain in DNS Lookup (hierodula .online) (trojan.rules)
2033438 - ET TROJAN Gamaredon CnC Domain in DNS Lookup (tomond .ru) (trojan.rules)
Pro:
2849404 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-24 1) (trojan.rules)
2849405 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-24 2) (trojan.rules)
2849406 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-24 3) (trojan.rules)
2849407 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-24 4) (trojan.rules)
2849408 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-24 5) (trojan.rules)
2849409 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-24 6) (trojan.rules)
2849410 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-24 7) (trojan.rules)
2849411 - ETPRO WEB_CLIENT IE JScript Use-After-Free Inbound (CVE-2019-1429) (web_client.rules)
2849412 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-26 1) (trojan.rules)
2849413 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-26 2) (trojan.rules)
2849414 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-26 3) (trojan.rules)
2849415 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-26 4) (trojan.rules)
2849416 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-26 5) (trojan.rules)
2849417 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.ABD Checkin (mobile_malware.rules)
2849418 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2021-07-26 (current_events.rules)
2849419 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 172 (mobile_malware.rules)
2849420 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-07-26 (current_events.rules)
[///] Modified active rules: [///]
2022818 - ET TROJAN Generic gate .php GET with minimal headers (trojan.rules)
2028933 - ET EXPLOIT Possible rConfig 3.9.2 Remote Code Execution PoC M1 (CVE-2019-16662) (exploit.rules)
2033114 - ET EXPLOIT Solr DataImport Handler RCE (CVE-2019-0193) (exploit.rules)
[---] Removed rules: [---]
2843336 - ETPRO TROJAN W32/Echmark CnC Host Checkin (trojan.rules)
2843338 - ETPRO TROJAN W32/Echmark CnC Request (trojan.rules)
2843339 - ETPRO TROJAN W32/Echmark CnC Response (trojan.rules)