[***] Summary: [***]
25 new OPEN, 32 new PRO (25 + 7). ClipBanker, Lunar Builder,
Multiple Exploit/CVE, BazaLoader, Remcos.
Thanks @ShadowChasing1 and @mojoesec
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2033439 - ET TROJAN ClipBanker Variant Activity (POST) (trojan.rules)
2033440 - ET TROJAN Lunar Builder Exfil via Discord M2 (trojan.rules)
2033441 - ET POLICY Cisco Data Center Network Manager Version Check Inbound (flowbit set) (policy.rules)
2033442 - ET POLICY Cisco Data Center Network Manager - Vulnerable Version Detected 11.1 (policy.rules)
2033443 - ET POLICY Cisco Data Center Network Manager - Vulnerable Version Detected 10.4 (policy.rules)
2033444 - ET EXPLOIT Possible Cisco Data Center Network Manager - Log Retrieval (CVE-2019-1622) (exploit.rules)
2033445 - ET EXPLOIT Possible Cisco Data Center Network Manager - Authenticated File Upload (CVE-2019-1620) (exploit.rules)
2033446 - ET EXPLOIT Possible Cisco Data Center Network Manager - Unauthenticated File Upload (CVE-2019-1620) (exploit.rules)
2033447 - ET INFO Screenshot Uploaded to Discord (info.rules)
2033448 - ET EXPLOIT Possible CloudMe Sync Stack-based Buffer Overflow Inbound (CVE-2018-6892) (exploit.rules)
2033449 - ET TROJAN Lunar Builder Exfil Response (trojan.rules)
2033450 - ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (page .googledocpage .com) (trojan.rules)
2033451 - ET EXPLOIT Possible Dovecot Memory Corruption Inbound (CVE-2019-11500) (exploit.rules)
2033452 - ET WEB_SPECIFIC_APPS Kibana Prototype Pollution RCE Inbound (CVE-2019-7609) (web_specific_apps.rules)
2033453 - ET WEB_SPECIFIC_APPS Kibana Path Traversal Inbound (CVE-2018-17246) (web_specific_apps.rules)
2033454 - ET TROJAN Maldoc Activity Sending Windows User Info (GET) (trojan.rules)
2033455 - ET TROJAN 44Calibar Variant Exfil via Telegram (trojan.rules)
2033456 - ET EXPLOIT LibreOffice pydoc RCE Inbound (CVE-2018-16858) (exploit.rules)
2033457 - ET TROJAN Maldoc Activity Sending Windows User Info (GET) (trojan.rules)
2033458 - ET TROJAN Observed CobaltStrike CnC Domain (stg .pesrado .com in TLS SNI) (trojan.rules)
2033459 - ET EXPLOIT Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380) (exploit.rules)
2033460 - ET WEB_SPECIFIC_APPS Jetty WEB-INF Information Leak Attempt Inbound (CVE-2021-34429) (web_specific_apps.rules)
2033461 - ET WEB_SPECIFIC_APPS Jetty WEB-INF Information Leak Successful Exploitation (CVE-2021-34429) (web_specific_apps.rules)
2033462 - ET WEB_SPECIFIC_APPS PHP-Fusion Downloads.php Command Injection (CVE-2020-24949) (web_specific_apps.rules)
2033463 - ET CURRENT_EVENTS Observed DNS Query to Known Scam/Phishing Domain (current_events.rules)
Pro:
2849421 - ETPRO MALWARE BazaLoader CnC Activity 2021-07-27 (malware.rules)
2849422 - ETPRO TROJAN Win32/Remcos RAT Checkin 735 (trojan.rules)
2849423 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-27 1) (trojan.rules)
2849424 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-27 2) (trojan.rules)
2849425 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-07-27 3) (trojan.rules)
2849426 - ETPRO CURRENT_EVENTS Successful Huntington Bank Phish 2021-07-27 (current_events.rules)
2849427 - ETPRO CURRENT_EVENTS Successful Instagram Phish 2021-07-27 (current_events.rules)
[///] Modified active rules: [///]
2032804 - ET TROJAN Lunar Builder Exfil via Discord M1 (trojan.rules)
2032879 - ET TELNET Lunar Builder CnC Activity (telnet.rules)
2845544 - ETPRO TROJAN Observed Possible Malicious SSL Cert (AsyncRAT) (trojan.rules)