[***] Summary: [***]

145 new OPEN, 149 new PRO (145 + 4). Multiple Exploit, Remcos, Kimsuky, DCRAT.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033464 - ET EXPLOIT ysoserial Payload in HTTP URI
(BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M1
(exploit.rules)
2033465 - ET EXPLOIT ysoserial Payload in HTTP URI
(BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M2
(exploit.rules)
2033466 - ET EXPLOIT ysoserial Payload in HTTP URI
(BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M3
(exploit.rules)
2033467 - ET EXPLOIT ysoserial Payload in HTTP URI (Clojure1) M1
(exploit.rules)
2033468 - ET EXPLOIT ysoserial Payload in HTTP URI (Clojure1) M2
(exploit.rules)
2033469 - ET EXPLOIT ysoserial Payload in HTTP URI (Clojure1) M3
(exploit.rules)
2033470 - ET EXPLOIT ysoserial Payload in HTTP URI
(CommonsCollections1/CommonsCollections3) M1 (exploit.rules)
2033471 - ET EXPLOIT ysoserial Payload in HTTP URI
(CommonsCollections1/CommonsCollections3) M2 (exploit.rules)
2033472 - ET EXPLOIT ysoserial Payload in HTTP URI
(CommonsCollections1/CommonsCollections3) M3 (exploit.rules)
2033473 - ET EXPLOIT ysoserial Payload in HTTP URI
(CommonsCollections5/MozillaRhino1/Vaadin) M1 (exploit.rules)
2033474 - ET EXPLOIT ysoserial Payload in HTTP URI
(CommonsCollections5/MozillaRhino1/Vaadin) M2 (exploit.rules)
2033475 - ET EXPLOIT ysoserial Payload in HTTP URI
(CommonsCollections5/MozillaRhino1/Vaadin) M3 (exploit.rules)
2033476 - ET EXPLOIT ysoserial Payload in HTTP URI
(CommonsCollections6) M1 (exploit.rules)
2033477 - ET EXPLOIT ysoserial Payload in HTTP URI
(CommonsCollections6) M2 (exploit.rules)
2033478 - ET EXPLOIT ysoserial Payload in HTTP URI
(CommonsCollections6) M3 (exploit.rules)
2033479 - ET EXPLOIT ysoserial Payload in HTTP URI
(CommonsCollections7) M1 (exploit.rules)
2033480 - ET EXPLOIT ysoserial Payload in HTTP URI
(CommonsCollections7) M2 (exploit.rules)
2033481 - ET EXPLOIT ysoserial Payload in HTTP URI
(CommonsCollections7) M3 (exploit.rules)
2033482 - ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M1
(exploit.rules)
2033483 - ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M2
(exploit.rules)
2033484 - ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M3
(exploit.rules)
2033485 - ET EXPLOIT ysoserial Payload in HTTP URI
(Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M1 (exploit.rules)
2033486 - ET EXPLOIT ysoserial Payload in HTTP URI
(Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M2 (exploit.rules)
2033487 - ET EXPLOIT ysoserial Payload in HTTP URI
(Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M3 (exploit.rules)
2033488 - ET EXPLOIT ysoserial Payload in HTTP URI (JavassistWeld1)
M1 (exploit.rules)
2033489 - ET EXPLOIT ysoserial Payload in HTTP URI (JavassistWeld1)
M2 (exploit.rules)
2033490 - ET EXPLOIT ysoserial Payload in HTTP URI (JavassistWeld1)
M3 (exploit.rules)
2033491 - ET EXPLOIT ysoserial Payload in HTTP URI
(JBossInterceptors1) M1 (exploit.rules)
2033492 - ET EXPLOIT ysoserial Payload in HTTP URI
(JBossInterceptors1) M2 (exploit.rules)
2033493 - ET EXPLOIT ysoserial Payload in HTTP URI
(JBossInterceptors1) M3 (exploit.rules)
2033494 - ET EXPLOIT ysoserial Payload in HTTP URI (Jdk7u21) M1
(exploit.rules)
2033495 - ET EXPLOIT ysoserial Payload in HTTP URI (Jdk7u21) M2
(exploit.rules)
2033496 - ET EXPLOIT ysoserial Payload in HTTP URI (Jdk7u21) M3
(exploit.rules)
2033497 - ET EXPLOIT ysoserial Payload in HTTP URI (JRMPClient) M1
(exploit.rules)
2033498 - ET EXPLOIT ysoserial Payload in HTTP URI (JRMPClient) M2
(exploit.rules)
2033499 - ET EXPLOIT ysoserial Payload in HTTP URI (JRMPClient) M3
(exploit.rules)
2033500 - ET EXPLOIT ysoserial Payload in HTTP URI (MozillaRhino2)
M1 (exploit.rules)
2033501 - ET EXPLOIT ysoserial Payload in HTTP URI (MozillaRhino2)
M2 (exploit.rules)
2033502 - ET EXPLOIT ysoserial Payload in HTTP URI (MozillaRhino2)
M3 (exploit.rules)
2033503 - ET EXPLOIT ysoserial Payload in HTTP URI (Spring1/Spring2)
M1 (exploit.rules)
2033504 - ET EXPLOIT ysoserial Payload in HTTP URI (Spring1/Spring2)
M2 (exploit.rules)
2033505 - ET EXPLOIT ysoserial Payload in HTTP URI (Spring1/Spring2)
M3 (exploit.rules)
2033506 - ET EXPLOIT ysoserial Payload in HTTP Header
(BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M1
(exploit.rules)
2033507 - ET EXPLOIT ysoserial Payload in HTTP Header
(BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M2
(exploit.rules)
2033508 - ET EXPLOIT ysoserial Payload in HTTP Header
(BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M3
(exploit.rules)
2033509 - ET EXPLOIT ysoserial Payload in HTTP Header (Clojure1) M1
(exploit.rules)
2033510 - ET EXPLOIT ysoserial Payload in HTTP Header (Clojure1) M3
(exploit.rules)
2033511 - ET EXPLOIT ysoserial Payload in HTTP Header (Clojure1) M2
(exploit.rules)
2033512 - ET EXPLOIT ysoserial Payload in HTTP Header
(CommonsCollections1/CommonsCollections3) M1 (exploit.rules)
2033513 - ET EXPLOIT ysoserial Payload in HTTP Header
(CommonsCollections1/CommonsCollections3) M2 (exploit.rules)
2033514 - ET EXPLOIT ysoserial Payload in HTTP Header
(CommonsCollections1/CommonsCollections3) M3 (exploit.rules)
2033515 - ET EXPLOIT ysoserial Payload in HTTP Header
(CommonsCollections5/MozillaRhino1/Vaadin) M1 (exploit.rules)
2033516 - ET EXPLOIT ysoserial Payload in HTTP Header
(CommonsCollections5/MozillaRhino1/Vaadin) M2 (exploit.rules)
2033517 - ET EXPLOIT ysoserial Payload in HTTP Header
(CommonsCollections5/MozillaRhino1/Vaadin) M3 (exploit.rules)
2033518 - ET EXPLOIT ysoserial Payload in HTTP Header
(CommonsCollections6) M1 (exploit.rules)
2033519 - ET EXPLOIT ysoserial Payload in HTTP Header
(CommonsCollections6) M2 (exploit.rules)
2033520 - ET EXPLOIT ysoserial Payload in HTTP Header
(CommonsCollections6) M3 (exploit.rules)
2033521 - ET EXPLOIT ysoserial Payload in HTTP Header
(CommonsCollections7) M1 (exploit.rules)
2033522 - ET EXPLOIT ysoserial Payload in HTTP Header
(CommonsCollections7) M2 (exploit.rules)
2033523 - ET EXPLOIT ysoserial Payload in HTTP Header
(CommonsCollections7) M3 (exploit.rules)
2033524 - ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M1
(exploit.rules)
2033525 - ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M2
(exploit.rules)
2033526 - ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M3
(exploit.rules)
2033527 - ET EXPLOIT ysoserial Payload in HTTP Header
(Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M1 (exploit.rules)
2033528 - ET EXPLOIT ysoserial Payload in HTTP Header
(Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M2 (exploit.rules)
2033529 - ET EXPLOIT ysoserial Payload in HTTP Header
(Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M3 (exploit.rules)
2033530 - ET EXPLOIT ysoserial Payload in HTTP Header
(JavassistWeld1) M1 (exploit.rules)
2033531 - ET EXPLOIT ysoserial Payload in HTTP Header
(JavassistWeld1) M2 (exploit.rules)
2033532 - ET EXPLOIT ysoserial Payload in HTTP Header
(JavassistWeld1) M3 (exploit.rules)
2033533 - ET EXPLOIT ysoserial Payload in HTTP Header
(JBossInterceptors1) M1 (exploit.rules)
2033534 - ET EXPLOIT ysoserial Payload in HTTP Header
(JBossInterceptors1) M2 (exploit.rules)
2033535 - ET EXPLOIT ysoserial Payload in HTTP Header
(JBossInterceptors1) M3 (exploit.rules)
2033536 - ET EXPLOIT ysoserial Payload in HTTP Header (Jdk7u21) M1
(exploit.rules)
2033537 - ET EXPLOIT ysoserial Payload in HTTP Header (Jdk7u21) M2
(exploit.rules)
2033538 - ET EXPLOIT ysoserial Payload in HTTP Header (Jdk7u21) M3
(exploit.rules)
2033539 - ET EXPLOIT ysoserial Payload in HTTP Header (JRMPClient)
M1 (exploit.rules)
2033540 - ET EXPLOIT ysoserial Payload in HTTP Header (JRMPClient)
M2 (exploit.rules)
2033541 - ET EXPLOIT ysoserial Payload in HTTP Header (JRMPClient)
M3 (exploit.rules)
2033542 - ET EXPLOIT ysoserial Payload in HTTP Header
(MozillaRhino2) M1 (exploit.rules)
2033543 - ET EXPLOIT ysoserial Payload in HTTP Header
(MozillaRhino2) M2 (exploit.rules)
2033544 - ET EXPLOIT ysoserial Payload in HTTP Header
(MozillaRhino2) M3 (exploit.rules)
2033545 - ET EXPLOIT ysoserial Payload in HTTP Header
(Spring1/Spring2) M1 (exploit.rules)
2033546 - ET EXPLOIT ysoserial Payload in HTTP Header
(Spring1/Spring2) M2 (exploit.rules)
2033547 - ET EXPLOIT ysoserial Payload in HTTP Header
(Spring1/Spring2) M3 (exploit.rules)
2033548 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M1
(exploit.rules)
2033549 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M2
(exploit.rules)
2033550 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M3
(exploit.rules)
2033551 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Clojure1) M1 (exploit.rules)
2033552 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Clojure1) M2 (exploit.rules)
2033553 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Clojure1) M3 (exploit.rules)
2033554 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (CommonsCollections1/CommonsCollections3) M1 (exploit.rules)
2033555 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (CommonsCollections1/CommonsCollections3) M2 (exploit.rules)
2033556 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (CommonsCollections1/CommonsCollections3) M3 (exploit.rules)
2033557 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (CommonsCollections5/MozillaRhino1/Vaadin) M1 (exploit.rules)
2033558 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (CommonsCollections5/MozillaRhino1/Vaadin) M2 (exploit.rules)
2033559 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (CommonsCollections5/MozillaRhino1/Vaadin) M3 (exploit.rules)
2033560 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (CommonsCollections6) M1 (exploit.rules)
2033561 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (CommonsCollections6) M2 (exploit.rules)
2033562 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (CommonsCollections6) M3 (exploit.rules)
2033563 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (CommonsCollections7) M1 (exploit.rules)
2033564 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (CommonsCollections7) M2 (exploit.rules)
2033565 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (CommonsCollections7) M3 (exploit.rules)
2033566 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Groovy1) M1 (exploit.rules)
2033567 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Groovy1) M2 (exploit.rules)
2033568 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Groovy1) M3 (exploit.rules)
2033569 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M1
(exploit.rules)
2033570 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M2
(exploit.rules)
2033571 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M3
(exploit.rules)
2033572 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (JavassistWeld1) M1 (exploit.rules)
2033573 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (JavassistWeld1) M2 (exploit.rules)
2033574 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (JavassistWeld1) M3 (exploit.rules)
2033575 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (JBossInterceptors1) M1 (exploit.rules)
2033576 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (JBossInterceptors1) M2 (exploit.rules)
2033577 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (JBossInterceptors1) M3 (exploit.rules)
2033578 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Jdk7u21) M1 (exploit.rules)
2033579 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Jdk7u21) M2 (exploit.rules)
2033580 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Jdk7u21) M3 (exploit.rules)
2033581 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (JRMPClient) M1 (exploit.rules)
2033582 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (JRMPClient) M2 (exploit.rules)
2033583 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (JRMPClient) M3 (exploit.rules)
2033584 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (MozillaRhino2) M1 (exploit.rules)
2033585 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (MozillaRhino2) M2 (exploit.rules)
2033586 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (MozillaRhino2) M3 (exploit.rules)
2033587 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Spring1/Spring2) M1 (exploit.rules)
2033588 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Spring1/Spring2) M2 (exploit.rules)
2033589 - ET EXPLOIT HTTP POST Request With ysoserial In Request
Body (Spring1/Spring2) M3 (exploit.rules)
2033590 - ET TROJAN Kimsuky Related Activity (GET) (trojan.rules)
2033591 - ET TROJAN Kimsuky Related Activity (GET) (trojan.rules)
2033592 - ET TROJAN MSIL/Heracles Variant CnC Activity (trojan.rules)
2033593 - ET TROJAN Observed MSIL/Heracles Variant CnC Domain
(stainless .fun in TLS SNI) (trojan.rules)
2033594 - ET TROJAN Kimsuky Related Activity (GET) (trojan.rules)
2033595 - ET TROJAN Kimsuky Related Maldoc Activity (POST) (trojan.rules)
2033596 - ET TROJAN Kimsuky Related Maldoc Activity (GET) (trojan.rules)
2033597 - ET TROJAN Kimsuky Related Script Activity (GET) (trojan.rules)
2033598 - ET TROJAN Kimsuky Related Maldoc Activity (HEAD) (trojan.rules)
2033599 - ET EXPLOIT Monitorr 1.7.6m RCE Exploit Attempt (exploit.rules)
2033600 - ET EXPLOIT Jenkins Plugin Script RCE Exploit Attempt
(CVE-2019-1003001) (exploit.rules)
2033601 - ET EXPLOIT Apache Ambari Default Credentials Attempt (exploit.rules)
2033602 - ET EXPLOIT Jitsi Meet Plugin XSS Attempt (CVE-2021-26812)
(exploit.rules)
2033603 - ET EXPLOIT GraphQL Introspection Query Attempt (exploit.rules)
2033604 - ET EXPLOIT JCK Editor 6.4.4 SQLi Attempt (CVE-2018-17254)
(exploit.rules)
2033605 - ET EXPLOIT TIBCO Data Virtualization <= 8.3 RCE Attempt
(CVE-2016-2510) (exploit.rules)
2033606 - ET WEB_SPECIFIC_APPS Possible MobileIron MDM RCE Inbound
(CVE-2020-15505) (web_specific_apps.rules)
2033607 - ET MALWARE Socelars Related Domain in DNS Lookup (malware.rules)
2033608 - ET TROJAN Observed DCRat CnC Domain (dud-shotline
.000webhostapp .com in TLS SNI) (trojan.rules)

Pro:

2849429 - ETPRO EXPLOIT Possible dhcpcd IPv6 IA/NA Buffer Overflow
[Advertise 0x02] Inbound (CVE-2019-11577) (exploit.rules)
2849430 - ETPRO MALWARE DCRat Screenshot Upload via Telegram (malware.rules)
2849431 - ETPRO TROJAN Win32/Remcos RAT Checkin 736 (trojan.rules)
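
The ysoserial rules above are listed by name only; the page does not reproduce their content matches. The following Python is an added illustration of the detection problem those rules address, not the ET rules' own logic (the M1/M2/M3 variants are not claimed to correspond to anything shown here): a Java serialized stream, which every ysoserial gadget chain opens with the same four-byte header (stream magic 0xACED, stream version 0x0005), appearing raw, percent-encoded or base64-encoded in the request URI, a header value or the POST body. Because base64 encodes three bytes per group, that header has three distinct encoded forms depending on its byte offset, so a check that only knows the familiar "rO0AB" prefix misses a payload the application wraps with a one- or two-byte prefix before encoding; the example derives all three forms and confirms every hit by decoding. The sample requests, the hostname and paths, and the stub stream (a header followed by filler, with a hypothetical class name, not a real gadget chain) are constructed for this example.

```python
import base64
import re
import urllib.parse

# Stream magic (0xACED) plus stream version (0x0005) that opens every Java
# ObjectOutputStream, and therefore every ysoserial gadget chain.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def base64_signatures(magic: bytes = JAVA_SERIAL_MAGIC) -> list[str]:
    """Base64 substrings that are invariant for `magic` at each of the three
    byte alignments inside a 3-byte base64 group. Fillers of 0x00 and 0xff
    differ in every bit, so any output character that shares a sextet with
    filler differs between the two encodings; the characters that agree are
    exactly those fixed by the magic alone."""
    sigs = []
    for phase in range(3):
        lo = base64.b64encode(b"\x00" * phase + magic + b"\x00" * 2).decode().rstrip("=")
        hi = base64.b64encode(b"\xff" * phase + magic + b"\xff" * 2).decode().rstrip("=")
        common = "".join(a if a == b else " " for a, b in zip(lo, hi))
        sigs.append(max(common.split(), key=len))
    return sigs


SIGNATURE_RE = re.compile("|".join(re.escape(s) for s in base64_signatures()))
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{8,}")


def base64_carries_magic(text: str) -> bool:
    """Confirm a signature hit by decoding the base64 run around it. All four
    starting offsets are tried so a run captured mid-group still decodes."""
    for run in BASE64_RUN_RE.findall(text):
        if not SIGNATURE_RE.search(run):
            continue
        for start in range(4):
            chunk = run[start:]
            chunk = chunk[: len(chunk) - len(chunk) % 4]
            if len(chunk) >= 8 and JAVA_SERIAL_MAGIC in base64.b64decode(chunk):
                return True
    return False


def payload_encodings(data: bytes) -> list[str]:
    """Name each encoding under which `data` carries a Java serialized stream."""
    found = []
    if JAVA_SERIAL_MAGIC in data:
        found.append("raw")
    decoded = urllib.parse.unquote_to_bytes(data)
    if decoded != data and JAVA_SERIAL_MAGIC in decoded:
        found.append("url-encoded")
    # Base64 is checked after percent-decoding so %3D padding or an encoded
    # '+' / '/' does not split the run; the signatures contain neither '+'
    # nor '/', so the URL-safe alphabet matches them too.
    if base64_carries_magic(decoded.decode("latin-1")):
        found.append("base64")
    return found


def scan_request(raw: bytes) -> list[tuple[str, str]]:
    """Return (location, encoding) pairs for every place a request carries a
    Java serialized stream: the request URI, a header value, or the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *headers = head.split(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    hits = [("uri", enc) for enc in payload_encodings(uri)]
    for header in headers:
        name, _, value = header.partition(b":")
        label = "header:" + name.decode("latin-1").strip().lower()
        hits += [(label, enc) for enc in payload_encodings(value.strip())]
    hits += [("body", enc) for enc in payload_encodings(body)]
    return hits


# Constructed stand-in for a ysoserial output: a stream header followed by
# filler, not a real gadget chain (hypothetical class name).
FAKE_STREAM = JAVA_SERIAL_MAGIC + b"sr\x00\x0fexample.Payload" + b"\x00" * 17

# Constructed requests covering the three locations the rule names cite;
# hostname and paths are hypothetical.
SAMPLE_URI_B64 = (
    b"GET /app/load?state="
    + urllib.parse.quote(base64.b64encode(FAKE_STREAM).decode(), safe="").encode()
    + b" HTTP/1.1\r\nHost: app.example.internal\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
)
SAMPLE_BODY_RAW = (
    b"POST /api/session/restore HTTP/1.1\r\nHost: app.example.internal\r\n"
    b"Content-Type: application/x-java-serialized-object\r\n"
    b"Content-Length: %d\r\n\r\n" % len(FAKE_STREAM)
) + FAKE_STREAM
# A two-byte prefix before encoding shifts the stream to base64 phase 2, so
# the familiar "rO0AB" never appears; only the phase-2 signature does.
SAMPLE_HEADER_B64 = (
    b"GET / HTTP/1.1\r\nHost: app.example.internal\r\n"
    b"Cookie: JSESSIONID=9F2A; rememberMe=" + base64.b64encode(b"v1" + FAKE_STREAM)
    + b"\r\n\r\n"
)
SAMPLE_BENIGN = (
    b"GET /index.html HTTP/1.1\r\nHost: app.example.internal\r\n"
    b"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in [("uri", SAMPLE_URI_B64), ("body", SAMPLE_BODY_RAW),
                      ("header", SAMPLE_HEADER_B64), ("benign", SAMPLE_BENIGN)]:
        print(name, scan_request(req))
```

A signature of four or five base64 characters is short enough to occur by chance inside long base64 blobs such as bearer tokens, which is why each string hit is confirmed by decoding the surrounding run and re-checking for the magic bytes. A production signature likewise pairs the content match with a restriction on where in the request it may occur, as the rule names above do (URI, header, POST body), to keep the false-positive rate acceptable.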

[///] Modified active rules: [///]

2843864 - ETPRO TROJAN Suspicious Zipped Filename in Outbound POST
Request (screen.) M2 (trojan.rules)
2846800 - ETPRO TROJAN DCRat Initial Checkin Server Response M3 (trojan.rules)

[---] Disabled and modified rules: [---]

2833190 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL
2018-10-18 2) (trojan.rules)
