[***] Summary: [***]

14 new OPEN, 18 new PRO (14 + 4). PwnedPiper, Thallium, Raccoon, and
TrickBot.

Thanks @James_inthe_box and @JAMESWT_MHT

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033658 - ET TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile M2
(trojan.rules)
2033659 - ET TROJAN Win32/TrickBot CnC Initial Checkin M2 (trojan.rules)
2033660 - ET TROJAN TrickBot Related Activity (GET) (trojan.rules)
2033661 - ET EXPLOIT [PwnedPiper] Exploitation Attempt - Small Malformed
Translogic Packet (Multiple CVEs) (exploit.rules)
2033662 - ET EXPLOIT [PwnedPiper] Exploitation Attempt - Large Malformed
Translogic Packet (CVE-2021-37164) (exploit.rules)
2033663 - ET TROJAN Maldoc CnC Domain in DNS Lookup (trojan.rules)
2033664 - ET TROJAN Observed Maldoc CnC Domain (cloud-documents .com in
TLS SNI) (trojan.rules)
2033665 - ET USER_AGENTS sysWeb User-Agent (user_agents.rules)
2033666 - ET POLICY Observed URL Shortening Service Domain (longurl .in
in TLS SNI) (policy.rules)
2033667 - ET TROJAN Observed Win32.Raccoon Stealer CnC Domain
(gopstoporchestra .top in TLS SNI) (trojan.rules)
2033668 - ET TROJAN Observed Cobalt Strike CnC Domain (onlineworkercz
.com in TLS SNI) (trojan.rules)
2033669 - ET TROJAN Cobalt Strike Beacon Activity (GET) (trojan.rules)
2033670 - ET TROJAN Thallium CnC Domain in DNS Lookup (trojan.rules)
2033671 - ET TROJAN Quasar CnC Domain in DNS Lookup (societyf500 .ddns
.net) (trojan.rules)

Pro:

2849549 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-08-02 1) (trojan.rules)
2849550 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-08-02 2) (trojan.rules)
2849551 - ETPRO TROJAN DNS Query to DNS Changer Host (trojan.rules)
2849552 - ETPRO TROJAN Trojan.MSOffice.SAgent.gen CnC Response
(trojan.rules)

[///] Modified active rules: [///]

2840018 - ETPRO TROJAN Powershell.WC/Octopus Backdoor CnC - Heartbeat
(trojan.rules)
2844081 - ETPRO TROJAN GoldenDragon/FlowerPower CnC Activity
(trojan.rules)
2844082 - ETPRO TROJAN GoldenDragon/FlowerPower Retrieving Payload
(trojan.rules)

[///] Modified inactive rules: [///]

2825413 - ETPRO WEB_CLIENT Scripting Engine Memory Corruption
Vulnerability (CVE-2017-0071) (web_client.rules)

[---] Removed rules: [---]

2844588 - ETPRO TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile
M2 (trojan.rules)
2845394 - ETPRO TROJAN Win32/TrickBot CnC Initial Checkin M2
(trojan.rules)
2849312 - ETPRO TROJAN TrickBot Related Activity (GET) (trojan.rules)
