[***] Summary: [***]

7 new OPEN, 25 new PRO (7 + 18). Cobalt Strike, BazaLoader, Mirai,
AZORult, Others.

Thanks @Unit42_Intel.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033698 - ET INFO Possible Sharepoint Resource Infection (info.rules)
2033699 - ET TROJAN Observed Cobalt Strike CnC Domain (yuxicu .com in TLS SNI) (trojan.rules)
2033700 - ET TROJAN Observed Cobalt Strike CnC Domain (gojihu .com in TLS SNI) (trojan.rules)
2033701 - ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound (CVE-2021-31207) (exploit.rules)
2033702 - ET TROJAN Suspected TeamTNT Linux Miner Activity (trojan.rules)
2033703 - ET TROJAN Observed Malicious SSL Cert (Ursnif Injects) (trojan.rules)
2033704 - ET TROJAN Suspected Malicious VBS Script Activity (trojan.rules)

Pro:

2849567 - ETPRO CURRENT_EVENTS Successful Suntrust Phish 2021-08-10 (current_events.rules)
2849568 - ETPRO TROJAN BazaLoader CnC Activity M6 (trojan.rules)
2849569 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2849570 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT CnC) (trojan.rules)
2849571 - ETPRO TROJAN BazaBackdoor Variant CnC Activity M6 (trojan.rules)
2849572 - ETPRO EXPLOIT Seagate BlackArmor NAS - Command Injection Attempt Inbound (exploit.rules)
2849573 - ETPRO EXPLOIT Buffalo WSR-2533DHPL2/WSR-2533DHP3 Path Traversal Attempt Inbound (CVE-2021-20090) (exploit.rules)
2849574 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
2849575 - ETPRO TROJAN ELF/Mirai User-Agent Observed (Outbound) (trojan.rules)
2849576 - ETPRO TROJAN ELF/Mirai Variant CnC Checkin (trojan.rules)
2849577 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-10 1) (trojan.rules)
2849578 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-10 2) (trojan.rules)
2849579 - ETPRO TROJAN Win32/DelfInject.PNH!MTB Activity M2 (trojan.rules)
2849580 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-10 3) (trojan.rules)
2849581 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-10 4) (trojan.rules)
2849582 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-10 5) (trojan.rules)
2849583 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-08-10 6) (trojan.rules)
2849584 - ETPRO TROJAN Observed AZORult Domain (seriousratnik .000webhostapp .com in TLS SNI) (trojan.rules)

[///] Modified active rules: [///]

2032352 - ET TROJAN Campo Loader Activity (GET) (trojan.rules)
2033684 - ET EXPLOIT Possible Microsoft Exchange RCE Inbound (CVE-2021-34473) (exploit.rules)
2844246 - ETPRO TROJAN BazarBackdoor CnC Activity (trojan.rules)
2844765 - ETPRO TROJAN Possible Bazaloader CnC Activity M5 (trojan.rules)
2848148 - ETPRO TROJAN Possible BazaLoader OpenNIC Request (trojan.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team