[***] Summary: [***]

17 new OPEN, 22 new PRO (17 + 5). Cobalt Strike, MAIL/Document
Stealer, HCRootkit, MSIL/CNO DotNetRAT.

Thanks @AvastThreatLabs and @TheDFIRReport

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033810 - ET TROJAN Cobalt Strike Beacon (Custom Wordpress Profile)
(trojan.rules)
2033817 - ET TROJAN Suspected Cobalt Strike Beacon Activity (DNS)
(trojan.rules)
2033818 - ET TROJAN MSIL/Document Stealer Exfil (trojan.rules)
2033819 - ET TROJAN Win32/GenCBL.XS CnC Activity (trojan.rules)
2033820 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2033821 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2033822 - ET TROJAN HCRootkit CnC Domain in DNS Lookup
(ywbgrcrupasdiqxknwgceatlnbvmezti .com) (trojan.rules)
2033823 - ET TROJAN HCRootkit CnC Domain in DNS Lookup
(yhgrffndvzbtoilmundkmvbaxrjtqsew .com) (trojan.rules)
2033824 - ET TROJAN HCRootkit CnC Domain in DNS Lookup
(wcmbqxzeuopnvyfmhkstaretfciywdrl .name) (trojan.rules)
2033825 - ET TROJAN HCRootkit CnC Domain in DNS Lookup
(ruciplbrxwjscyhtapvlfskoqqgnxevw .name) (trojan.rules)
2033826 - ET EXPLOIT Prestashop Orderfiles Module Arbitrary File
Upload (exploit.rules)
2033827 - ET EXPLOIT Prestashop Supercheckout Module Arbitrary File
Upload (exploit.rules)
2033828 - ET TROJAN HCRootkit CnC Domain in DNS Lookup
(pdjwebrfgdyzljmwtxcoyomapxtzchvn .com) (trojan.rules)
2033829 - ET TROJAN HCRootkit CnC Domain in DNS Lookup
(nfcomizsdseqiomzqrxwvtprxbljkpgd .name) (trojan.rules)
2033830 - ET TROJAN HCRootkit CnC Domain in DNS Lookup
(hkxpqdtgsucylodaejmzmtnkpfvojabe .com) (trojan.rules)
2033831 - ET TROJAN HCRootkit CnC Domain in DNS Lookup
(etzndtcvqvyxajpcgwkzsoweaubilflh .com) (trojan.rules)
2033832 - ET TROJAN HCRootkit CnC Domain in DNS Lookup
(esnoptdkkiirzewlpgmccbwuynvxjumf .name) (trojan.rules)

Pro:

2849774 - ETPRO TROJAN MSIL/CNO DotNetRAT CnC Activity (trojan.rules)
2849775 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-08-27 1) (trojan.rules)
2849776 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-08-27 2) (trojan.rules)
2849777 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2849778 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)

[///] Modified active rules: [///]

2020716 - ET POLICY External IP Lookup ipinfo.io (policy.rules)
2811359 - ETPRO WEB_CLIENT Internet Explorer Memory Corruption
Vulnerability (CVE-2015-1750) (web_client.rules)
2811534 - ETPRO TROJAN Linux/Agent.X Checkin (trojan.rules)
2814057 - ETPRO TROJAN W32/njRAT Variant CnC (WinTitles command)
(trojan.rules)
2814797 - ETPRO TROJAN Win32.Maica.A Checkin (trojan.rules)
2816800 - ETPRO CURRENT_EVENTS Magnitude EK Landing Mar 29 2016
(current_events.rules)
2821149 - ETPRO TROJAN Linux.ELF.Camplz Checkin (trojan.rules)
2825696 - ETPRO TROJAN W32/Unknown Coinminer Module DL (trojan.rules)

[///] Modified inactive rules: [///]

2800941 - ETPRO ACTIVEX Novell iPrint Client GetDriverSettings Stack
Buffer Overflow 2 (activex.rules)

[---] Removed rules: [---]

2033810 - ET MALWARE Cobalt Strike Beacon (Custom Wordpress Profile)
(malware.rules)
2849207 - ETPRO TROJAN Unknown Middle East Threat Group Activity
(DNS) (trojan.rules)
