[***] Summary: [***]
25 new OPEN, 39 new PRO (25 + 14). MageCart, FIN7, CVE-2021-35211,
AsyncRAT, Others.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2033870 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033871 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033872 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033873 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033874 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033875 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033876 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033877 - ET INFO Observed Blockchain Domain (api .blockcypher .com in
TLS SNI) (info.rules)
2033878 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033879 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033880 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033881 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033882 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033883 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033884 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033885 - ET TROJAN Magecart CnC Domain in DNS Lookup (trojan.rules)
2033886 - ET INFO Suspicious Zipped Filename in Outbound POST Request
(Chrome_Default.txt) (info.rules)
2033887 - ET INFO Suspicious Zipped Filename in Outbound POST Request
(Cookies/Firefox_) (info.rules)
2033888 - ET INFO Suspicious Zipped Filename in Outbound POST Request
(History/Firefox_) (info.rules)
2033889 - ET TROJAN FIN7 JSSLoader Variant Activity (GET) (trojan.rules)
2033890 - ET POLICY Observed nc (netcat) EXE Inbound (policy.rules)
2033891 - ET INFO Observed Suspicious Request nc.exe in URI (info.rules)
2033892 - ET TROJAN BlackMatter CnC Domain in DNS Lookup (nowautomation
.com) (trojan.rules)
2033893 - ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M1
(CVE-2021-35211) (exploit.rules)
2033894 - ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M2
(CVE-2021-35211) (exploit.rules)
Pro:
2849818 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-09-02
(current_events.rules)
2849819 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-09-02
(current_events.rules)
2849820 - ETPRO TROJAN Win32/Sanwai Variant Ransomware Performing Bitcoin
Wallet Check (GET) (trojan.rules)
2849821 - ETPRO CURRENT_EVENTS Successful Chase Bank Phish 2021-09-02
(current_events.rules)
2849822 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2849823 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-08-31 1) (trojan.rules)
2849824 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-08-31 2) (trojan.rules)
2849825 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-08-31 3) (trojan.rules)
2849826 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-08-31 4) (trojan.rules)
2849827 - ETPRO TROJAN MageCart Skimmer Redirect Observed - Base64
data.php in GA isogram Function (trojan.rules)
2849828 - ETPRO TROJAN MageCart Skimmer Redirect Observed - Base64
checkout in GA isogram Function (trojan.rules)
2849831 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2021-09-01
(current_events.rules)
2849832 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2849833 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
[///] Modified active rules: [///]
2002790 - ET TROJAN Haxdoor Reporting User Activity (trojan.rules)
2030489 - ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
(trojan.rules)
2031004 - ET CURRENT_EVENTS Amazon Phishing Landing 2020-10-13
(current_events.rules)
2033163 - ET TROJAN Win32/Vidar Variant Stealer CnC Exfil (trojan.rules)
2846941 - ETPRO CURRENT_EVENTS Successful Generic Secure Message Center
Phish 2021-02-05 (current_events.rules)
[---] Disabled and modified rules: [---]
2017913 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 7
(trojan.rules)
2020606 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 47
(trojan.rules)
2020764 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 63
(trojan.rules)
2020767 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 66
(trojan.rules)
2020769 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 68
(trojan.rules)
2020771 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 70
(trojan.rules)
2020779 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 78
(trojan.rules)
2021716 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)
102 (trojan.rules)
2022885 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)
106 (trojan.rules)
2023611 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)
107 (trojan.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
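Operators who consume these daily notices by hand tend to miss the "Modified active rules" and "Disabled and modified rules" sections, which are the ones that silently change what a sensor alerts on. The script below is an added example, not part of the original notice and not Proofpoint/Emerging Threats tooling: it parses the plain-text layout used above (the `[+++]` / `[///]` / `[---]` section markers, one `<sid> - <msg> (<file>.rules)` entry per item, entries wrapped onto a continuation line by the mailing list, and a trailing dashed signature) into structured records, rebuilds the per-section SID sets, and cross-checks the "N new OPEN, M new PRO (a + b)" header against the entries actually listed. The sample text is constructed from a handful of entries copied from this notice; the header counts in the sample are adjusted to match that subset.

```python
"""Parse an Emerging Threats daily ruleset update notice (added example,
not ET/Proofpoint code). Assumes the plain-text layout of the notice above."""
import re
from dataclasses import dataclass

SECTION_NAMES = {"***": "summary", "+++": "added", "///": "modified", "---": "disabled"}
SECTION_RE = re.compile(r"^\[(\*\*\*|\+\+\+|///|---)\]")
DASHES_RE = re.compile(r"^-{3,}$")                       # signature separator
ENTRY_RE = re.compile(r"^(\d{7})\s+-\s+(.*\S)\s*$")       # "<sid> - <msg...>"
FILE_RE = re.compile(r"\s*\((\w+\.rules)\)$")            # trailing "(x.rules)"
SUMMARY_RE = re.compile(r"^(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")
FEED_LABELS = {"Open:", "Pro:"}

# Constructed sample: entries copied from the notice above, with the same line
# wrapping the list applies; the header counts are adjusted to this subset.
SAMPLE_NOTICE = """\
[***] Summary: [***]
2 new OPEN, 3 new PRO (2 + 1). MageCart, CVE-2021-35211, Others.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2033877 - ET INFO Observed Blockchain Domain (api .blockcypher .com in
TLS SNI) (info.rules)
2033893 - ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M1
(CVE-2021-35211) (exploit.rules)
Pro:
2849822 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
[///] Modified active rules: [///]
2002790 - ET TROJAN Haxdoor Reporting User Activity (trojan.rules)
[---] Disabled and modified rules: [---]
2021716 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)
102 (trojan.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
"""


@dataclass(frozen=True)
class RuleEntry:
    sid: int
    msg: str          # rule message as printed, "(file.rules)" suffix removed
    rules_file: str   # e.g. "trojan.rules"
    section: str      # "added", "modified" or "disabled"
    feed: str         # "open" for "ET ..." messages, "pro" for "ETPRO ..."


def _finish(buf, section, out):
    """Turn an accumulated (sid, [text fragments]) pair into a RuleEntry."""
    if buf is None:
        return
    sid, parts = buf
    text = " ".join(parts)                 # re-join the wrapped continuation line
    m = FILE_RE.search(text)
    if not m:
        raise ValueError(f"sid {sid}: missing (<file>.rules) suffix in {text!r}")
    msg = text[: m.start()]
    feed = "pro" if msg.startswith("ETPRO ") else "open"
    out.append(RuleEntry(sid, msg, m.group(1), section, feed))


def parse_notice(text):
    """Return (summary_counts, entries) for one update notice."""
    summary, entries, section, buf = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec or DASHES_RE.match(line):
            _finish(buf, section, entries)
            buf = None
            section = SECTION_NAMES[sec.group(1)] if sec else None  # None = signature
            continue
        if section == "summary":
            sm = SUMMARY_RE.match(line)
            if sm:
                g = [int(x) for x in sm.groups()]
                summary = {"open": g[0], "pro_total": g[1], "pro_only": g[3]}
            continue
        if section not in ("added", "modified", "disabled"):
            continue
        if line in FEED_LABELS:            # "Open:" / "Pro:" sub-headers
            _finish(buf, section, entries)
            buf = None
            continue
        ent = ENTRY_RE.match(line)
        if ent:
            _finish(buf, section, entries)
            buf = (int(ent.group(1)), [ent.group(2)])
        elif buf is not None:
            buf[1].append(line)            # wrapped remainder of the previous entry
    _finish(buf, section, entries)
    return summary, entries


def check_counts(summary, entries):
    """Return {field: (claimed, counted)} for every header count that disagrees
    with the parsed 'Added rules' section; an empty dict means consistent."""
    added = [e for e in entries if e.section == "added"]
    got = {"open": sum(e.feed == "open" for e in added),
           "pro_only": sum(e.feed == "pro" for e in added)}
    got["pro_total"] = got["open"] + got["pro_only"]   # "39 new PRO" = open + pro-only
    return {k: (summary.get(k), v) for k, v in got.items() if summary.get(k) != v}


def sids_by_section(entries):
    """SID sets per section, e.g. to diff against locally force-enabled rules."""
    out = {"added": set(), "modified": set(), "disabled": set()}
    for e in entries:
        out[e.section].add(e.sid)
    return out


if __name__ == "__main__":
    summary, entries = parse_notice(SAMPLE_NOTICE)
    for e in entries:
        print(f"{e.section:<8} {e.feed:<4} {e.sid} {e.rules_file:<14} {e.msg}")
    print("header/entry mismatches:", check_counts(summary, entries) or "none")
```

The `disabled` set is the one to diff against any SIDs you force-enable locally (for example through a suricata-update `enable.conf`): a rule upstream has disabled and modified may now fire differently from what your override was written for, and the notice gives no other signal than its appearance in that section.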