[***] Summary: [***]

3 new OPEN, 8 new PRO (3 + 5). Muhstik Botnet, Win32/PSW.WOW.NLZ,
Trojan-Spy.AndroidOS.Agent.rz, and Remcos.

Mass updates to PCRat/Gh0st sigs to reduce False Positive rates.
Mass updates to multiple rules to resolve formatting errors related
to references (more of these updates will follow).
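The reference clean-up above is the kind of thing worth checking locally before a ruleset is deployed, because a malformed reference option does not break the signature but does produce dead links in the console and, with some rule managers, a parse warning. The following Python checker is an added example, not ET code or part of the ruleset, and the sample rules it scans are constructed here (sids 9000001 and up are placeholders, not ET sids). It assumes the stock Suricata/Snort reference.config conventions: a fixed set of reference types, a url value given without a scheme because reference.config prepends http://, a cve value written as year-number without the "CVE-" prefix, and an md5 value of 32 hex digits. Adjust KNOWN_TYPES to match your own reference.config.

```python
import re
from typing import List, Tuple

# Reference types defined in a stock reference.config (assumption: a site may
# define more; extend the set to match the local file).
KNOWN_TYPES = {"url", "cve", "bugtraq", "bid", "md5", "nessus", "arachnids",
               "mcafee", "osvdb", "secunia", "msft", "threatexpert"}

REF_RE = re.compile(r"reference\s*:\s*([^;]*);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
CVE_RE = re.compile(r"^\d{4}-\d{4,}$")      # ET style: 2020-10148, no "CVE-" prefix
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def check_rule(rule: str) -> List[Tuple[str, str]]:
    """Return (sid, problem) pairs for every malformed reference option in one rule."""
    m = SID_RE.search(rule)
    sid = m.group(1) if m else "?"
    problems: List[Tuple[str, str]] = []
    for raw in REF_RE.findall(rule):
        if "," not in raw:
            problems.append((sid, f"reference lacks the type,value separator: {raw!r}"))
            continue
        rtype, value = (part.strip() for part in raw.split(",", 1))
        rtype = rtype.lower()
        if rtype not in KNOWN_TYPES:
            problems.append((sid, f"unknown reference type {rtype!r}"))
        if not value:
            problems.append((sid, f"empty {rtype} reference"))
        elif re.search(r"\s", value):
            problems.append((sid, f"whitespace inside reference value {value!r}"))
        elif rtype == "url" and re.match(r"https?://", value, re.I):
            # reference.config already supplies the scheme; keeping it here
            # yields links of the form http://http://...
            problems.append((sid, f"url reference carries a scheme: {value}"))
        elif rtype == "cve" and not CVE_RE.match(value):
            problems.append((sid, f"malformed CVE id {value!r}"))
        elif rtype == "md5" and not MD5_RE.match(value.lower()):
            problems.append((sid, f"malformed md5 {value!r}"))
    return problems


def check_rules(text: str) -> List[Tuple[str, str]]:
    """Scan a rules file body, skipping blank and comment lines."""
    out: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        out.extend(check_rule(line))
    return out


# Constructed sample rules for the checker (not from the ET ruleset).
SAMPLE_RULES = """\
# placeholder sids 9000001+; msg strings are test labels
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST Good refs"; flow:established,to_server; http.uri; content:"/gate.php"; reference:url,example.invalid/report; reference:cve,2020-10148; classtype:trojan-activity; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST Scheme in url"; flow:established,to_server; http.uri; content:"/x"; reference:url,http://example.invalid/report; classtype:trojan-activity; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST Bad cve and md5"; flow:established,to_server; content:"abc"; reference:cve,CVE-2020-10148; reference:md5,notahash; classtype:trojan-activity; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST Missing comma"; flow:established,to_server; content:"abc"; reference:urlexample.invalid; classtype:trojan-activity; sid:9000004; rev:1;)
"""

if __name__ == "__main__":
    for sid, problem in check_rules(SAMPLE_RULES):
        print(f"sid {sid}: {problem}")
```

Run it against the real rules files with `check_rules(open(path).read())`; the checker only reads the reference options, so it is safe to point at a full emerging-all.rules without any risk of altering it.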

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033916 - ET ATTACK_RESPONSE Muhstik Botnet Download Activity (GET)
(attack_response.rules)
2033917 - ET POLICY Seetrol Software Download (GET) (policy.rules)
2033918 - ET TROJAN Win32/PSW.WOW.NLZ CnC Activity (trojan.rules)

Pro:

2849885 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin
(mobile_malware.rules)
2849886 - ETPRO TROJAN Win32/Spy.Bancos Checkin (trojan.rules)
2849887 - ETPRO CURRENT_EVENTS Successful SMBC Phish 2021-09-09
(current_events.rules)
2849888 - ETPRO TROJAN Win32/Remcos RAT Checkin 747 (trojan.rules)
2849889 - ETPRO TROJAN MSIL/Heracles.25677 Variant CnC Activity (trojan.rules)

[///] Modified active rules: [///]

2010768 - ET SCAN Open-Proxy ScannerBot (webcollage-UA) (scan.rules)
2012113 - ET TROJAN Trojan.BackDoor-DRV.gen.c Reporting-1 (trojan.rules)
2013105 - ET WEB_SPECIFIC_APPS Apache Archive addRepository script
Cross Site Scripting Attempt (web_specific_apps.rules)
2013106 - ET WEB_SPECIFIC_APPS Apache Archive
confirmDeleteRepository script Cross Site Scripting Attempt
(web_specific_apps.rules)
2013345 - ET TROJAN Win32.Pamesg/ArchSMS.HL CnC Checkin (trojan.rules)
2016922 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (trojan.rules)
2017876 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 5 (trojan.rules)
2017877 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 6 (trojan.rules)
2017914 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 8 (trojan.rules)
2017915 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 9 (trojan.rules)
2017938 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 13 (trojan.rules)
2017944 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 14 (trojan.rules)
2017974 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 15 (trojan.rules)
2017988 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 16 (trojan.rules)
2017992 - ET MALWARE Win32/OutBrowse.G Variant Checkin (malware.rules)
2018013 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 18 (trojan.rules)
2018054 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 20 (trojan.rules)
2018057 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 21 (trojan.rules)
2018069 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 22 (trojan.rules)
2018075 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 23 (trojan.rules)
2018076 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 24 (trojan.rules)
2018077 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 25 (trojan.rules)
2018142 - ET TROJAN MSIL.Zapchast Checkin (trojan.rules)
2018181 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 29 (trojan.rules)
2018202 - ET WEB_SERVER log4jAdmin access from non-local network
(can modify logging levels) (web_server.rules)
2018203 - ET WEB_SERVER log4jAdmin access from non-local network
Page Body (can modify logging levels) (web_server.rules)
2018486 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 33 (trojan.rules)
2018487 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 34 (trojan.rules)
2018488 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 35 (trojan.rules)
2018636 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 36 (trojan.rules)
2018637 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 37 (trojan.rules)
2018639 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 39 (trojan.rules)
2018666 - ET TROJAN Possible Zeus P2P Variant DGA NXDOMAIN Responses
July 11 2014 (trojan.rules)
2019602 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 43 (trojan.rules)
2020214 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 44 (trojan.rules)
2020371 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 45 (trojan.rules)
2020586 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 46 (trojan.rules)
2020608 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 49 (trojan.rules)
2020609 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 50 (trojan.rules)
2020610 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 51 (trojan.rules)
2020612 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 53 (trojan.rules)
2020613 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 54 (trojan.rules)
2020691 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 56 (trojan.rules)
2020692 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 57 (trojan.rules)
2020693 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 58 (trojan.rules)
2020694 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 59 (trojan.rules)
2020695 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 60 (trojan.rules)
2020763 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 62 (trojan.rules)
2020765 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 64 (trojan.rules)
2020766 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 65 (trojan.rules)
2020768 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 67 (trojan.rules)
2020772 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 71 (trojan.rules)
2020774 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 73 (trojan.rules)
2020776 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 75 (trojan.rules)
2020777 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 76 (trojan.rules)
2020778 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 77 (trojan.rules)
2020781 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 80 (trojan.rules)
2020782 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 81 (trojan.rules)
2020783 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 82 (trojan.rules)
2020784 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 83 (trojan.rules)
2020785 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 84 (trojan.rules)
2020787 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 86 (trojan.rules)
2020790 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 89 (trojan.rules)
2020793 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 92 (trojan.rules)
2020795 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 94 (trojan.rules)
2020796 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 95 (trojan.rules)
2020797 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 96 (trojan.rules)
2020798 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 97 (trojan.rules)
2020800 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 99 (trojan.rules)
2021012 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 100 (trojan.rules)
2021065 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 101 (trojan.rules)
2021753 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 103 (trojan.rules)
2022343 - ET TROJAN DustySky Payload Link Request (trojan.rules)
2022401 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 104 (trojan.rules)
2022586 - ET POLICY Possible SSLv2 Negotiation in Progress Client
Master Key SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 (policy.rules)
2022773 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 105 (trojan.rules)
2024509 - ET MOBILE_MALWARE ANDROIDOS_LEAKERLOCKER.HRX DNS Lookup
(mobile_malware.rules)
2025790 - ET NETBIOS PolarisOffice Insecure Library Loading - SMB
ASCII (netbios.rules)
2025791 - ET NETBIOS PolarisOffice Insecure Library Loading - SMB
Unicode (netbios.rules)
2029794 - ET TROJAN Suspected Stitch Variant Backdoor CnC (trojan.rules)
2029816 - ET TROJAN Sarwent CnC Response (cmd_exec) (trojan.rules)
2029818 - ET TROJAN Sarwent CnC Response (rdp_exec) (trojan.rules)
2029819 - ET TROJAN Sarwent CnC Response (update_exec) (trojan.rules)
2029822 - ET TROJAN Sarwent CnC Command (download) (trojan.rules)
2029823 - ET TROJAN Sarwent CnC Command (powershell) (trojan.rules)
2029824 - ET TROJAN Sarwent CnC Command (rdp) (trojan.rules)
2030822 - ET MOBILE_MALWARE Backdoor.AndroidOS.Ahmyth.f (DNS Lookup)
(mobile_malware.rules)
2031459 - ET EXPLOIT Possible SolarWinds Orion API Local File
Disclosure (web.config) (CVE-2020-10148) (exploit.rules)
2031460 - ET EXPLOIT Possible SolarWinds Orion API Local File
Disclosure (SWNetPerfMon.db) (CVE-2020-10148) (exploit.rules)
2031485 - ET TROJAN Possible IceRat CnC Acitivty (trojan.rules)
2032806 - ET TROJAN Observed DNS Query to MoserPass Download Domain
(passwordstate-18ed2 .kxcdn .com) (trojan.rules)
2806298 - ETPRO MALWARE Descarga Segura Install (malware.rules)
2806785 - ETPRO MALWARE PUP DomainIQ Bundler 1 (malware.rules)
2808022 - ETPRO WEB_SERVER PHP Open Flash Charts File Upload
Attempt (web_server.rules)
2809041 - ETPRO TROJAN Win32/CoinMiner.SO .exe download (trojan.rules)
2812621 - ETPRO TROJAN Win32/Ixeshe HTTP CnC Beacon (trojan.rules)
2838512 - ETPRO MOBILE_MALWARE Android Trickbot 2fa app Checkin
(mobile_malware.rules)
2841774 - ETPRO TROJAN W32/Injector.jwcqy CnC Activity M1 (trojan.rules)
2841775 - ETPRO TROJAN W32/Injector.jwcqy CnC Activity M2 (trojan.rules)
2841915 - ETPRO MOBILE_MALWARE Android/Hiddad.AIO Checkin
(mobile_malware.rules)
2845166 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish
2020-10-26 (current_events.rules)
2845918 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Hiddad.pac Checkin
(mobile_malware.rules)
2846728 - ETPRO TROJAN MSIL/Agent.RMW Variant CnC Host Checkin (trojan.rules)
2849034 - ETPRO TROJAN Unk Rootkit CnC Activity M2 (trojan.rules)
2849880 - ETPRO ATTACK_RESPONSE JavaScript Array Index Obfuscation
Technique Inbound (attack_response.rules)
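The long run of PCRat/Gh0st signatures in the list above was touched to cut false positives, and the usual reason a Gh0st rule fires spuriously is that it keys on the five-byte flag alone (the original "Gh0st", or a variant's replacement) without checking the rest of the header. The Python below is an added example, not ET code and not a reproduction of the modified rules; it shows the stricter check a detection engineer would want. It assumes the widely documented Gh0st framing: a 5-byte flag, a little-endian uint32 total packet length that includes the 13-byte header, a little-endian uint32 uncompressed length, then a zlib stream. The packets it tests against are constructed inline with the helper, not captured traffic.

```python
import struct
import zlib
from typing import Tuple

HEADER_LEN = 13  # 5-byte flag + uint32 total length + uint32 uncompressed length


def build_gh0st_packet(flag: bytes, payload: bytes) -> bytes:
    """Constructed test helper: frame a payload the way the Gh0st protocol does."""
    if len(flag) != 5:
        raise ValueError("Gh0st flag is exactly 5 bytes")
    comp = zlib.compress(payload)
    return flag + struct.pack("<II", HEADER_LEN + len(comp), len(payload)) + comp


def looks_like_gh0st(data: bytes, flag: bytes = b"Gh0st") -> Tuple[bool, str]:
    """Validate one reassembled message against the full Gh0st header, not just the flag.

    Each failing check is the kind of condition a flag-only signature would
    miss; the reason string says which one rejected the candidate.
    """
    if len(data) < HEADER_LEN + 2:
        return False, "too short for a Gh0st header plus zlib stream"
    if data[:5] != flag:
        return False, "flag mismatch"
    total, orig = struct.unpack_from("<II", data, 5)
    if total != len(data):
        # For stream data compare against the reassembled buffer; a bare
        # flag string inside a web page or email will almost never satisfy this.
        return False, "length field does not match packet length"
    if data[HEADER_LEN] != 0x78:
        return False, "body does not start with a zlib header"
    try:
        body = zlib.decompress(data[HEADER_LEN:])
    except zlib.error:
        return False, "zlib decompression failed"
    if len(body) != orig:
        return False, "uncompressed length field does not match body"
    return True, "ok"


# Constructed samples: a real framing, the flag appearing as plain text, and
# a variant that swapped the flag for "Clash".
GOOD_PACKET = build_gh0st_packet(b"Gh0st", b"\x66" + b"A" * 63)
PLAIN_TEXT = b"Gh0st is a RAT family, this line is not a packet\r\n"
VARIANT_PACKET = build_gh0st_packet(b"Clash", b"\x66" + b"B" * 15)

if __name__ == "__main__":
    for label, sample in (("good", GOOD_PACKET), ("text", PLAIN_TEXT), ("variant", VARIANT_PACKET)):
        print(label, looks_like_gh0st(sample))
    print("variant with its own flag", looks_like_gh0st(VARIANT_PACKET, flag=b"Clash"))
```

The same sequence of checks maps onto a content match for the flag at depth 5 followed by byte_test/byte_jump on the two length fields and a content match for 0x78 at offset 13, which is what tightening the signature amounts to; the Python version is easier to run over a pcap-extracted stream when triaging why a rule fired.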

[///] Modified inactive rules: [///]

2003103 - ET ACTIVEX Microsoft Multimedia Controls - ActiveX
control's spline function call Object (activex.rules)
2003110 - ET WEB_CLIENT MSIE WebViewFolderIcon setSlice invalid
memory copy (web_client.rules)
2003231 - ET ACTIVEX ACTIVEX Possible Microsoft IE Install Engine
Inseng.dll Arbitrary Code Execution (activex.rules)
2003232 - ET ACTIVEX Possible Microsoft IE Install Engine Inseng.dll
Arbitrary Code Execution (2) (activex.rules)
2003233 - ET ACTIVEX Possible Microsoft IE Shell.Application ActiveX
Arbitrary Command Execution (activex.rules)
2003234 - ET ACTIVEX ACTIVEX Possible Microsoft IE Shell.Application
ActiveX Arbitrary Command Execution (2) (activex.rules)
2003751 - ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS (exploit.rules)
2009973 - ET P2P eMule KAD Network Send Username (p2p.rules)
2010510 - ET WEB_SPECIFIC_APPS Possible OSSIM uniqueid Parameter
Remote Command Execution Attempt (web_specific_apps.rules)
2010554 - ET DOS Netgear DG632 Web Management Denial Of Service
Attempt (dos.rules)
2011994 - ET FTP ProFTPD Backdoor Inbound Backdoor Open Request
(ACIDBITCHEZ) (ftp.rules)
2012938 - ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt (dos.rules)
2014663 - ET DOS Microsoft Remote Desktop Protocol (RDP)
maxChannelIds Negative Integer indef DoS Attempt (dos.rules)
2016511 - ET CURRENT_EVENTS Successful Compromise svchost.jpg Beacon
- Java Zeroday (current_events.rules)
2018143 - ET TROJAN Backdoor.Win32.Popwin Checkin (trojan.rules)
2019194 - ET CURRENT_EVENTS Nuclear EK Redirect Sept 18 2014
(current_events.rules)
2802195 - ETPRO TROJAN Backdoor.Win32.Muhaltick.A Checkin (trojan.rules)
