[***] Summary: [***]
8 new OPEN, 19 new PRO (8 + 11) ELF/HabitsRAT, MSIL/Small.FU,
VARIOUS PHISHING and COINMINERS.
Thanks @michalmalik
Continued mass updates to the reference format corrections
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2033919 - ET TROJAN Observed ELF/HabitsRAT CnC Domain in TLS SNI
(trojan.rules)
2033920 - ET TROJAN Observed ELF/HabitsRAT CnC Domain in TLS SNI
(trojan.rules)
2033921 - ET TROJAN Observed ELF/HabitsRAT CnC Domain in TLS SNI
(trojan.rules)
2033922 - ET TROJAN Observed ELF/HabitsRAT CnC Domain in TLS SNI
(trojan.rules)
2033923 - ET TROJAN Observed ELF/HabitsRAT CnC Domain in TLS SNI
(trojan.rules)
2033924 - ET TROJAN MSIL/Small.FU Variant CnC Activity M1 (trojan.rules)
2033925 - ET TROJAN MSIL/Small.FU Variant CnC Activity M2 (trojan.rules)
2033926 - ET TROJAN MSIL/Small.FU Variant CnC Activity M3 (trojan.rules)
Pro:
2849890 - ETPRO CURRENT_EVENTS Successful Gibraltar International
Bank Phish 2021-09-10 (current_events.rules)
2849891 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-09-10
(current_events.rules)
2849892 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish
2021-09-10 (current_events.rules)
2849893 - ETPRO INFO Windows Username/Computername Sent in URI (info.rules)
2849894 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 186
(mobile_malware.rules)
2849895 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 187
(mobile_malware.rules)
2849896 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-09-08 1) (trojan.rules)
2849897 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-09-08 2) (trojan.rules)
2849898 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-09-08 3) (trojan.rules)
2849899 - ETPRO TROJAN MirrorBlast Checkin (trojan.rules)
2849900 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC) (trojan.rules)
[///] Modified active rules: [///]
2012533 - ET TROJAN Win32/Virut.BN Checkin (trojan.rules)
2016986 - ET TROJAN KeyBoy Backdoor Login (trojan.rules)
2020303 - ET TROJAN W32/AGENT.NXNX Checkin 2 (trojan.rules)
2029817 - ET TROJAN Sarwent CnC Response (powershell_exec) (trojan.rules)
2029820 - ET TROJAN Sarwent CnC Response (download_exec) (trojan.rules)
2029821 - ET TROJAN Sarwent CnC Command (update) (trojan.rules)
2801788 - ETPRO SCADA IGSS SCADA system Directory Traversal Upload
and Overwrite (scada.rules)
2805369 - ETPRO TROJAN Porn-Dialer.Win32.PluginAccess.s Checkin (trojan.rules)
2807021 - ETPRO TROJAN CVE-2012-0158 related C&C beacon (trojan.rules)
[///] Modified inactive rules: [///]
2011235 - ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE
Verb Stack Overflow Attempt (exploit.rules)
2012114 - ET TROJAN Trojan.BackDoor-DRV.gen.c Reporting-2 (trojan.rules)
2012440 - ET TROJAN Downloader.Win32.Agent.bqkb Reporting (trojan.rules)
2013755 - ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-1
(trojan.rules)
2014662 - ET DOS Microsoft Remote Desktop Protocol (RDP)
maxChannelIds Integer indef DoS Attempt (dos.rules)
2014663 - ET DOS Microsoft Remote Desktop Protocol (RDP)
maxChannelIds Negative Integer indef DoS Attempt (dos.rules)
2014710 - ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH
Overwrite (activex.rules)
2015669 - ET CURRENT_EVENTS Malicious Redirect n.php h=*&s=*
(current_events.rules)
2016987 - ET TROJAN KeyBoy Backdoor SysInfo Response header (trojan.rules)
2016988 - ET TROJAN KeyBoy Backdoor File Manager Response Header
(trojan.rules)
2016989 - ET TROJAN KeyBoy Backdoor File Download Response Header
(trojan.rules)
2016990 - ET TROJAN KeyBoy Backdoor File Upload Response Header (trojan.rules)
2017250 - ET CURRENT_EVENTS %Hex Encoded jnlp_embedded (Observed in
Sakura) (current_events.rules)
2800884 - ETPRO POP3 Pegasus Mail error overflow attempt (pop3.rules)
2801270 - ETPRO WEB_CLIENT Microsoft Windows Kodak Image Viewer
Flowbit Set Little Endian (web_client.rules)
2801724 - ETPRO SCADA WonderWare SuiteLink DOS Attempt (scada.rules)
2801725 - ETPRO SCADA RealWin INFOTAG/SET_CONTROL Packet Processing
Buffer Overflow (scada.rules)
2801727 - ETPRO SCADA Wonderware InBatch Buffer Overflow Attempt (scada.rules)
2801728 - ETPRO SCADA Sielco Sistemi WinLog Stack Overflow Attempt
(scada.rules)
2801730 - ETPRO SCADA RealWin HMI Service Buffer Overflow Attempt 1
(scada.rules)
2801731 - ETPRO SCADA RealWin HMI Service Buffer Overflow Attempt 2
(scada.rules)
2801732 - ETPRO SCADA RealWin HMI Service Buffer Overflow Attempt 3
(scada.rules)
2801733 - ETPRO SCADA NetBiter Config HICP Hostname Buffer Overflow
(scada.rules)
2801734 - ETPRO SCADA WellinTech KingView Remote Heap Overflow
Attempt (scada.rules)
2805152 - ETPRO TROJAN HackTool.MSIL.Flooder.gen Checkin (trojan.rules)
2805423 - ETPRO TROJAN Worm.Win32.Flame.a Checkin (trojan.rules)
2805459 - ETPRO TROJAN Win32/Punad.G infected system ad retrieve
(trojan.rules)
2805735 - ETPRO TROJAN Backdoor Boomie.A Checkin Command 2 (trojan.rules)