[***] Summary: [***]

17 new OPEN, 22 new PRO (17 + 5). TransparentTribe, Win32/Bisonal,
OSX/ZuRu, Win32.Raccoon Stealer, Go/Kryptik.H CnC, MSIL/Agent.CFW.

Thanks: @nao_sec, @malwrhunterteam, @AuCyble, and @s1ckb017

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2033958 - ET MALWARE Win32/TrojanDownloader.Adload.NSD Variant Checkin
(malware.rules)
2033959 - ET INFO DNS Lookup for 8+ hexadecimal only duckdns domain
(info.rules)
2033960 - ET POLICY [@Silv0123] Possible Fake Microsoft Office User-Agent
Observed (policy.rules)
2033961 - ET TROJAN Fake Software Download Redirect Leading to Malware M3
(trojan.rules)
2033962 - ET TROJAN TransparentTribe Related CnC Activity (trojan.rules)
2033963 - ET TROJAN Win32/Bisonal Backdoor CnC Domain in DNS Lookup
(trojan.rules)
2033964 - ET TROJAN Win32/Bisonal Backdoor CnC Activity (POST)
(trojan.rules)
2033965 - ET TROJAN OSX/ZuRu Activity (POST) (trojan.rules)
2033966 - ET INFO Telegram API Domain in DNS Lookup (info.rules)
2033967 - ET INFO Observed Telegram API Domain (api .telegram .org in TLS
SNI) (info.rules)
2033968 - ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647)
M2 (exploit.rules)
2033969 - ET EXPLOIT Netgear Seventh Inferno Vulnerability (new line
injection) (exploit.rules)
2033970 - ET EXPLOIT Netgear Seventh Inferno Vulnerability (fake packet
upload) (exploit.rules)
2033971 - ET EXPLOIT Netgear Seventh Inferno Vulnerability (post-auth
shell injection) (exploit.rules)
2033972 - ET TROJAN Observed Elysium Stealer Domain (phonefix .bar in TLS
SNI) (trojan.rules)
2033973 - ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency
download) (trojan.rules)
2033974 - ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt
(trojan.rules)
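
Added example, not part of the ruleset or of this summary: the condition
named in 2033959 (a DNS lookup for a duckdns.org host whose label is eight
or more hexadecimal characters and nothing else) expressed as a small
Python hunt over constructed DNS query log lines. The log layout
(timestamp, client, qname, qtype) and every hostname below are
assumptions made for the example; nothing here is captured traffic. The
point is to show what the signature does and does not match, which is
also what makes it an INFO rule rather than a TROJAN rule: people do pick
hex-looking DDNS names.

```python
import re

# Constructed sample DNS query log, "timestamp client qname qtype" per line.
# These are example hostnames, not observed indicators.
SAMPLE_DNS_LOG = """\
2021-09-16T10:01:02Z 10.0.0.5 www.example.com A
2021-09-16T10:01:03Z 10.0.0.5 a1b2c3d4e5f6.duckdns.org A
2021-09-16T10:01:04Z 10.0.0.7 myhome.duckdns.org A
2021-09-16T10:01:05Z 10.0.0.9 deadbeef.duckdns.org AAAA
2021-09-16T10:01:06Z 10.0.0.9 abc123.duckdns.org A
2021-09-16T10:01:07Z 10.0.0.9 0123456789ABCDEF.DUCKDNS.ORG A
2021-09-16T10:01:08Z 10.0.0.9 a1b2c3d4.notduckdns.org A
2021-09-16T10:01:09Z 10.0.0.9 cafebabe.duckdns.org.evil.com A
"""

# Exactly one label under duckdns.org, made only of 8+ hex digits, matched
# case-insensitively. Anchored at both ends (optional trailing dot for FQDN
# form) so "x.duckdns.org.evil.com" and "abc123.duckdns.org" do not match.
HEX_DUCKDNS = re.compile(
    r"^(?P<label>[0-9a-f]{8,})\.duckdns\.org\.?$", re.IGNORECASE
)


def is_hex_duckdns(qname: str) -> bool:
    """True when qname is a hex-only duckdns.org host with an 8+ char label."""
    return HEX_DUCKDNS.match(qname.strip()) is not None


def hunt(log_text: str) -> list[dict]:
    """Return one record per matching query, with qname normalised to lowercase."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, client, qname, qtype = parts[:4]
        if is_hex_duckdns(qname):
            hits.append(
                {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype}
            )
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} ({hit['qtype']})")
```

Of the eight sample lines only three match: the 12-, 8- and 16-character
hex labels. "abc123" is hex but too short, "myhome" is not hex, and the two
look-alike domains fail the anchoring. Run it over your own resolver or
Zeek dns.log export to see which hosts would have fired before the rule
was deployed.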

Pro:

2849985 - ETPRO TROJAN Go/Kryptik.H CnC Activity (trojan.rules)
2849986 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-09-16
(current_events.rules)
2849987 - ETPRO TROJAN Win32/Remcos RAT Checkin 749 (trojan.rules)
2849988 - ETPRO TROJAN MSIL/Agent.CFW CnC Exfil via Telegram M2
(trojan.rules)
2849989 - ETPRO INFO Observed ZIP Inbound with Content-Type Mismatch
(image/png) (info.rules)
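
Added example, not part of the ruleset or of this summary: the check
behind 2849989 (an inbound HTTP response whose Content-Type header says
image/png while the body starts with a ZIP signature) written out in
Python against a constructed response. The header parser, the sample
responses and the function names are assumptions for the example, not the
ETPRO rule's implementation. One caveat worth knowing when triaging hits:
OOXML documents, JARs and APKs are ZIP containers and carry the same
PK magic, so a mismatch alert can be any of those, not only a plain .zip.

```python
# ZIP signatures: local file header, end-of-central-directory (empty
# archive), and spanned-archive marker. Any ZIP-based container starts
# with one of these, including docx/xlsx/jar/apk.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed responses, not captured traffic.
MISMATCH_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png; charset=binary\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20
)
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"\r\n"
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
)


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def declared_type(headers: dict) -> str:
    """Media type from Content-Type with any parameters (charset etc.) dropped."""
    return headers.get("content-type", "").split(";")[0].strip().lower()


def sniff(body: bytes) -> str:
    """Media type inferred from leading magic bytes only."""
    if body.startswith(ZIP_MAGICS):
        return "application/zip"
    if body.startswith(PNG_MAGIC):
        return "image/png"
    return "unknown"


def content_type_mismatch(raw: bytes):
    """Return (declared, sniffed, alert) where alert mirrors the 2849989 condition."""
    _, headers, body = parse_response(raw)
    declared = declared_type(headers)
    actual = sniff(body)
    alert = declared == "image/png" and actual == "application/zip"
    return declared, actual, alert


if __name__ == "__main__":
    for label, resp in (("mismatch", MISMATCH_RESPONSE), ("benign", BENIGN_RESPONSE)):
        print(label, content_type_mismatch(resp))
```

Comparing the declared type against the first bytes of the body, rather
than the file extension in the URL, is what makes this useful for catching
droppers that hide an archive behind an image path; extend the magic table
if you want the same idea for other container types.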

[///] Modified active rules: [///]

2033249 - ET TROJAN Kaseya VSA Exploit Activity M2 (SET) (trojan.rules)
2033939 - ET TROJAN SQUIRRELWAFFLE Loader Activity (POST) (trojan.rules)
2033952 - ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647)
M1 (exploit.rules)
2821409 - ETPRO MALWARE Various Adware/PUA Client Checkin (malware.rules)
