[***] Summary: [***]
9 new OPEN, 15 new PRO (9 + 6). Multiple CVEs, Android TangleBot, RedLine Stealer.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2033856 - ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Outbound (CVE-2021-32305) (exploit.rules)
2033857 - ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Inbound (CVE-2021-32305) (exploit.rules)
2034005 - ET EXPLOIT Fortinet FortiOS/FortiProxy SSL VPN Web Portal Path Traversal (CVE-2018-13379) (exploit.rules)
2034006 - ET WEB_SERVER Possible WebShell Access Inbound [exec] M1 (CISA AA21-259A) (web_server.rules)
2034007 - ET WEB_SERVER Possible WebShell Access Inbound [exec] M2 (CISA AA21-259A) (web_server.rules)
2034008 - ET WEB_SERVER Possible WebShell Access Inbound [exec] M3 (CISA AA21-259A) (web_server.rules)
2034009 - ET WEB_SERVER Possible WebShell Access Inbound [upload] M1 (CISA AA21-259A) (web_server.rules)
2034010 - ET WEB_SERVER Possible WebShell Access Inbound [upload] M2 (CISA AA21-259A) (web_server.rules)
2034011 - ET WEB_SERVER Possible WebShell Access Inbound [upload] M3 (CISA AA21-259A) (web_server.rules)
Pro:
2850020 - ETPRO MOBILE_MALWARE Android TangleBot Activity (mobile_malware.rules)
2850021 - ETPRO MOBILE_MALWARE Android TangleBot CnC Response (mobile_malware.rules)
2850024 - ETPRO TROJAN Powershell.WC Octopus Backdoor Sending Windows Information M2 (POST) (trojan.rules)
2850025 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.Pctt Checkin (mobile_malware.rules)
2850026 - ETPRO TROJAN Powershell.WC Octopus Backdoor Activity (POST) (trojan.rules)
2850027 - ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init (trojan.rules)
[///] Modified active rules: [///]
2016067 - ET POLICY Possible BitCoin Miner User-Agent (miner) (policy.rules)
2033970 - ET EXPLOIT Netgear Seventh Inferno Vulnerability (fake packet upload) (exploit.rules)
2033971 - ET EXPLOIT Netgear Seventh Inferno Vulnerability (post-auth shell injection) (exploit.rules)
2033984 - ET TROJAN Possible SQUIRRELWAFFLE Server Response (trojan.rules)
2033996 - ET CURRENT_EVENTS Outdated Browser Lure Landing Page M1 (current_events.rules)
2033997 - ET CURRENT_EVENTS Outdated Browser Lure Landing Page M2 (current_events.rules)
2033998 - ET CURRENT_EVENTS Outdated Browser Lure Landing Page M3 (current_events.rules)
2033999 - ET CURRENT_EVENTS PerSwaysion Phishkit Javascript Checks if New Visitor (current_events.rules)
2034000 - ET CURRENT_EVENTS PerSwaysion Phishkit Javascript Config Variables (current_events.rules)
2034001 - ET CURRENT_EVENTS PerSwaysion Phishkit Javascript - Observed Repetitive Custom CSS Components (current_events.rules)
2034003 - ET CURRENT_EVENTS Generic Phishkit Javascript Response with Phishy Text (current_events.rules)
2811577 - ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) (trojan.rules)
2849988 - ETPRO TROJAN MSIL/Agent.CFW CnC Exfil via Telegram M2 (trojan.rules)
2849997 - ETPRO TROJAN MSIL/ClipBanker.QS CnC Server Response (trojan.rules)
2849999 - ETPRO TROJAN MSIL/Agent.CFW CnC Exfil via Telegram M1 (trojan.rules)
2850006 - ETPRO TROJAN MSIL/ClipBanker.QS CnC Checkin (trojan.rules)
2850018 - ETPRO CURRENT_EVENTS ET INFO Observed HTTP GET to outdatedbrowser .com (current_events.rules)
[---] Removed rules: [---]
2033856 - ET TROJAN Possible Mirai Infection Attempt via OS Command Injection Outbound (CVE-2021-32305) (trojan.rules)
2033857 - ET TROJAN Possible Mirai Infection Attempt via OS Command Injection Inbound (CVE-2021-32305) (trojan.rules)