[***] Summary: [***]
4 new OPEN, 21 new PRO (4 + 17). FoggyWeb Backdoor, BazaLoader,
additional CVE-2021-22005, Others.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2034034 - ET TROJAN FoggyWeb Backdoor Incoming Request (GET) (trojan.rules)
2034035 - ET TROJAN FoggyWeb Backdoor Incoming Request (POST) (trojan.rules)
2034036 - ET TROJAN Possible FoggyWeb Backdoor Server Response (trojan.rules)
2034037 - ET EXPLOIT VMware vCenter RCE Exploitation Attempt M2 (CVE-2021-22005) (exploit.rules)
Pro:
2850061 - ETPRO TROJAN Remcos RAT CnC Domain in DNS Lookup (trojan.rules)
2850062 - ETPRO TROJAN BazaLoader Activity (GET) (trojan.rules)
2850063 - ETPRO TROJAN BazaLoader Activity (POST) (trojan.rules)
2850064 - ETPRO TROJAN Win32/VERTEX Stealer CnC Activity (GET) (trojan.rules)
2850065 - ETPRO MALWARE Possible ZuRu CnC Activity (malware.rules)
2850066 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-09-28 1) (trojan.rules)
2850067 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-09-28 2) (trojan.rules)
2850068 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-09-28 3) (trojan.rules)
2850069 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-09-28 4) (trojan.rules)
2850070 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-09-28 5) (trojan.rules)
2850071 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-09-28 6) (trojan.rules)
2850072 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-09-28 7) (trojan.rules)
2850073 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-09-28 8) (trojan.rules)
2850074 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-09-28 9) (trojan.rules)
2850075 - ETPRO TROJAN Win32/Unk.Wixshe CnC Activity (trojan.rules)
2850076 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-09-28 (current_events.rules)
2850077 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-09-28 (current_events.rules)
[///] Modified active rules: [///]
2034024 - ET TROJAN Jupyter Stealer CnC Checkin (trojan.rules)
2848075 - ETPRO TROJAN W32/PSWSteal.VBMT64/VERTEX Stealer CnC Activity (trojan.rules)
2848076 - ETPRO TROJAN W32/PSWSteal.VBMT64/VERTEX Stealer CnC Activity (trojan.rules)
2848215 - ETPRO TROJAN Win32/ArtraDownloader CnC Activity (GET) (trojan.rules)
2850028 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M1 flowbit set (CVE-2021-22005) (exploit.rules)
2850029 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M2 flowbit set (CVE-2021-22005) (exploit.rules)
2850030 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M3 flowbit set (CVE-2021-22005) (exploit.rules)
2850055 - ETPRO EXPLOIT VMware vCenter RCE Exploitation Attempt M1 (CVE-2021-22005) (exploit.rules)
[///] Modified inactive rules: [///]
2850036 - ETPRO TROJAN BazaLoader Activity (GET) (trojan.rules)
2850038 - ETPRO TROJAN BazaLoader Activity M2 (GET) (trojan.rules)
2850039 - ETPRO TROJAN BazaLoader Activity (POST) (trojan.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team