[***] Summary: [***]
16 new OPEN, 27 new PRO (16 + 11). Wintervivern, Elysium Stealer,
CVE-2021-41773, and W32.Tomiris C2.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2034111 - ET MALWARE Observed DNS Query to Known PUA Host Domain (malware.rules)
2034112 - ET MALWARE Observed DNS Query to Known PUA Host Domain (malware.rules)
2034113 - ET MALWARE Observed HTTP Request to Known PUA Host Domain (malware.rules)
2034114 - ET MALWARE Observed HTTP Request to Known PUA Host Domain (malware.rules)
2034115 - ET TROJAN Wintervivern Retrieving Commands (trojan.rules)
2034116 - ET TROJAN Wintervivern Activity M4 (GET) (trojan.rules)
2034117 - ET TROJAN Wintervivern Activity M5 (GET) (trojan.rules)
2034118 - ET POLICY AmeriTechnology Group - CHARM Client (policy.rules)
2034119 - ET TROJAN W32.Tomiris C2 (init) (trojan.rules)
2034120 - ET TROJAN Observed Elysium Stealer Domain in TLS SNI (get-europe-group .bar) (trojan.rules)
2034121 - ET TROJAN Observed Elysium Stealer Domain in TLS SNI (download-serv-234116 .xyz) (trojan.rules)
2034122 - ET TROJAN Observed Elysium Stealer Domain in TLS SNI (manholi .xyz) (trojan.rules)
2034123 - ET TROJAN Observed Elysium Stealer Domain in TLS SNI (phonefix .bar) (trojan.rules)
2034124 - ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M1 (exploit.rules)
2034125 - ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2 (exploit.rules)
2034126 - ET POLICY Apache HTTP Server 2.4.49 Observed - Vulnerable to CVE-2021-41773 (policy.rules)
Pro:
2850108 - ETPRO TROJAN Python-Backdoor Activity (POST) (trojan.rules)
2850109 - ETPRO TROJAN Python-Backdoor Sending Location/Host Information (POST) (trojan.rules)
2850110 - ETPRO TROJAN Python-Backdoor Sending Instructions (POST) (trojan.rules)
2850111 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-10-05 (current_events.rules)
2850112 - ETPRO TROJAN MSIL/CoinMiner.ACM CnC Commands Inbound (trojan.rules)
2850113 - ETPRO INFO Suspicious POST to Mispelled php Resource (info.rules)
2850114 - ETPRO TROJAN Win32/Elysium Stealer CnC Checkin (trojan.rules)
2850115 - ETPRO TROJAN Trojan:Script/Wacatac Download (trojan.rules)
2850116 - ETPRO TROJAN Trojan:Script/Wacatac Download (trojan.rules)
2850117 - ETPRO CURRENT_EVENTS Possible PancakeSwap Cred Phishing POST (current_events.rules)
2850118 - ETPRO TROJAN Win32/Remcos RAT Checkin 756 (trojan.rules)
[///] Modified active rules: [///]
2034001 - ET CURRENT_EVENTS PerSwaysion Phishkit Javascript - Observed Repetitive Custom CSS Components (current_events.rules)
2034026 - ET CURRENT_EVENTS PerSwaysion Phishkit Javascript Variable (current_events.rules)
2034027 - ET CURRENT_EVENTS PerSwaysion Phishkit Landing Page (current_events.rules)
2034028 - ET CURRENT_EVENTS PerSwaysion Phishkit Message Variables (current_events.rules)
2034091 - ET TROJAN MirrorBlast KiXtart Downloader Client Request (trojan.rules)
2034110 - ET TROJAN MirrorBlast KiXtart Downloader Server Response (trojan.rules)
2850018 - ETPRO CURRENT_EVENTS ET INFO Observed HTTP GET to outdatedbrowser .com (current_events.rules)