[***] Summary: [***]

19 new OPEN, 25 new PRO (19 + 9) Lazarus APT, Ursnif and Cobalt Strike CnC DNS sigs, Moar CVE-2021-41773, another MirrorBlast sig and ESPecter Bootkit!

Thanks @JAMESWT_MHT and @welivesecurity

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034127 - ET TROJAN Tordal/Hancitor/Chanitor Checkin (trojan.rules)
2034128 - ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M3 (exploit.rules)
2034129 - ET WEB_SPECIFIC_APPS Possible Wordpress Plugin TheCartPress Privilege Escalation Attempt Inbound (web_specific_apps.rules)
2034130 - ET INFO Suspicious POST to Axis OS (smtptest.cgi) (info.rules)
2034131 - ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (sharemanage .elwoodasset .xyz) (trojan.rules)
2034132 - ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (dshellelink .gcloud-share .com) (trojan.rules)
2034133 - ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (dev .sslsharecloud .net) (trojan.rules)
2034134 - ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (signverydn .sharebusiness .xyz) (trojan.rules)
2034135 - ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (gsheet .gdocsdown .com) (trojan.rules)
2034136 - ET TROJAN MirrorBlast KiXtart Downloader Client Request M2 (trojan.rules)
2034137 - ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (share .devprocloud .com) (trojan.rules)
2034138 - ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (product .onlinedoc .dev) (trojan.rules)
2034139 - ET TROJAN Lazarus APT Related CnC Domain in DNS Lookup (www .googlesheetpage .org) (trojan.rules)
2034140 - ET TROJAN Observed Ursnif CnC Domain (Gloderuniok .website in TLS SNI) (trojan.rules)
2034141 - ET TROJAN Observed Ursnif CnC Domain (Vloderuniok .website in TLS SNI) (trojan.rules)
2034142 - ET TROJAN Observed Cobalt Strike CnC Domain (Gojihu .com in TLS SNI) (trojan.rules)
2034143 - ET TROJAN Observed Cobalt Strike CnC Domain (Yuxicu .com in TLS SNI) (trojan.rules)
2034144 - ET POLICY NSecSoft Remote Monitoring Update/Download Activity M1 (policy.rules)
2034145 - ET TROJAN ESPecter Bootkit Initialization Activity (GET) (trojan.rules)

Pro:

2850123 - ETPRO TROJAN CobaltStrike Malleable C2 Beacon (Github Profile) M1 (trojan.rules)
2850124 - ETPRO TROJAN CobaltStrike Malleable C2 Beacon (Github Profile) M2 (trojan.rules)
2850125 - ETPRO EXPLOIT Possible XStream Library ReflectionConverter Insecure Deserialization Inbound (CVE-2019-10173) (exploit.rules)
2850126 - ETPRO TROJAN CobaltStrike Payload Inbound M1 (trojan.rules)
2850127 - ETPRO TROJAN CobaltStrike Payload Inbound M2 (trojan.rules)
2850128 - ETPRO EXPLOIT Possible Microsoft Windows DHCPv6 Client ParseDhcpv6Options Code Execution (CVE-2019-0698) (exploit.rules)

[///] Modified active rules: [///]

2033243 - ET TROJAN Mirai pTea Variant - Attack Command Inbound (trojan.rules)
2033960 - ET POLICY [@Silv0123] Possible Fake Microsoft Office User-Agent Observed (policy.rules)
2034124 - ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M1 (exploit.rules)
2034125 - ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2 (exploit.rules)
2849913 - ETPRO TROJAN Generic AsyncRAT Style SSL Cert (trojan.rules)
2850113 - ETPRO INFO Suspicious POST to Misspelled php Resource (info.rules)

[---] Removed rules: [---]

2819978 - ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin (trojan.rules)