[***] Summary: [***]

7 new OPEN, 13 new PRO (7 + 6). BlackMatter, JSWORM, MagnitudeEK, Sabsik, Remcos, Various Phishing.

Thanks: @USCERT_gov, @CISAInfraSec

Proofpoint is looking to hire a Product Manager to oversee the Emerging Threats products group. Interested? Check out the posting here<https://proofpoint.wd5.myworkdayjobs.com/ProofpointCareers/job/Sunnyval…>, and reach out with any questions.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034225 - ET TROJAN [CISA AA21-291A] Possible BlackMatter Ransomware Lateral Movement (trojan.rules)

2034226 - ET CURRENT_EVENTS Observed Malicious SSL/TLS Certificate (MagnitudeEK Associated) (current_events.rules)

2034227 - ET TROJAN Observed Malicious SSL/TLS Certificate (MagnitudeEK Associated) (trojan.rules)

2034228 - ET INFO Fake AppleWebKit User-Agent Version Number Observed (info.rules)

2034229 - ET TROJAN Trojan:Win32/Sabsik.FL.B!ml CnC Activity (trojan.rules)

2034230 - ET TROJAN Win32/JSWORM Ransomware Style Geo IP Check M1 (trojan.rules)

2034231 - ET TROJAN Win32/JSWORM Ransomware Style Geo IP Check M2 (trojan.rules)

Pro:

2850243 - ETPRO TROJAN Win32/CoinMiner.ESFJ!tr Config Inbound (trojan.rules)

2850244 - ETPRO WEB_CLIENT Possible V8 Engine Type Confusion Exploit Inbound - POC Based (CVE-2021-21224) (web_client.rules)

2850245 - ETPRO TROJAN Win32/Remcos RAT Checkin 759 (trojan.rules)

2850246 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-10-19 (current_events.rules)

2850247 - ETPRO CURRENT_EVENTS Possible Generic Phishing Directory Path M1 (current_events.rules)

2850248 - ETPRO CURRENT_EVENTS Possible Generic Phishing Directory Path M2 (current_events.rules)

[///] Modified active rules: [///]

2030309 - ET EXPLOIT Wireless IP Camera (P2) WIFICAM Remote Code Execution (exploit.rules)

2839790 - ETPRO INFO Windows BITS UA Retrieving EXE (info.rules)

2842588 - ETPRO INFO Windows BITS UA Retrieving EXE M2 (info.rules)

[---] Disabled rules: [---]

2017064 - ET CURRENT_EVENTS Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity (current_events.rules)

[---] Removed rules: [---]

2034213 - ET TROJAN Possible BlackByte Ransomware Encryption Key Inbound (fake .png) (trojan.rules)
