[***] Summary: [***]
14 new OPEN, 27 new PRO (14 + 13) MSIL/Agent.DPU Reverse Shell, CollectorStealer, CobaltStrike, Redline and Various CoinMiner
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2034320 - ET TROJAN Win32/CollectorStealer - Returning Client GeoIP Information (trojan.rules)
2034321 - ET TROJAN Observed Win32/CollectorStealer User-Agent M2 (trojan.rules)
2034322 - ET TROJAN Observed Win32/CollectorStealer User-Agent M1 (trojan.rules)
2034323 - ET TROJAN Win32/CollectorStealer - Uploading System Information (trojan.rules)
2034324 - ET TROJAN Win32/CollectorStealer CnC Exfil M3 (trojan.rules)
2034325 - ET TROJAN TA450 Nagual CnC Activity (trojan.rules)
2034326 - ET CURRENT_EVENTS IRS Payment Credential Phish Form (current_events.rules)
2034327 - ET CURRENT_EVENTS IRS Credential Phish Direct Deposit Payment Data Exfil (current_events.rules)
2034328 - ET CURRENT_EVENTS IRS Credential Phish Credit Card Payment Data Exfil (current_events.rules)
2034329 - ET CURRENT_EVENTS IRS Payment Credential Phish Debit Card or Check Data Exfil (current_events.rules)
2034330 - ET INFO Possible GoCD Authentication Bypass URI Path - add-on (info.rules)
2034331 - ET EXPLOIT GoCD Authentication Bypass URI Path - add-on (exploit.rules)
2034332 - ET INFO Possible GoCD Authentication Bypass URI Path - cruise_config (info.rules)
2034333 - ET EXPLOIT GoCD Authentication Bypass Successful Leak (exploit.rules)
Pro:
2850337 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-01 1) (trojan.rules)
2850338 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-01 2) (trojan.rules)
2850339 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-01 3) (trojan.rules)
2850340 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-01 4) (trojan.rules)
2850341 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-01 5) (trojan.rules)
2850342 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-01 6) (trojan.rules)
2850347 - ETPRO TROJAN Possible MalDoc Retrieving Payload 2021-11-01 (trojan.rules)
2850348 - ETPRO TROJAN MSIL/Agent.DPU Reverse Shell M1 (trojan.rules)
2850349 - ETPRO TROJAN MSIL/Agent.DPU Reverse Shell M2 (trojan.rules)
2850350 - ETPRO TROJAN MSIL/Agent.DPU Reverse Shell M3 (trojan.rules)
2850351 - ETPRO MALWARE CobaltStrike Malleable C2 Beacon (Unk Profile) (malware.rules)
2850352 - ETPRO MALWARE CobaltStrike Malleable C2 Beacon (Unk Profile) (malware.rules)
2850353 - ETPRO MALWARE Redline Stealer TCP CnC - Id1Response (malware.rules)
[///] Modified active rules: [///]
2030231 - ET TROJAN SHLAYER CnC (trojan.rules)
2031198 - ET TROJAN Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil (trojan.rules)
2033203 - ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) (trojan.rules)
2033204 - ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) (trojan.rules)
2837164 - ETPRO TROJAN MSIL/Agent.DPU RAT Reporting System Details (trojan.rules)
2850316 - ETPRO MALWARE Observed SmokeLoader CnC Activity (malware.rules)
[---] Removed rules: [---]
2841213 - ETPRO TROJAN Win32/Babulya Stealer Uploading System Information (trojan.rules)
2841214 - ETPRO TROJAN Win32/Babulya Stealer Returning Client GeoIP Information (trojan.rules)
2842589 - ETPRO TROJAN Observed Win32/Babulya User-Agent (trojan.rules)
2843121 - ETPRO TROJAN Observed Babulya/CollectorStealer User-Agent (trojan.rules)
2843697 - ETPRO TROJAN Win32/Spy.Agent.PYU Variant CnC Exfil (trojan.rules)