[***] Summary: [***]

13 new OPEN, 29 new PRO (13 + 16). Multiple CVE, Cobalt Strike,
DTLoader, Raccoon Stealer, Various Phish and Emotet (because what's
Monday without a little Emotet).

Thanks @Max_Mal_, @Cynet360 and @fr0s7_

We are hiring a Threat Detection Engineer (Remote),
https://proofpoint.wd5.myworkdayjobs.com/ProofpointCareers/job/Illinois…

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034452 - ET TROJAN Possible MalDoc Retrieving Payload 2021-07-19 (trojan.rules)
2034453 - ET EXPLOIT Possible Engineers Online Portal System Webshell Upload (CVE-2021-42669) (exploit.rules)
2034454 - ET EXPLOIT Possible Engineers Online Portal System Access Control Bypass (CVE-2021-42671) (exploit.rules)
2034455 - ET EXPLOIT Possible Gitlab CE/EE Image Parser RCE Inbound (CVE-2021-22205) (exploit.rules)
2034456 - ET TROJAN Observed Malicious SSL Cert (BitRAT) (trojan.rules)
2034457 - ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com) (policy.rules)
2034458 - ET POLICY Observed DNS Query to DynDNS Domain (linkpc .net) (policy.rules)
2034459 - ET TROJAN W32/Emotet CnC Beacon 3 (trojan.rules)
2034460 - ET TROJAN MalDoc Retrieving Payload 2021-06-15 (trojan.rules)
2034461 - ET INFO Suspicious Terse HTTP Request to textbin (info.rules)
2034462 - ET TROJAN Cobalt Strike CnC Domain in DNS Lookup (awsmcafee .com) (trojan.rules)
2034463 - ET TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile M5 (trojan.rules)
2034464 - ET TROJAN Possible MalDoc Retrieving Payload 2021-11-01 (trojan.rules)

Pro:

2850451 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-13 1) (trojan.rules)
2850452 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-13 2) (trojan.rules)
2850453 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2850454 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2850455 - ETPRO INFO URL Shortener Service Domain in DNS Lookup (linkiti .com) (info.rules)
2850456 - ETPRO CURRENT_EVENTS Generic Credential Phish Activity GET 2021-11-15 (current_events.rules)
2850457 - ETPRO CURRENT_EVENTS Generic Credential Phish Landing Page 2021-11-15 (current_events.rules)
2850458 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish Activity 2021-11-15 (current_events.rules)
2850459 - ETPRO CURRENT_EVENTS Successful Generic Credential Phish Activity 2021-11-15 (current_events.rules)
2850460 - ETPRO CURRENT_EVENTS Paypal Phish 2021-11-15 (current_events.rules)
2850461 - ETPRO TROJAN DTLoader Retrieving Encoded Payload (trojan.rules)
2850462 - ETPRO TROJAN Win32.Raccoon Stealer - Telegram Mirror Checkin (IP based) M1 (trojan.rules)
2850463 - ETPRO TROJAN Win32.Raccoon Stealer - Telegram Mirror Checkin (IP based) M2 (trojan.rules)
2850464 - ETPRO TROJAN Win32.Raccoon Stealer - Telegram Mirror Checkin (IP based) M3 (trojan.rules)
2850465 - ETPRO TROJAN Win32.Raccoon Stealer - Telegram Mirror Checkin (IP based) M4 (trojan.rules)
2850466 - ETPRO TROJAN Win32.Raccoon Stealer - Telegram Mirror Checkin (IP based) M5 (trojan.rules)

[///] Modified active rules: [///]

2016067 - ET POLICY Possible BitCoin Miner User-Agent (miner) (policy.rules)
2838435 - ETPRO POLICY Observed DNS Query to DynDNS Domain (myddns .rocks) (policy.rules)

[---] Removed rules: [---]

2848957 - ETPRO TROJAN Likely MalDoc Retrieving Payload 2021-06-15 (trojan.rules)
2849334 - ETPRO TROJAN Possible MalDoc Retrieving Payload 2021-07-19 (trojan.rules)
2850347 - ETPRO TROJAN Possible MalDoc Retrieving Payload 2021-11-01 (trojan.rules)
