[***] Summary: [***]
20 new OPEN, 35 new PRO (20 + 15). Multiple CVE, TA408, ELF/AbcBot,
Cobalt Strike, GuLoader.
Thanks @AhnLab_SecuInfo
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
We are hiring a Threat Detection Engineer!
https://proofpoint.wd5.myworkdayjobs.com/ProofpointCareers/job/Illinois…
[+++] Added rules: [+++]
Open:
2034493 - ET EXPLOIT UPnP UUID Password Change Exploit Attempt Inbound - XR300 PoC Gadgets (CVE-2021-34991) (exploit.rules)
2034494 - ET EXPLOIT UPnP UUID Password Change Exploit Attempt Inbound - R6700V3 PoC Gadgets (CVE-2021-34991) (exploit.rules)
2034495 - ET INFO Possible UPnP UUID Overflow Exploit Attempt from External Host - SUBSCRIBE/UNSUBSCRIBE (info.rules)
2034496 - ET INFO Possible UPnP UUID Overflow Exploit Attempt from Internal Host - SUBSCRIBE/UNSUBSCRIBE (info.rules)
2034497 - ET INFO Possible UPnP UUID Overflow Exploit Attempt from External Host - NOTIFY (info.rules)
2034498 - ET INFO Possible UPnP UUID Overflow Exploit Attempt from Internal Host - NOTIFY (info.rules)
2034499 - ET ATTACK_RESPONSE Obfuscated VBS Inbound - Underscore Var/Chr/math (attack_response.rules)
2034500 - ET MALWARE Unattributed WebShell Access - File Upload (malware.rules)
2034501 - ET MALWARE Unattributed WebShell Access - Command Execution (malware.rules)
2034502 - ET TROJAN ELF/AbcBot CnC Checkin (trojan.rules)
2034503 - ET TROJAN ELF/AbcBot Requesting Commands from CnC (trojan.rules)
2034504 - ET ATTACK_RESPONSE Bash Script Inbound - Kill Coin Mining Related Processes (attack_response.rules)
2034505 - ET POLICY Burp Collaborator Domain in DNS Query (policy.rules)
2034506 - ET POLICY Burp Collaborator Domain in TLS SNI (policy.rules)
2034507 - ET POLICY Burp Collaborator Certificate Inbound (policy.rules)
2034508 - ET SCAN Laravel Debug Mode Information Disclosure Probe Inbound (scan.rules)
2034509 - ET EXPLOIT .NET Framework Remote Code Execution Injection (CVE-2020-0646) (exploit.rules)
2034510 - ET EXPLOIT .NET Framework Remote Code Execution Injection (CVE-2020-1147) (exploit.rules)
2034511 - ET TROJAN TA408 Related Activity (GET) (trojan.rules)
2034512 - ET MOBILE_MALWARE Kimsuky AppleSeed CnC Checkin M2 (mobile_malware.rules)
Pro:
2850486 - ETPRO TROJAN Observed Malicious SSL/TLS Certificate (CobaltStrike CnC) (trojan.rules)
2850487 - ETPRO TROJAN Observed Malicious SSL/TLS Certificate (CobaltStrike CnC) (trojan.rules)
2850488 - ETPRO INFO V8 JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M1 (info.rules)
2850489 - ETPRO INFO V8 JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M2 (info.rules)
2850490 - ETPRO INFO V8 JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M3 (info.rules)
2850491 - ETPRO INFO Chakra JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M1 (info.rules)
2850492 - ETPRO INFO Chakra JavaScript Engine JIT Forcing Observed - Investigate Possible Exploitation M2 (info.rules)
2850493 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-16 1) (trojan.rules)
2850494 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-16 2) (trojan.rules)
2850495 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-16 3) (trojan.rules)
2850496 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-11-16 4) (trojan.rules)
2850497 - ETPRO TROJAN Dridex CnC Activity (trojan.rules)
2850498 - ETPRO POLICY Observed Anonymous File Share Domain in TLS SNI (policy.rules)
2850499 - ETPRO POLICY Anonymous File Sharing DNS Lookup (policy.rules)
2850500 - ETPRO TROJAN GuLoader Retrieving Payload (trojan.rules)
[///] Modified active rules: [///]
2000418 - ET POLICY Executable and linking format (ELF) file download (policy.rules)
2012801 - ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup (trojan.rules)
2031535 - ET EXPLOIT Possible TerraMaster TOS RCE Inbound (CVE-2020-28188 CVE-2020-35665) (exploit.rules)
2815142 - ETPRO TROJAN Bergard Checkin 1 (trojan.rules)