[***] Summary: [***]

6 new OPEN, 16 new PRO (6 + 10) Donot APT, MoonBounce and Microcin
Backdoor DNS sigs, OnionRAT Checkin, Win32/ModernLoader.

Thanks @welivesecurity and @kaspersky.

Also a shout out to @dougburks for pointing out a leading space in
many of the rules' messages; these have been corrected in today's
release.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034950 - ET INFO URL Shortening Service Domain in DNS Lookup (s3r
.io) (info.rules)
2034951 - ET TROJAN Donot APT Related Domain in DNS Lookup
(dataupdates .live) (trojan.rules)
2034952 - ET TROJAN MoonBounce Backdoor Related Domain in DNS Lookup
(kinopoisksu .com) (trojan.rules)
2034953 - ET TROJAN MoonBounce Backdoor Related Domain in DNS Lookup
(glbaitech .com) (trojan.rules)
2034954 - ET TROJAN Microcin Backdoor Related Domain in DNS Lookup
(m .necemarket .com) (trojan.rules)
2034955 - ET TROJAN Microcin Backdoor Related Domain in DNS Lookup
(holdmem .dbhubspi .com) (trojan.rules)

Pro:

2850888 - ETPRO TROJAN OnionRAT Checkin via Telegram (trojan.rules)
2850889 - ETPRO TROJAN Possible Win32/Yax.Mole Variant Activity
(GET) (trojan.rules)
2850890 - ETPRO TROJAN Win32/ModernLoader Activity (POST) (trojan.rules)
2850891 - ETPRO INFO Suspicious Reversed String Inbound
(mscoree.dll) (info.rules)
2850892 - ETPRO CURRENT_EVENTS Cloned email.gov.in Landing Page M1
(current_events.rules)
2850893 - ETPRO CURRENT_EVENTS Cloned email.gov.in Landing Page M2
(current_events.rules)
2850894 - ETPRO CURRENT_EVENTS Cloned email.gov.in Landing Page M3
(current_events.rules)
2850895 - ETPRO CURRENT_EVENTS Successful gov.in Phish 2022-01-20
(current_events.rules)
2850896 - ETPRO CURRENT_EVENTS Successful nic.in Phish 2022-01-20
(current_events.rules)
2850897 - ETPRO INFO Possible email.gov.in Phish (info.rules)

[///] Modified active rules: [///]

2006375 - ET P2P Bittorrent P2P Client HTTP Request (p2p.rules)
2006379 - ET P2P BearShare P2P Gnutella Client HTTP Request (p2p.rules)
2009526 - ET MALWARE Downloader Checkin - Downloads Rogue Adware
(malware.rules)
2009527 - ET TROJAN Generic Downloader Checkin - HTTP GET (trojan.rules)
2009887 - ET WEB_SPECIFIC_APPS ProjectButler RFI attempt
(web_specific_apps.rules)
2009892 - ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt
(web_specific_apps.rules)
2011494 - ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit -
possible Access to uploaded Files (web_specific_apps.rules)
2014067 - ET WEB_SPECIFIC_APPS PHP Booking Calendar
page_info_message parameter Cross-Site Scripting Vulnerability
(web_specific_apps.rules)
2014911 - ET WEB_CLIENT Microsoft Internet Explorer SameID
Use-After-Free (web_client.rules)
2016477 - ET TROJAN CommentCrew Possible APT c2 communications html
return 1 (trojan.rules)
2016811 - ET CURRENT_EVENTS - Possible Redkit 1-4 char JNLP request
(current_events.rules)
2017283 - ET TROJAN ATTACKER IRCBot - net user - PRIVMSG Command
(trojan.rules)
2017285 - ET TROJAN ATTACKER IRCBot - net add PRIVMSG Command (trojan.rules)
2017286 - ET TROJAN ATTACKER IRCBot - netsh - PRIVMSG Command (trojan.rules)
2017287 - ET TROJAN ATTACKER IRCBot - ipconfig - PRIVMSG Command
(trojan.rules)
2017288 - ET TROJAN ATTACKER IRCBot - reg - PRIVMSG Command (trojan.rules)
2017558 - ET TROJAN Mevade Checkin (trojan.rules)
2019783 - ET CURRENT_EVENTS Successful Paypal Phish Nov 24 2014
(current_events.rules)
2020382 - ET TROJAN Skeleton Key Filename in SMB2 Traffic (trojan.rules)
2023254 - ET TROJAN Book of Eli CnC Checkin (trojan.rules)
2023548 - ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE (exploit.rules)
2024351 - ET TROJAN Executioner Ransomware Reporting Infection via
SMTP (trojan.rules)
2024503 - ET TROJAN ISMAgent Receiving Commands from CnC Server (trojan.rules)
2025007 - ET TROJAN Powershell commands sent when remote host claims
to send an image (trojan.rules)
2025794 - ET EXPLOIT xdebug OS Command Execution (exploit.rules)
2026724 - ET TROJAN RedControle Communicating with CnC (trojan.rules)
2029396 - ET TROJAN Patchwork Backdoor - Sending Task Results (trojan.rules)
2030214 - ET CURRENT_EVENTS Lucy Security Phishing Landing Page
(current_events.rules)
2034941 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2034945 - ET TROJAN Win32/Suspected Reverse Shell Connection (trojan.rules)
2804217 - ETPRO POLICY Remote Access Tool crossloop (policy.rules)
2804657 - ETPRO WEB_CLIENT Adobe Flash Player file with Stage3D
Object being instantiated at ActionScript 3 (web_client.rules)
2805129 - ETPRO SCADA Sielco Sistemi Directory traversal opcode 78
(scada.rules)
2810649 - ETPRO TROJAN Win32/Bifrose Keepalive (Set) (trojan.rules)
2810650 - ETPRO TROJAN Win32/Bifrose Keepalive Outbound (trojan.rules)
2832539 - ETPRO CURRENT_EVENTS PowerShell EP Bypass and String
Download - Possible Stage 2 (current_events.rules)
2834165 - ETPRO EXPLOIT Hashicorp Consul RCE via Services API (exploit.rules)
2848227 - ETPRO TROJAN Observed Malicious AsyncRAT Style SSL Cert
(trojan.rules)
2848317 - ETPRO INFO Suspicious AppData Local Temp File Upload in
Outbound POST (info.rules)

[///] Modified inactive rules: [///]

2003067 - ET EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT (exploit.rules)
2009693 - ET WEB_SPECIFIC_APPS Zen Cart Remote Code Execution
(web_specific_apps.rules)
2016061 - ET WEB_SPECIFIC_APPS Possible WordpressPingbackPortScanner
detected (web_specific_apps.rules)
2017113 - ET TROJAN VBulletin Backdoor C2 Domain (trojan.rules)
2017467 - ET CURRENT_EVENTS CottonCastle EK Java Jar (current_events.rules)
2019188 - ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 Sept 17 2014
(current_events.rules)
2024114 - ET TROJAN DeepEnd Research Ransomware CrypMIC Payment
Onion Domain (trojan.rules)
2028629 - ET WEB_SPECIFIC_APPS PHPStudy Remote Code Execution
Backdoor (web_specific_apps.rules)
2034857 - ET INFO RDP Authentication Bypass Attempt (info.rules)
2800224 - ETPRO WEB_CLIENT FLAC Project libFLAC Picture Metadata
MIME-Type Size Buffer Overflow 3 (web_client.rules)
2800574 - ETPRO ACTIVEX Microsoft Access ActiveX Control Code
Execution1 (activex.rules)
2800628 - ETPRO EXPLOIT 3Com TFTP Server Transporting Mode Remote
Buffer Overflow Metasploit Exploit Detected against XPSP2
(exploit.rules)
2800756 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object
Instantiation Memory Corruption - 1 (activex.rules)
2800757 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object
Instantiation Memory Corruption - 2 (activex.rules)
2800758 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object
Instantiation Memory Corruption - 3 (activex.rules)
2800759 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object
Instantiation Memory Corruption - 4 (activex.rules)
2800760 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object
Instantiation Memory Corruption - 5 (activex.rules)
2800761 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object
Instantiation Memory Corruption - 6 (activex.rules)
2800762 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object
Instantiation Memory Corruption - 7 (activex.rules)
2800763 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object
Instantiation Memory Corruption - 8 (activex.rules)
2800764 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object
Instantiation Memory Corruption - 9 (activex.rules)
2800765 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object
Instantiation Memory Corruption - 10 (activex.rules)
2801183 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x37 (exploit.rules)
2801184 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x38 (exploit.rules)
2801185 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x39 (exploit.rules)
2801186 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x3A (exploit.rules)
2801187 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x3B (exploit.rules)
2801188 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x3C (exploit.rules)
2801189 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x3D (exploit.rules)
2801190 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x3E (exploit.rules)
2801191 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x3F (exploit.rules)
2801192 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x40 (exploit.rules)
2801193 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x43 (exploit.rules)
2801194 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x35 (exploit.rules)
2801195 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x36 (exploit.rules)
2801196 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x41 (exploit.rules)
2801197 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x42 (exploit.rules)
2801198 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x44 (exploit.rules)
2801199 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x45 (exploit.rules)
2801200 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x46 (exploit.rules)
2801201 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x47 (exploit.rules)
2801202 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x48 (exploit.rules)
2801203 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory
Corruption byte 0x49 (exploit.rules)
2801256 - ETPRO ACTIVEX Microsoft Windows Data Access Components ADO
Record Code Execution (activex.rules)
