[***] Summary: [***]

22 new OPEN, 29 new PRO (22 + 7). Various Exploit/CVE, FIN7, Remcos
and Miners.

Thanks to @Avast and @0xrb

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035629 - ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M1 (CVE-2022-24989) (exploit.rules)
2035630 - ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M2 (CVE-2022-24989) (exploit.rules)
2035631 - ET EXPLOIT TerraMaster TOS Information Leak Inbound (CVE-2022-24990) (exploit.rules)
2035632 - ET MALWARE Win32/Farfli.CUY KeepAlive (malware.rules)
2035633 - ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M1 (exploit.rules)
2035634 - ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M2 (exploit.rules)
2035635 - ET EXPLOIT Possible WatchGuard CVE-2022-26318 RCE Attempt M3 (exploit.rules)
2035636 - ET INFO Abused File Hosting Domain in DNS Lookup (transferxl .com) (info.rules)
2035637 - ET INFO Observed Abused File Hosting Domain (transferxl .com in TLS SNI) (info.rules)
2035638 - ET INFO Observed Abused File Hosting Domain (transferxl-download .com in TLS SNI) (info.rules)
2035639 - ET INFO URL Shortening Service Domain in DNS Lookup (kutti .co) (info.rules)
2035640 - ET INFO Observed URL Shortening Service Domain (kutti .co in TLS SNI) (info.rules)
2035641 - ET MALWARE FIN7 Backdoor Checkin (POST) (malware.rules)
2035642 - ET MALWARE FIN7 Backdoor Retrieving Task (POST) (malware.rules)
2035643 - ET MALWARE FIN7 Backdoor Sending Task Status (POST) (malware.rules)
2035644 - ET MALWARE FIN7 Related Domain in DNS Lookup (swordoke .com) (malware.rules)
2035645 - ET MALWARE Observed FIN7 Related Domain (swordoke .com in TLS SNI) (malware.rules)
2035646 - ET MALWARE Win32/Warzone RAT Variant CnC Domain in DNS Lookup (dost .igov-service .net) (malware.rules)
2035647 - ET PHISHING Generic Phish Landing Page 2022-03-29 (phishing.rules)
2035648 - ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound M2 (CVE-2021-31207) (exploit.rules)
2035649 - ET EXPLOIT Possible Microsoft Exchange RCE Inbound M3 (CVE-2021-34473) (exploit.rules)
2035650 - ET EXPLOIT Possible Microsoft Exchange Mailbox Enumeration Inbound (CVE-2021-34473) (exploit.rules)

Pro:

2851350 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-29 1) (coinminer.rules)
2851351 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-29 2) (coinminer.rules)
2851352 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-29 3) (coinminer.rules)
2851353 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-29 4) (coinminer.rules)
2851354 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-29 5) (coinminer.rules)
2851355 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-29 6) (coinminer.rules)
2851356 - ETPRO MALWARE Win32/Remcos RAT Checkin 786 (malware.rules)

[///] Modified active rules: [///]

2021419 - ET MALWARE APT CozyCar SSL Cert 2 (malware.rules)
2021420 - ET MALWARE APT CozyCar SSL Cert 3 (malware.rules)
2021422 - ET MALWARE APT CozyCar SSL Cert 5 (malware.rules)
2021423 - ET MALWARE APT CozyCar SSL Cert 6 (malware.rules)
2021424 - ET MALWARE APT CozyCar SSL Cert 7 (malware.rules)
2021425 - ET MALWARE APT CozyCar SSL Cert 8 (malware.rules)
2021591 - ET MALWARE APT CozyCar SSL Cert 1 (malware.rules)
2025438 - ET MALWARE Cobalt Group SSL Certificate Detected (malware.rules)
2033681 - ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M1 (CVE-2021-31207) (exploit.rules)
2033701 - ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound M1 (CVE-2021-31207) (exploit.rules)
2033711 - ET EXPLOIT Possible Microsoft Exchange RCE Inbound M2 (CVE-2021-34473) (exploit.rules)
2837072 - ETPRO MALWARE VOLTAICFISH Possible Handshake CnC Beacon (malware.rules)
2851233 - ETPRO MALWARE YouTube Profile Exfil Via Telegram (malware.rules)
2851234 - ETPRO MALWARE Crypto Wallet Exfil Via Telegram (malware.rules)

[---] Disabled and modified rules: [---]

[---] Removed rules: [---]

2850472 - ETPRO MALWARE Win32/Farfli.CUY KeepAlive (malware.rules)
