[***] Summary: [***]

11 new OPEN, 26 new PRO (11 + 15). Various Exploits, Various APT,
Cobalt Strike, Various DCE/RPC and Miners.

Thanks @h2jazi, @_CERT_UA, @0xrb and Kevin Ross

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036272 - ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded Credential ConfigSyncProc Login Attempt (exploit.rules)
2036273 - ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded Credential ConfigSyncProc System Details Request (exploit.rules)
2036274 - ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded WebUI Login Attempt M2 (exploit.rules)
2036275 - ET EXPLOIT Shenzhen TVT DVR/NVR/IPC ConfigSyncProc RCE Attempt (exploit.rules)
2036276 - ET MALWARE Win32/TrojanDownloader.Agent.RFS Variant Checkin (malware.rules)
2036277 - ET MALWARE DPRK APT Related Maldoc Activity (POST) (malware.rules)
2036278 - ET MALWARE DPRK APT Related Domain in DNS Lookup (beastmodser .club) (malware.rules)
2036279 - ET MALWARE DPRK APT Related Maldoc Activity (POST) M2 (malware.rules)
2036280 - ET MALWARE Win32/STEALBIT Data Exfiltration Tool Activity (PUT) (malware.rules)
2036281 - ET MALWARE Win64/CobaltStrike.Beacon.J CnC Checkin (malware.rules)
2036282 - ET MALWARE Cobalt Strike X-Client Header (notevil) (malware.rules)

Pro:

2851480 - ETPRO INFO DCERPC Bind with Little-Endian (flowbit set) (info.rules)
2851481 - ETPRO INFO DCERPC Bind_ack with Endian Flipped (info.rules)
2851482 - ETPRO INFO DCERPC Bind_ack with Big-Endian Assoc Group (info.rules)
2851483 - ETPRO INFO SMB/DCERPC Bind with Little-Endian (flowbit set) (info.rules)
2851484 - ETPRO INFO SMB/DCERPC Bind_ack with Endian Flipped (info.rules)
2851485 - ETPRO INFO SMB/DCERPC Bind_ack with Big-Endian Assoc Group (info.rules)
2851486 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-19 1) (coinminer.rules)
2851487 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-19 2) (coinminer.rules)
2851488 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-19 3) (coinminer.rules)
2851489 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-19 4) (coinminer.rules)
2851490 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-19 5) (coinminer.rules)
2851491 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-19 6) (coinminer.rules)
2851492 - ETPRO MALWARE XMRig Variant CoinMiner Checkin (malware.rules)
2851493 - ETPRO MALWARE Suspected TA427 Activity (GET) (malware.rules)
2851494 - ETPRO MALWARE Suspected TA427 Activity (GET) (malware.rules)

[///] Modified active rules: [///]

2031071 - ET INFO Microsoft Connection Test (info.rules)
2035881 - ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M1 (malware.rules)
2035882 - ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M2 (malware.rules)
2035883 - ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M3 (malware.rules)
2035884 - ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4 (malware.rules)
2036250 - ET MALWARE ZingoStealer Data Exfiltration M2 (malware.rules)
