[***] Summary: [***]

27 new OPEN, 39 new PRO (27 + 12) Win32/Farfli.BAL, Win32/SpyEyes.bsro, MSIL.Cyfig, various SSRF sigs. Many DNS signatures have been updated to reduce false negatives (FNs).

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036428 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M1 (web_server.rules)
2036429 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M2 (web_server.rules)
2036430 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M3 (web_server.rules)
2036431 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M4 (web_server.rules)
2036432 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M5 (web_server.rules)
2036433 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M6 (web_server.rules)
2036434 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M7 (web_server.rules)
2036435 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M8 (web_server.rules)
2036436 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M9 (web_server.rules)
2036437 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M10 (web_server.rules)
2036438 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M11 (web_server.rules)
2036439 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M12 (web_server.rules)
2036440 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M13 (web_server.rules)
2036441 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M14 (web_server.rules)
2036442 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M15 (web_server.rules)
2036443 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M16 (web_server.rules)
2036444 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M17 (web_server.rules)
2036445 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M18 (web_server.rules)
2036446 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M19 (web_server.rules)
2036447 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M20 (web_server.rules)
2036448 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M21 (web_server.rules)
2036449 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M22 (web_server.rules)
2036450 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M23 (web_server.rules)
2036451 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M24 (web_server.rules)
2036452 - ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M25 (web_server.rules)
2036453 - ET MALWARE Win32/Farfli.BAL CnC Activity (malware.rules)
2036454 - ET MALWARE Likely Mirai Related Outbound Shell Request (malware.rules)

Pro:

2851551 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-04-30 1) (coinminer.rules)
2851552 - ETPRO MALWARE Win32/SpyEyes.bsro Checkin (malware.rules)
2851562 - ETPRO MALWARE MSIL.Cyfig CnC Activity (malware.rules)

[///] Modified active rules: [///]

2014451 - ET ACTIVEX Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential Buffer Overflow Attempt (activex.rules)
2031193 - ET MALWARE Suspected Snugy DNS Backdoor Initial Beacon (malware.rules)
2031194 - ET MALWARE Suspected Snugy DNS Backdoor CnC Activity (Hostname Send) (malware.rules)
2032763 - ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .live) 2021-04-15 (phishing.rules)
2032764 - ET EXPLOIT_KIT Observed BottleEK Domain in DNS Lookup 2021-04-15 (exploit_kit.rules)
2032765 - ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .xyz) 2021-04-15 (phishing.rules)
2032893 - ET MALWARE Observed DNS Query to Buer - DomainInfo Domain (malware.rules)
2034201 - ET MALWARE Interactsh Control Panel (DNS) (malware.rules)
2035465 - ET INFO Observed Discord Domain in DNS Lookup (discord .com) (info.rules)
2035466 - ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) (info.rules)
2035614 - ET MALWARE Win32/SodaMaster domain observed in DNS query (www. rare-coisns. com) (malware.rules)
2035618 - ET PHISHING Generic Phishing Domain in DNS Lookup (info-getting-eu. com) (phishing.rules)
2035660 - ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (gaymers .ax) (malware.rules)
2035662 - ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (jonathanhardwick .me) (malware.rules)
2035664 - ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (.verble .rocks) (malware.rules)
2035666 - ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (verble .software) (malware.rules)
2035668 - ET POLICY Pastebin-style service note .youdao .com in DNS query (policy.rules)
2035704 - ET MALWARE Deep Panda Domain in DNS Lookup (vpn2 .smi1egate .com) (malware.rules)
2035705 - ET MALWARE Deep Panda Domain in DNS Lookup (svn1 .smi1egate .com) (malware.rules)
2035706 - ET MALWARE Deep Panda Domain in DNS Lookup (giga .gnisoft .com) (malware.rules)
2035708 - ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (win .mirtonewbacker .com) (malware.rules)
2035710 - ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (umpulumpu .ru) (malware.rules)
2035712 - ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (greenblguard .shop) (malware.rules)
2035714 - ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (onetwostep .at) (malware.rules)
2035762 - ET INFO Splashtop Domain in DNS Lookup (splashtop .com) (info.rules)
2035764 - ET INFO Splashtop Domain in DNS Lookup (splashtop .eu) (info.rules)
2035771 - ET MALWARE Spytector Domain DNS Lookup (mail .spytector .com) (malware.rules)
2035773 - ET MALWARE Pegasus Domain in DNS Lookup (akhbar-almasdar .com) (malware.rules)
2035774 - ET MALWARE Pegasus Domain in DNS Lookup (akhbar-islamyah .com) (malware.rules)
2035775 - ET MALWARE Pegasus Domain in DNS Lookup (akhbarnew .com) (malware.rules)
2035776 - ET MALWARE Pegasus Domain in DNS Lookup (al-nusr .net) (malware.rules)
2035777 - ET MALWARE Pegasus Domain in DNS Lookup (al-taleanews .net) (malware.rules)
2035778 - ET MALWARE Pegasus Domain in DNS Lookup (al-taleanewsonline .net) (malware.rules)
2035779 - ET MALWARE Pegasus Domain in DNS Lookup (al7erak247 .com) (malware.rules)
2035781 - ET MALWARE Pegasus Domain in DNS Lookup (alrainew .com) (malware.rules)
2035782 - ET MALWARE Pegasus Domain in DNS Lookup (arabia-islamion .com) (malware.rules)
2035860 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035861 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035862 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035864 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035865 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035866 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035867 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035868 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035869 - ET MALWARE Pegasus Domain in DNS Lookup (malware.rules)
2035870 - ET INFO ET INFO URL Shortening Service Domain in DNS Lookup (s59 .site) (info.rules)
2035944 - ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain (malware.rules)
2035945 - ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain (malware.rules)
2102650 - GPL SQL user name buffer overflow attempt (sql.rules)
2832413 - ETPRO MALWARE W32.Helminth Checkin via DNS (malware.rules)
2838302 - ETPRO EXPLOIT Cisco UCS Director - Attempted Web Interface Authentication Bypass (CVE-2019-1937) (exploit.rules)
2844189 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
2844190 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
2844191 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
2844192 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
2844193 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
2844194 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
2844195 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
2844196 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
2844197 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
2844198 - ETPRO MALWARE CaptainCha CnC in DNS Lookup (malware.rules)
2845024 - ETPRO HUNTING Unusually Long ydns DynDNS Domain (hunting.rules)
2845062 - ETPRO POLICY Observed DNS Query to Dynamic DNS Service (policy.rules)
2845064 - ETPRO MALWARE Possible DNSCat2 Powershell Client Activity (malware.rules)
2845198 - ETPRO HUNTING Unusually Long freeddns DynDNS Domain (hunting.rules)
2845199 - ETPRO HUNTING Unusually Long mywire DynDNS Domain (hunting.rules)
2846402 - ETPRO HUNTING Unusually Long dns .army Domain (hunting.rules)
2846617 - ETPRO HUNTING Unusually Long dns .navy Domain (hunting.rules)
2847004 - ETPRO HUNTING Unusually Long dns .me Domain (hunting.rules)
2848472 - ETPRO HUNTING Unusually Long mangospot .net Domain (hunting.rules)
2850158 - ETPRO HUNTING Unusually Long loseyourip .com Domain (hunting.rules)
2850479 - ETPRO POLICY Your Freedom VPN - CGI Relay Server Lookup (policy.rules)
2851442 - ETPRO INFO URL Shortener Service Domain in DNS Lookup (littleurls .com) (info.rules)

[---] Removed rules: [---]

2019236 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number (web_server.rules)