[***] Summary: [***]
24 new OPEN, 28 new PRO (24 + 4). RecordBreaker, Symbiote, APT-Q-37, Others.
Thanks @lacework, @intezerlabs, @james_inthe_box, @blackberry
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2009303 - ET INFO MediaFire file download service access (info.rules)
2030680 - ET HUNTING Cloned Page Hosted on Microsoft Hosting (hunting.rules)
2036935 - ET MALWARE APT-Q-37/Manling Flower Payload - CnC Checkin (malware.rules)
2036936 - ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com) (hunting.rules)
2036937 - ET HUNTING File Sharing Related Domain in DNS Lookup (filesend .jp) (hunting.rules)
2036938 - ET INFO Self-Hosted Git Service Domain in DNS Lookup (gitea .com) (info.rules)
2036939 - ET INFO Observed Self-Hosted Git Service Domain (gitea .com in TLS SNI) (info.rules)
2036940 - ET MALWARE ELF/Mirai Variant Activity (Outbound) (malware.rules)
2036941 - ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (blacknurse .lib) (malware.rules)
2036942 - ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (dragon .lib) (malware.rules)
2036943 - ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (babaroga .lib) (malware.rules)
2036944 - ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (tempest .lib) (malware.rules)
2036945 - ET MALWARE Suspected APT-Q-37 Related Activity (Outbound) (malware.rules)
2036946 - ET MALWARE Gamaredon APT Related Maldoc Activity (GET) (malware.rules)
2036947 - ET PHISHING DHL Credential Phish Landing Page 2022-06-09 (phishing.rules)
2036948 - ET PHISHING Successful DHL Credential Phish M1 2022-06-09 (phishing.rules)
2036949 - ET PHISHING Successful DHL Credential Phish M2 2022-06-09 (phishing.rules)
2036950 - ET MALWARE Symbiote CnC Domain in DNS Lookup (assets .fans) (malware.rules)
2036951 - ET MALWARE Symbiote CnC Domain in DNS Lookup (dpf .fm) (malware.rules)
2036952 - ET MALWARE Symbiote CnC Domain in DNS Lookup (bancodobrasil .dev) (malware.rules)
2036953 - ET MALWARE Symbiote CnC Domain in DNS Lookup (caixa .cx) (malware.rules)
2036954 - ET MALWARE Symbiote CnC Domain in DNS Lookup (caixa .wf) (malware.rules)
2036955 - ET MALWARE RecordBreaker Stealer CnC Checkin - Server Response (malware.rules)
2036956 - ET HUNTING Suspicious User-Agent (record) (hunting.rules)
Pro:
2851764 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-06-09 1) (coinminer.rules)
2851765 - ETPRO ATTACK_RESPONSE Powershell Obfuscation Using Character Code Subtraction/Addition (attack_response.rules)
2851766 - ETPRO MALWARE njRAT Variant Checkin (malware.rules)
2851767 - ETPRO ADWARE_PUP FlyStudio SMTP Checkin (adware_pup.rules)
[///] Modified active rules: [///]
2036685 - ET INFO External IP Lookup Domain in DNS Lookup (ip .bablosoft .com) (info.rules)
2036703 - ET MALWARE Observed DNS Query to bablosoft Domain (downloads .bablosoft .com) (malware.rules)
2036934 - ET MALWARE Recordbreaker Stealer CnC Checkin (malware.rules)
[---] Disabled and modified rules: [---]
2012158 - ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt (CVE-2010-3973) (activex.rules)
2013250 - ET WEB_CLIENT Microsoft Word RTF pFragments Stack Buffer Overflow Attempt (CVE-2010-3333) (web_client.rules)
2013280 - ET WEB_CLIENT Microsoft Word RTF pFragments Stack Overflow Attempt (CVE-2010-3333) (web_client.rules)
2801230 - ETPRO WEB_CLIENT Microsoft Graphics Rendering Engine Thumbnail Image Stack Buffer Overflow Public Exploit (CVE-2010-3970) (web_client.rules)
2801314 - ETPRO WEB_CLIENT Microsoft Internet Explorer MHTML Cross Site Scripting src (CVE-2011-0096) (web_client.rules)
2801321 - ETPRO WEB_CLIENT MHTML Attempted Script Execution (CVE-2011-0096) (web_client.rules)
2801373 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow CIFS (CVE-2011-0654) (netbios.rules)
2801378 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Internal CIFS (CVE-2011-0654) (netbios.rules)
2802025 - ETPRO ACTIVEX Vulnerable WBEM.SingleView.1 Object Access (CVE-2010-3973) (activex.rules)
2802031 - ETPRO ACTIVEX Vulnerable Windows Messenger Service Object Access (CVE-2011-1243) (activex.rules)
2802140 - ETPRO WEB_CLIENT Microsoft Internet Explorer HtmlDlgHelper Memory Corruption via doc (CVE-2010-3329) (web_client.rules)
2802141 - ETPRO WEB_CLIENT Microsoft Internet Explorer HtmlDlgHelper Memory Corruption via docx (CVE-2010-3329) (web_client.rules)
2802142 - ETPRO WEB_CLIENT Microsoft Internet Explorer HtmlDlgHelper Memory Corruption via xls (CVE-2010-3329) (web_client.rules)
2802143 - ETPRO WEB_CLIENT Microsoft Internet Explorer HtmlDlgHelper Memory Corruption via xlsx (CVE-2010-3329) (web_client.rules)
2802144 - ETPRO WEB_CLIENT Microsoft Internet Explorer HtmlDlgHelper Memory Corruption via rtf (CVE-2010-3329) (web_client.rules)
2802145 - ETPRO WEB_CLIENT Microsoft Internet Explorer HtmlDlgHelper Memory Corruption via xlt (CVE-2010-3329) (web_client.rules)
2802147 - ETPRO WEB_CLIENT Oracle Java Applet2ClassLoader Remote Code Execution 3 (CVE-2010-4452) (web_client.rules)
2802148 - ETPRO WEB_CLIENT Oracle Java Applet2ClassLoader Remote Code Execution 4 (CVE-2010-4452) (web_client.rules)
2802149 - ETPRO WEB_CLIENT Oracle Java Applet2ClassLoader Remote Code Execution 5 (CVE-2010-4452) (web_client.rules)
2802837 - ETPRO SCADA 7T Interactive Graphical SCADA System File Operations Buffer Overflow 1 (CVE-2011-1567) (scada.rules)
2802838 - ETPRO SCADA 7T Interactive Graphical SCADA System File Operations Buffer Overflows 2 (CVE-2011-1567) (scada.rules)
2802999 - ETPRO WEB_CLIENT Adobe Reader language.engtesselate.ln flowbit set (web_client.rules)
2803000 - ETPRO WEB_CLIENT Adobe Reader language.engtesselate.ln overflow (CVE-2011-2095) (web_client.rules)
2803461 - ETPRO ACTIVEX HP Easy Printer Care Software HPTicketMgr.dll ActiveX Control Directory Traversal 1 (CVE-2011-2404) (activex.rules)
2803462 - ETPRO ACTIVEX HP Easy Printer Care Software HPTicketMgr.dll ActiveX Control Directory Traversal 2 (CVE-2011-2404) (activex.rules)
2803612 - ETPRO ACTIVEX Citrix Access Gateway Plug-in ActiveX Code Execution (CVE-2011-2882) (activex.rules)
2803850 - ETPRO ACTIVEX Microsoft Internet Explorer htmlfile ActiveX control instantiation (CVE-2011-1995) (activex.rules)
2803854 - ETPRO WEB_CLIENT Microsoft Internet Explorer remote code execution via marquee element (CVE-2011-2001) (web_client.rules)
[---] Removed rules: [---]
2009303 - ET POLICY MediaFire file download service access (policy.rules)
2013251 - ET WEB_CLIENT Known in Wild Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt (web_client.rules)
2013252 - ET WEB_CLIENT Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt (web_client.rules)
2030680 - ET PHISHING Possible Generic Microsoft Hosted Phishing Landing M1 (phishing.rules)
2801324 - ETPRO WEB_CLIENT Microsoft Internet Explorer insertBefore Document Memory Corruption (web_client.rules)
2801369 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Inbound Netbios 138 1 (netbios.rules)
2802587 - ETPRO WEB_SPECIFIC_APPS CA Total Defense Suite UNCWS getDBConfigSettings Credential Information Disclosure (web_specific_apps.rules)
2802822 - ETPRO TFTP HP Intelligent Management Center TFTP Server DATA and ERROR Packets Buffer Overflow 1 (tftp.rules)
2802823 - ETPRO TFTP HP Intelligent Management Center TFTP Server DATA and ERROR Packets Buffer Overflow 2 (tftp.rules)
2803139 - ETPRO WEB_CLIENT Microsoft Internet Explorer Time Element Memory Corruption 2 (web_client.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | Proofpoint Inc | Emerging Threats Team