[***] Summary: [***]

9 new OPEN, 11 new PRO (9 + 2). Win32/Agent.Fish, Win32/Gomorrah,
Win32/Agent.kawe, Others.

Thanks @500mk500

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2016132 - ET ATTACK_RESPONSE Obfuscated JS - Possible URL Encoded JS
Inbound (attack_response.rules)
2016134 - ET ATTACK_RESPONSE Obfuscated JS - URL Encoded Unescape
Function Call Inbound (attack_response.rules)
2036957 - ET PHISHING Sparkasse Credential Phish Landing Page 2022-06-10
(phishing.rules)
2036958 - ET MALWARE Win32/Gomorrah Stealer Data Exfiltration
(malware.rules)
2036959 - ET MALWARE Win32/Agent.Fish Data Exfiltration (malware.rules)
2036960 - ET MALWARE Win32.Stealer CnC Domain in DNS Lookup (kealkun
.16mb .com) (malware.rules)
2036961 - ET MALWARE Win32.Stealer CnC Domain in DNS Lookup (ping
.otwalkun .16mb .com) (malware.rules)
2036962 - ET MALWARE Trojan-PSW.Win32.Stealer.sb CnC (malware.rules)
2036963 - ET MALWARE Win32.Agent.kawe SMTP Stealer (malware.rules)

Pro:

2851768 - ETPRO WEB_CLIENT Microsoft DOC File download - ListView
Overflow 1 -SET (CVE-2012-0158) (web_client.rules)

[///] Modified active rules: [///]

2036955 - ET MALWARE Win32/RecordBreaker Stealer CnC Checkin - Server
Response (malware.rules)
2804305 - ETPRO WEB_CLIENT PDF File Containing Embedded BMP with invalid
number of colors 1 (web_client.rules)
2804306 - ETPRO WEB_CLIENT PDF File Containing Embedded BMP with invalid
number of colors 2 (web_client.rules)
2804307 - ETPRO WEB_CLIENT PDF File Containing Embedded BMP with invalid
number of colors 3 (web_client.rules)
2804308 - ETPRO WEB_CLIENT PDF File Containing Embedded BMP with invalid
number of colors 4 (web_client.rules)
2804309 - ETPRO WEB_CLIENT PDF File Containing Embedded BMP with invalid
number of colors 5 (web_client.rules)
2804310 - ETPRO WEB_CLIENT PDF File Containing Embedded BMP with invalid
number of colors 6 (web_client.rules)
2827278 - ETPRO MALWARE Imminent Monitor MainInformation Command
(malware.rules)

[---] Disabled and modified rules: [---]

2013408 - ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device
(CVE-2011-0228) (policy.rules)
2014335 - ET WEB_CLIENT Adobe Flash Player Malformed MP4 Remote Code
Execution Attempt (CVE-2012-0754) (web_client.rules)
2014461 - ET EXPLOIT Java Atomic Reference Exploit Attempt Metasploit
Specific (CVE-2012-0507) (exploit.rules)
2014633 - ET WEB_SPECIFIC_APPS phpMyAdmin setup.php Remote File inclusion
Attempt (CVE-2010-3055) (web_specific_apps.rules)
2014865 - ET WEB_CLIENT MP4 Embedded in PDF File - Potential Flash
Exploit (CVE-2012-0754) (web_client.rules)
2014911 - ET WEB_CLIENT Microsoft Internet Explorer SameID Use-After-Free
(CVE-2012-1875) (web_client.rules)
2014938 - ET WEB_CLIENT Potential MSXML2.DOMDocument Uninitialized Memory
Corruption (CVE-2012-1889) (web_client.rules)
2015554 - ET WEB_CLIENT Potential MSXML2.DOM Document.3.0 Uninitialized
Memory Corruption Attempt (CVE-2012-1889) (web_client.rules)
2015555 - ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized
Memory Corruption (CVE-2012-1889) (web_client.rules)
2015712 - ET WEB_CLIENT Internet Explorer execCommand function Use after
free Vulnerability (CVE-2012-4969) (web_client.rules)
2801240 - ETPRO WEB_CLIENT Internet Explorer Memory Corruption in
Microsoft Data Access Object (CVE-2011-0027) (web_client.rules)
2801313 - ETPRO WEB_CLIENT Microsoft Internet Explorer MHTML Cross Site
Scripting (CVE-2011-0096) (web_client.rules)
2802915 - ETPRO EXPLOIT Cisco Common Services Devices Center Cross Site
Scripting (CVE-2011-0962) (exploit.rules)
2803271 - ETPRO EXPLOIT Oracle GlassFish Server Malformed Username Cross
Site Scripting (exploit.rules)
2803611 - ETPRO ACTIVEX Citrix Access Gateway Plug-in ActiveX Code
Execution - SET (activex.rules)
2804857 - ETPRO WEB_CLIENT Microsoft DOC File download - ListView
Overflow 2 -SET (CVE-2012-0158) (web_client.rules)
2804858 - ETPRO WEB_CLIENT Microsoft DOC File download - ListView
Overflow (CVE-2012-0158) (web_client.rules)
2804859 - ETPRO WEB_CLIENT Microsoft DOC File download - TreeView
Overflow 1 -SET (CVE-2012-0158) (web_client.rules)
2804860 - ETPRO WEB_CLIENT Microsoft DOC File download - TreeView
Overflow 2 -SET (CVE-2012-0158) (web_client.rules)
2804861 - ETPRO WEB_CLIENT Microsoft DOC File download - TreeView
Overflow (CVE-2012-0158) (web_client.rules)
2805425 - ETPRO WEB_CLIENT Adobe Reader Free Text Annotation With Invalid
Intent 1 (CVE-2012-4149) (web_client.rules)
2805426 - ETPRO WEB_CLIENT Adobe Reader Free Text Annotation With Invalid
Intent 2 (CVE-2012-4149) (web_client.rules)
2805427 - ETPRO WEB_CLIENT Adobe Reader Free Text Annotation With Invalid
Intent 3 (CVE-2012-4149) (web_client.rules)
2805429 - ETPRO WEB_CLIENT Adobe Reader Free Text Annotation With Invalid
Intent 5 (CVE-2012-4149) (web_client.rules)
2805430 - ETPRO WEB_CLIENT Adobe Reader Free Text Annotation With Invalid
Intent 6 (CVE-2012-4149) (web_client.rules)
2805679 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
(CVE-2012-1538) (web_client.rules)
2805680 - ETPRO WEB_CLIENT Microsoft Internet Explorer CTreePos Use After
Free (CVE-2012-1539) (web_client.rules)
2805681 - ETPRO WEB_CLIENT Microsoft Windows Explorer Briefcase Database
File Integer Underflow (CVE-2012-1527) (web_client.rules)
2805683 - ETPRO WEB_CLIENT Microsoft Windows Explorer Briefcase Integer
Overflow (CVE-2012-1528) (web_client.rules)

[---] Removed rules: [---]

2014704 - ET WEB_SPECIFIC_APPS PHP-CGI query string parameter
vulnerability (web_specific_apps.rules)
2015556 - ET WEB_CLIENT Potential MSXML2.DOMDocument ActiveXObject
Uninitialized Memory Corruption Attempt (web_client.rules)
2015711 - ET WEB_CLIENT Internet Explorer execCommand function Use after
free Vulnerability 0day (web_client.rules)
2015809 - ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed)
Exploit Specific (web_client.rules)
2015810 - ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed)
Exploit Specific (web_client.rules)
2015859 - ET EXPLOIT_KIT Metasploit CVE-2012-1723 Attacker.class (Seen in
Unknown EK) 11/01/12 (exploit_kit.rules)
2015887 - ET EXPLOIT_KIT Possible exploitation of CVE-2012-5076 by an
exploit kit Nov 13 2012 (exploit_kit.rules)
2016132 - ET EXPLOIT Escaped Unicode Char in Window Location
CVE-2012-4792 EIP (exploit.rules)
2016134 - ET EXPLOIT Escaped Unicode Char in Location CVE-2012-4792 EIP %
Hex Encode (exploit.rules)
2801325 - ETPRO WEB_CLIENT Microsoft Internet Explorer getElementByID
onCellChange Memory Corruption (web_client.rules)
2803851 - ETPRO WEB_CLIENT Microsoft Internet Explorer remote code
execution via option element (web_client.rules)
2804856 - ETPRO WEB_CLIENT Microsoft DOC File download CVE-2012-0158
ListView Overflow 1 -SET (web_client.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
