[***] Summary: [***]

23 new OPEN, 27 new PRO (23 + 4). Various Webshell, Lyceum Backdoor. Win32/MassLogger, Win32.Zegost and Miners.

Thanks @RedDrip7, @TheDFIRReport, @eliyastein

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2037004 - ET WEB_SERVER Suspected Webshell arp Command (Inbound) (web_server.rules)
2037005 - ET WEB_SERVER Suspected Webshell del Command (Inbound) (web_server.rules)
2037006 - ET WEB_SERVER Suspected Webshell systeminfo Command (Inbound) (web_server.rules)
2037007 - ET WEB_SERVER Suspected Webshell tasklist Command (Inbound) (web_server.rules)
2037008 - ET WEB_SERVER Suspected Webshell wmic Command (Inbound) (web_server.rules)
2037009 - ET WEB_SERVER Suspected Webshell ipconfig Command (Inbound) (web_server.rules)
2037010 - ET WEB_SERVER Suspected Webshell query Command (Inbound) (web_server.rules)
2037011 - ET WEB_SERVER Suspected Webshell registry Command (Inbound) (web_server.rules)
2037012 - ET WEB_SERVER Suspected Webshell net Command (Inbound) (web_server.rules)
2037013 - ET WEB_SERVER Suspected Webshell netstat Command (Inbound) (web_server.rules)
2037014 - ET WEB_SERVER Suspected Webshell directory listing Command (Inbound) (web_server.rules)
2037015 - ET WEB_SERVER Suspected Webshell Activity (Inbound) (web_server.rules)
2037016 - ET WEB_SERVER Suspected Webshell Activity (Inbound) (web_server.rules)
2037017 - ET ATTACK_RESPONSE Lyceum Backdoor CnC Response (attack_response.rules)
2037018 - ET MALWARE Base64 Encoded Windows Command Prompt (Outbound) (malware.rules)
2037019 - ET MALWARE Lyceum Backdoor CnC Activity (malware.rules)
2037020 - ET MALWARE Suspected Cobalt Strike Beacon User-Agent String (malware.rules)
2037021 - ET MALWARE Win32/MassLogger FTP Data Exfiltration (malware.rules)
2037022 - ET MALWARE Win32/Criminal RAT CnC Checkin (malware.rules)
2037023 - ET CURRENT_EVENTS Possible Crypto Drainer Fetch (current_events.rules)
2037024 - ET CURRENT_EVENTS Possible Crypto Drainer Enumerate (current_events.rules)
2037025 - ET MALWARE Win32.Zegost CnC Checkin (malware.rules)
2037026 - ET MALWARE Win32.Banker Trojan CnC Checkin (malware.rules)

Pro:

2851788 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-06-15 1) (coinminer.rules)
2851789 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-06-15 2) (coinminer.rules)
2851790 - ETPRO MALWARE Observed Win64/NukeSped.KP Variant CnC Domain in TLS SNI (malware.rules)
2851791 - ETPRO MALWARE Win64/NukeSped.KP Variant CnC Activity (malware.rules)

[---] Disabled and modified rules: [---]

2017129 - ET WEB_CLIENT Potential Internet Explorer Use After Free (CVE-2013-3163) (web_client.rules)
2017133 - ET WEB_CLIENT Microsoft Internet Explorer Use-After-Free (CVE-2013-3163) (web_client.rules)
2806641 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free 2 (CVE-2013-3152) (web_client.rules)
2806642 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free 3 (CVE-2013-3152) (web_client.rules)
2806643 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free 4 (CVE-2013-3152) (web_client.rules)
2806817 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (CVE-2013-3184) (web_client.rules)
2806825 - ETPRO WEB_CLIENT Potential Microsoft Internet Explorer Use-After-Free (CVE-2013-3193) (web_client.rules)
2806973 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (CVE-2013-3202) (web_client.rules)
2806974 - ETPRO WEB_CLIENT Microsoft Internet Explorer type confusion 1 (CVE-2013-3203) (web_client.rules)
2806975 - ETPRO WEB_CLIENT Microsoft Internet Explorer type confusion 2 (CVE-2013-3203) (web_client.rules)
2806980 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (CVE-2013-3209) (web_client.rules)

[---] Removed rules: [---]

2806982 - ETPRO EXPLOIT Microsoft .theme file Download with malicious content CVE-2013-0810 (exploit.rules)
