[***] Summary: [***]
15 new OPEN, 15 new PRO (15 + 0). SilentLibrarian, GO/YamaBot, Remcos, Others.
Thanks @securelist, @securechicken, @jpcert, @StopMalvertisin, @TeamDreier
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2037241 - ET MALWARE Golang/Kaos/YamaBot CnC Activity (malware.rules)
2037242 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037243 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037244 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037245 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037246 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037247 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037248 - ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) (malware.rules)
2037249 - ET PHISHING Observed Malicious SSL/TLS Certificate (PayPal Phish Landing) (phishing.rules)
2037250 - ET MALWARE Win32/Remcos RAT Checkin 809 (malware.rules)
2037251 - ET MALWARE Win32/Remcos RAT Checkin 810 (malware.rules)
2037252 - ET MALWARE Golang/Kaos/YamaBot CnC Activity M2 (POST) (malware.rules)
2037253 - ET ATTACK_RESPONSE Poweshell Geo Check Before Execution (attack_response.rules)
2037254 - ET PHISHING BT Group Credential Phish Landing Page 2022-07-01 (phishing.rules)
2037255 - ET MALWARE Generic CMD Remote Shell (malware.rules)
[---] Disabled and modified rules: [---]
2016204 - ET WEB_SERVER Possible CVE-2013-0156 Ruby On Rails XML YAML tag with !ruby (web_server.rules)
2016322 - ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow (dos.rules)
2016324 - ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow (dos.rules)
2016325 - ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow (dos.rules)
2016326 - ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow (dos.rules)
2016822 - ET WEB_CLIENT Possible Internet Explorer Use After Free Inbound (CVE-2013-1347) (web_client.rules)
2017130 - ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163 2 (web_client.rules)
2017409 - ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 1 (exploit.rules)
2017410 - ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 2 (exploit.rules)
2017411 - ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 3 (exploit.rules)
2017568 - ET EXPLOIT Possible Metasploit Java CVE-2013-2465 Class Name Sub Algo (exploit.rules)
2017823 - ET EXPLOIT_KIT heapSpray in jjencode (exploit_kit.rules)
2017849 - ET EXPLOIT_KIT Possible CVE-2013-2551 As seen in SPL2 EK (exploit_kit.rules)
2806113 - ETPRO WEB_CLIENT CVE-2013-0092 GetMarkUpPtr Use After free 2 (web_client.rules)
2806634 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free 1 (CVE-2013-1347) (web_client.rules)
2806635 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free 2 (CVE-2013-1347) (web_client.rules)
2806637 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free 2 (CVE-2013-1348) (web_client.rules)
2806818 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (CVE-2013-3187) (web_client.rules)
2806819 - ETPRO WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3188 1 (web_client.rules)
2806820 - ETPRO WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3188 2 (web_client.rules)
2806821 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free CVE-2013-3194 (web_client.rules)
2807298 - ETPRO WEB_CLIENT IE noembed user after free (CVE-2013-5049) (web_client.rules)
2807300 - ETPRO WEB_CLIENT IE OnControlSelect Memory Corruption (CVE-2013-5052) 1 (web_client.rules)
2807301 - ETPRO WEB_CLIENT IE OnControlSelect Memory Corruption CVE-2013-5052 2 (web_client.rules)
2807302 - ETPRO WEB_CLIENT IE Scripting Dictionary User-After-Free (CVE-2013-5056) (web_client.rules)
[---] Removed rules: [---]
2017008 - ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit Specific (exploit.rules)
2017298 - ET WEB_CLIENT Possible Firefox CVE-2013-1690 (web_client.rules)
2017772 - ET EXPLOIT Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2471/2472/2473 (exploit.rules)
2017773 - ET EXPLOIT Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2465/2463 (exploit.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team