[***] Summary: [***]
17 new OPEN, 30 new PRO (17 + 13). PureCrypter, Various CVEs, Various
Android, Others.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2038688 - ET EXPLOIT PAN-OS OS Command Injection Attempt Inbound
(CVE-2020-2038) (exploit.rules)
2038689 - ET MALWARE PureCrypter Requesting Injector M1 (malware.rules)
2038690 - ET MALWARE PureCrypter Requesting Injector M2 (malware.rules)
2038691 - ET MALWARE PureCrypter Requesting Injector - Known Campaign ID
M1 (malware.rules)
2038692 - ET MALWARE PureCrypter Requesting Injector - Known Campaign ID
M2 (malware.rules)
2038693 - ET MALWARE PureCrypter Requesting Injector - Known Campaign ID
M3 (malware.rules)
2038694 - ET MALWARE PureCrypter Requesting Injector - Known Campaign ID
M4 (malware.rules)
2038695 - ET MALWARE PureCrypter Requesting Injector - Known Campaign ID
M5 (malware.rules)
2038696 - ET EXPLOIT Possible SAP NetWeaver SQL Injection Attempt Inbound
(CVE-2016-2386) (exploit.rules)
2038697 - ET INFO Vulnerable SAP NetWeaver Path Observed - Information
Disclosure (CVE-2016-2388) (info.rules)
2038698 - ET EXPLOIT QNAP Photo Station Path Traversal Attempt Inbound
(CVE-2019-7195) (exploit.rules)
2038699 - ET INFO turbo.net SSL/TLS Certificate Observed (VDI and App
Virtualization Service) (info.rules)
2038700 - ET ADWARE_PUP Win32/ReImageRepair.T CnC Cookie Pattern
(adware_pup.rules)
2038701 - ET ADWARE_PUP Win32/ReImageRepair.T CnC Activity
(adware_pup.rules)
2038702 - ET USER_AGENTS Suspicious User-Agent (RestoroMainExe)
(user_agents.rules)
2038703 - ET ADWARE_PUP MuLauncher Telemetry Gathering Attempt
(adware_pup.rules)
2038704 - ET ADWARE_PUP Win32/Speedbit Variant Checkin (adware_pup.rules)
Pro:
2852265 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.SO CnC Domain in DNS
Lookup (mobile_malware.rules)
2852266 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Cebruser.san CnC
Domain in DNS Lookup (mobile_malware.rules)
2852267 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BYH CnC Domain in DNS
Lookup (mobile_malware.rules)
2852268 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Svpeng.z CnC
Domain in DNS Lookup (mobile_malware.rules)
2852269 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-08-31 1) (coinminer.rules)
2852270 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-08-31 2) (coinminer.rules)
2852271 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-08-31 3) (coinminer.rules)
2852272 - ETPRO HUNTING HTTP Request for BusinessICS Intl Limited Free
Trial Webhosting Domain (hunting.rules)
2852273 - ETPRO HUNTING Base64 Encoded ZIP containing VBS M1
(hunting.rules)
2852274 - ETPRO HUNTING Base64 Encoded ZIP containing VBS M2
(hunting.rules)
2852275 - ETPRO HUNTING Base64 Encoded ZIP containing VBS M3
(hunting.rules)
2852276 - ETPRO HUNTING Observed Base64 Encoding HTML ZIP Smuggling
Technique (hunting.rules)
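The names of rules 2852273 through 2852276 point at one delivery technique: an HTML file carries a ZIP archive as a base64 string, a small script decodes it in the browser and hands it to the user as a download, and the archive holds a VBS script. As an added, stand-alone illustration of what a detector for that pattern has to do (this is not the ETPRO rule logic, which is not reproduced here), the Python below builds a constructed sample page of that shape and then scans it: it pulls long base64 runs out of the document, decodes each one, keys on the ZIP local-file-header magic PK\x03\x04 (which base64-encodes to the fixed prefix UEsDB for the usual version-20 header), lists the archive members without extracting them, and flags script extensions. The page layout, the member name Invoice_0831.vbs and the VBS body are all constructed for this example.

```python
import base64
import io
import re
import zipfile

# Extensions that a smuggled archive would typically carry as the stage-1 script.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
# A long run of base64 alphabet characters with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def build_sample_html() -> str:
    """Constructed HTML smuggling page: a ZIP with one .vbs member, base64 in JS.

    The archive and its contents are synthetic and built here for the demo.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "Invoice_0831.vbs",
            'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "calc.exe"\r\n',
        )
    blob = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body>
<script>
  var data = "{blob}";
  var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
  var file = new Blob([bytes], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(file); a.download = "Invoice_0831.zip"; a.click();
</script>
</body></html>"""


def find_smuggled_zips(html: str) -> list[dict]:
    """Return one record per base64 run in `html` that decodes to a ZIP archive."""
    hits = []
    for m in B64_RUN.finditer(html):
        run = m.group(0)
        try:
            # Re-pad defensively; validate=True rejects runs with stray characters.
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except ValueError:
            continue
        # A non-empty ZIP starts with a local file header: 'PK\x03\x04'.
        if raw[:4] != b"PK\x03\x04":
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                infos = zf.infolist()
        except zipfile.BadZipFile:
            continue
        names = [i.filename for i in infos]
        hits.append({
            "offset": m.start(),                     # where the blob sits in the page
            "b64_prefix": run[:8],                   # 'UEsDB...' for a v2.0 header
            "zip_size": len(raw),
            "names": names,
            # Bit 0 of the general-purpose flag marks an encrypted member; names
            # stay in the clear, so the listing works even for password-protected ZIPs.
            "encrypted": any(i.flag_bits & 0x1 for i in infos),
            "script_members": [n for n in names if n.lower().endswith(SCRIPT_EXTS)],
        })
    return hits


def verdict(html: str) -> str:
    """Coarse triage label for a page, in the spirit of the rule names above."""
    hits = find_smuggled_zips(html)
    if any(h["script_members"] for h in hits):
        return "base64 ZIP containing script"
    if hits:
        return "base64 ZIP"
    return "clean"


if __name__ == "__main__":
    page = build_sample_html()
    for hit in find_smuggled_zips(page):
        print(hit)
    print(verdict(page))
```

Two caveats a practitioner will hit immediately. First, the single-regex approach only sees a blob that is one contiguous string; real smuggling pages routinely split the literal across concatenations, reverse it, or XOR it before `atob`, so this is a first-pass check that belongs next to JavaScript-aware inspection, not instead of it. Second, the member listing works on password-protected archives because classic ZIP encryption protects only member contents, never the central directory, so a `.vbs` name inside an encrypted ZIP is still a usable signal.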
[///] Modified active rules: [///]
2034200 - ET EXPLOIT TerraMaster TOS RCE via OS Command Injection Inbound
(CVE-2020-28188) (exploit.rules)
2850890 - ETPRO MALWARE Win32/ModernLoader Activity (POST) (malware.rules)
[---] Disabled and modified rules: [---]
2807659 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free
(CVE-2014-0288) (web_client.rules)
2807662 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free 2
(CVE-2014-0290) (web_client.rules)
2807800 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free
(CVE-2014-0297) (web_client.rules)
2807804 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free
(CVE-2014-0303) (web_client.rules)
2807805 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free
(CVE-2014-0304) (web_client.rules)
2807808 - ETPRO WEB_CLIENT Possible IE10 Memory Corruption Vulnerability
CVE-2014-0313 1 (web_client.rules)
2807809 - ETPRO WEB_CLIENT Possible IE10 Memory Corruption Vulnerability
CVE-2014-0313 2 (web_client.rules)
[---] Removed rules: [---]
2038668 - ET EXPLOIT dotCMS Unrestricted Upload of File Attempt Inbound
(CVE-2022-26352) (exploit.rules)
2852245 - ETPRO MOBILE_MALWARE Android/Spy.Agent.CIQ CnC Domain in DNS
Lookup (mobile_malware.rules)
2852246 - ETPRO MOBILE_MALWARE Observed Android/Spy.Agent.CIQ Domain in
TLS SNI (mobile_malware.rules)
---------------------------------------
James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team