[***] Summary: [***]

12 new OPEN, 33 new PRO (12 + 21). HyperBro, AsyncRAT Variant,
Saint Bot, Various Phish, Others.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2032746 - ET TROJAN Cobalt Strike Malleable C2 (QiHoo Profile) (trojan.rules)
2032747 - ET TROJAN Cobalt Strike Malleable C2 (MSDN Query Profile) (trojan.rules)
2032748 - ET TROJAN Cobalt Strike Malleable C2 Webbug Profile (trojan.rules)
2032749 - ET TROJAN Cobalt Strike Malleable C2 Amazon Profile (trojan.rules)
2032750 - ET TROJAN Cobalt Strike Malleable C2 OCSP Profile (trojan.rules)
2032751 - ET TROJAN Cobalt Strike Malleable C2 (jquery Profile) (trojan.rules)
2032752 - ET TROJAN Cobalt Strike Malleable C2 (Microsoft Update GET) (trojan.rules)
2032753 - ET TROJAN Saint Bot CnC Activity (trojan.rules)
2032754 - ET TROJAN Cobalt Strike Malleable C2 (TrevorForget Profile) (trojan.rules)
2032755 - ET TROJAN Cobalt Strike Malleable C2 (Wordpress Profile) (trojan.rules)
2032756 - ET TROJAN Cobalt Strike Malleable C2 (WooCommerce Profile) (trojan.rules)
2032757 - ET TROJAN Cobalt Strike Malleable C2 (WooCommerce Profile) (trojan.rules)

Pro:

2848150 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 16 (mobile_malware.rules)
2848151 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 17 (mobile_malware.rules)
2848152 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) (trojan.rules)
2848153 - ETPRO CURRENT_EVENTS Successful Amazon Phish 2021-04-13 (current_events.rules)
2848154 - ETPRO CURRENT_EVENTS Successful Amazon Phish 2021-04-13 (current_events.rules)
2848155 - ETPRO CURRENT_EVENTS Successful Intesa Sanpaolo Phish 2021-04-13 (current_events.rules)
2848156 - ETPRO CURRENT_EVENTS Successful WeTransfer Phish 2021-04-13 (current_events.rules)
2848157 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2021-04-13 (current_events.rules)
2848158 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2021-04-13 (current_events.rules)
2848159 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-13 1) (trojan.rules)
2848160 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-13 2) (trojan.rules)
2848161 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-13 3) (trojan.rules)
2848162 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-13 4) (trojan.rules)
2848163 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-13 5) (trojan.rules)
2848164 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-13 6) (trojan.rules)
2848165 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-13 7) (trojan.rules)
2848166 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-13 8) (trojan.rules)
2848167 - ETPRO CURRENT_EVENTS Successful Bank of America Phish 2021-04-13 (current_events.rules)
2848168 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish 2021-04-13 (current_events.rules)
2848169 - ETPRO TROJAN HyperBro CnC Activity (trojan.rules)

[///] Modified active rules: [///]

2024981 - ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain (trojan.rules)
2024982 - ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain (trojan.rules)
2024983 - ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain (trojan.rules)
2025121 - ET TROJAN MewsSpy.AE Onion Domain (cxkefbwo7qcmlelb in DNS Lookup) (trojan.rules)
2828543 - ETPRO TROJAN APT28 Uploader DNS Lookup (trojan.rules)

[---] Removed rules: [---]

2826154 - ETPRO TROJAN Cobalt Strike Malleable C2 Webbug Profile (trojan.rules)
2826178 - ETPRO TROJAN Cobalt Strike Malleable C2 Amazon Profile (trojan.rules)
2826385 - ETPRO TROJAN Cobalt Strike Malleable C2 OCSP Profile (trojan.rules)
2834435 - ETPRO WEB_CLIENT Credential Phishing DNS Lookup Jan 17 2019 (web_client.rules)
2841779 - ETPRO TROJAN Cobalt Strike Malleable C2 (jquery Profile) (trojan.rules)
2844368 - ETPRO TROJAN Cobalt Strike Malleable C2 (QiHoo Profile) (trojan.rules)
2844507 - ETPRO TROJAN Cobalt Strike Malleable C2 (Microsoft Update GET) (trojan.rules)
2844905 - ETPRO TROJAN Cobalt Strike Malleable C2 (MSDN Query Profile) (trojan.rules)
2845604 - ETPRO TROJAN Cobalt Strike Malleable C2 (TrevorForget Profile) (trojan.rules)
2847064 - ETPRO TROJAN Cobalt Strike Malleable C2 (WooCommerce Profile) (trojan.rules)
2847065 - ETPRO TROJAN Cobalt Strike Malleable C2 (WooCommerce Profile) (trojan.rules)
2847171 - ETPRO TROJAN Cobalt Strike Malleable C2 (Wordpress Profile) (trojan.rules)
2847641 - ETPRO TROJAN Win32/Agent.ACUD Variant CnC Activity (trojan.rules)

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team