[***] Summary: [***]
8 new OPEN, 38 new PRO (8 + 30) Cobalt Strike, PULSECHECK, SLIGHTPULSE, Raccoon Stealer, and Android/Agent.BQX
Thanks @rootprivilege and Jason Reaves
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2032784 - ET TROJAN Cobalt Strike Stager Time Check M1 (trojan.rules)
2032785 - ET TROJAN Cobalt Strike Stager Time Check M2 (trojan.rules)
2032786 - ET TROJAN Suspected PULSECHECK Webshell Access Inbound (trojan.rules)
2032787 - ET TROJAN Possibly SLIGHTPULSE Related - Suspicious POST to Specific URI Path (trojan.rules)
2032788 - ET TROJAN Magecart/Skimmer - _try_action Exfil Attempt (trojan.rules)
2032789 - ET TROJAN Observed Magecart/Skimmer - _try_action CnC Domain (cdn-frontend .com in TLS SNI) (trojan.rules)
2032790 - ET TROJAN Observed Win32.Raccoon Stealer CnC Domain (newageiscoming .top in TLS SNI) (trojan.rules)
2032791 - ET TROJAN HabitsRAT Checkin (trojan.rules)
Pro:
2848233 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.Agent.af (TLS SNI) (mobile_malware.rules)
2848234 - ETPRO MOBILE_MALWARE Android/HiddenApp.KA (TLS SNI) (mobile_malware.rules)
2848235 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 18 (mobile_malware.rules)
2848236 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 19 (mobile_malware.rules)
2848237 - ETPRO TROJAN Observed Malicious Filename in Outbound POST Request (ApocalypseStealer.) (trojan.rules)
2848238 - ETPRO TROJAN Observed Malicious Filename in Outbound POST Request (Telegram - @) (trojan.rules)
2848239 - ETPRO TROJAN Observed Malicious Filename in Outbound POST Request (Webcam.) (trojan.rules)
2848240 - ETPRO TROJAN Observed Malicious Filename in Outbound POST Request ([Log] Information.txt) (trojan.rules)
2848241 - ETPRO TROJAN Observed Malicious Filename in Outbound POST Request ([Detailed] Information.txt) (trojan.rules)
2848242 - ETPRO INFO Observed Suspicious Filename in Outbound POST Request (PCInfo.txt) (info.rules)
2848243 - ETPRO INFO Observed Suspicious Filename in Outbound POST Request (AboutPC.txt) (info.rules)
2848244 - ETPRO INFO Observed Suspicious Filename in Outbound POST Request (ProcessList.txt) (info.rules)
2848245 - ETPRO TROJAN Observed Malicious Filename in Outbound POST Request (Browsers/Cookies/Firefox_) (trojan.rules)
2848246 - ETPRO TROJAN Observed Malicious Filename in Outbound POST Request (Browsers/Cookies/Google) (trojan.rules)
2848247 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-19 1) (trojan.rules)
2848248 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-19 2) (trojan.rules)
2848249 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-19 3) (trojan.rules)
2848250 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-19 4) (trojan.rules)
2848251 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-19 5) (trojan.rules)
2848252 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-19 6) (trojan.rules)
2848253 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-19 7) (trojan.rules)
2848254 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-19 8) (trojan.rules)
2848255 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-19 9) (trojan.rules)
2848256 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-19 10) (trojan.rules)
2848257 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-19 11) (trojan.rules)
2848258 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-19 12) (trojan.rules)
2848259 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-19 13) (trojan.rules)
2848260 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-04-19 14) (trojan.rules)
2848261 - ETPRO CURRENT_EVENTS Successful Chase Phish 2021-04-20 (current_events.rules)
2848262 - ETPRO CURRENT_EVENTS Successful RBC Royal Bank Phish 2021-04-20 (current_events.rules)
[///] Modified active rules: [///]
2834895 - ETPRO TROJAN Observed Qbot Style SSL Certificate (trojan.rules)
2845893 - ETPRO TROJAN MSIL/Apocalypse Stealer CnC Exfil (trojan.rules)
[---] Disabled rules: [---]
2846476 - ETPRO TROJAN Malicious SSL Certificate detected (PlugX CnC) (trojan.rules)