[***] Summary: [***]
53 new OPEN, 66 new PRO (53 + 13). Various Arid Viper
Domains, SharpNoPSExec, LunarBuilder, Win32.SpyEyes.bllw, various Coin Miners,
Phish.
Thanks: @DanielGallagher, @travisbgreen
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2032830 - ET MOBILE_MALWARE Arid Viper (dash-chat-c02b3 .firebaseio .com
in DNS Lookup) (mobile_malware.rules)
2032831 - ET MOBILE_MALWARE Arid Viper (dash-chat-c02b3 .appspot .com in
DNS Lookup) (mobile_malware.rules)
2032832 - ET MOBILE_MALWARE Arid Viper (hidden-chat-e58d7 .firebaseio
.com in DNS Lookup) (mobile_malware.rules)
2032833 - ET MOBILE_MALWARE Arid Viper (hidden-chat-e58d7 .appspot .com
in DNS Lookup) (mobile_malware.rules)
2032834 - ET MOBILE_MALWARE Arid Viper (calculator-1e016 .firebaseio .com
in DNS Lookup) (mobile_malware.rules)
2032835 - ET MOBILE_MALWARE Arid Viper (calculator-1e016 .appspot .com in
DNS Lookup) (mobile_malware.rules)
2032836 - ET MOBILE_MALWARE Arid Viper (samehnew-10a7c .firebaseio .com
in DNS Lookup) (mobile_malware.rules)
2032837 - ET MOBILE_MALWARE Arid Viper (samehnew-10a7c .appspot .com in
DNS Lookup) (mobile_malware.rules)
2032838 - ET MOBILE_MALWARE Arid Viper (play-store-51182 .firebaseio .com
in DNS Lookup) (mobile_malware.rules)
2032839 - ET MOBILE_MALWARE Arid Viper (play-store-51182 .appspot .com in
DNS Lookup) (mobile_malware.rules)
2032840 - ET MOBILE_MALWARE Arid Viper (stand-by-97c5c .firebaseio .com
in DNS Lookup) (mobile_malware.rules)
2032841 - ET MOBILE_MALWARE Arid Viper (stand-by-97c5c .appspot .com in
DNS Lookup) (mobile_malware.rules)
2032842 - ET MOBILE_MALWARE Arid Viper (es-last-telegram .firebaseio .com
in DNS Lookup) (mobile_malware.rules)
2032843 - ET MOBILE_MALWARE Arid Viper (es-last-telegram .appspot .com in
DNS Lookup) (mobile_malware.rules)
2032844 - ET MOBILE_MALWARE Arid Viper (margarita-smith .host in DNS
Lookup) (mobile_malware.rules)
2032845 - ET MOBILE_MALWARE Arid Viper (fasibauik .co in DNS Lookup)
(mobile_malware.rules)
2032846 - ET MOBILE_MALWARE Arid Viper (fasebcak .co in DNS Lookup)
(mobile_malware.rules)
2032847 - ET MOBILE_MALWARE Arid Viper (fasebcck .com in DNS Lookup)
(mobile_malware.rules)
2032848 - ET MOBILE_MALWARE Arid Viper (fasebcoki .com in DNS Lookup)
(mobile_malware.rules)
2032849 - ET MOBILE_MALWARE Arid Viper (fasebcak .com in DNS Lookup)
(mobile_malware.rules)
2032850 - ET MOBILE_MALWARE Arid Viper (fasbcaok .com in DNS Lookup)
(mobile_malware.rules)
2032851 - ET MOBILE_MALWARE Arid Viper (fasebaak .com in DNS Lookup)
(mobile_malware.rules)
2032852 - ET MOBILE_MALWARE Arid Viper (fasebaok .co in DNS Lookup)
(mobile_malware.rules)
2032853 - ET MOBILE_MALWARE Arid Viper (fasebaook .com in DNS Lookup)
(mobile_malware.rules)
2032854 - ET MOBILE_MALWARE Arid Viper (fasebaok .com in DNS Lookup)
(mobile_malware.rules)
2032855 - ET MOBILE_MALWARE Arid Viper (log-yoahao .co in DNS Lookup)
(mobile_malware.rules)
2032856 - ET MOBILE_MALWARE Arid Viper (log-yoheo .info in DNS Lookup)
(mobile_malware.rules)
2032857 - ET MOBILE_MALWARE Arid Viper (kevin-good .top in DNS Lookup)
(mobile_malware.rules)
2032858 - ET MOBILE_MALWARE Arid Viper (marty-colvard .top in DNS Lookup)
(mobile_malware.rules)
2032859 - ET MOBILE_MALWARE Arid Viper (anna-sanchez .online in DNS
Lookup) (mobile_malware.rules)
2032860 - ET MOBILE_MALWARE Arid Viper (wendy-johnston .pw in DNS Lookup)
(mobile_malware.rules)
2032861 - ET MOBILE_MALWARE Arid Viper (jennifer-marler .pw in DNS
Lookup) (mobile_malware.rules)
2032862 - ET MOBILE_MALWARE Arid Viper (goerge-amper .website in DNS
Lookup) (mobile_malware.rules)
2032863 - ET MOBILE_MALWARE Arid Viper (stacks-zadar .website in DNS
Lookup) (mobile_malware.rules)
2032864 - ET MOBILE_MALWARE Arid Viper (joe-rumley .pw in DNS Lookup)
(mobile_malware.rules)
2032865 - ET MOBILE_MALWARE Arid Viper (richardbeman .info in DNS Lookup)
(mobile_malware.rules)
2032866 - ET MOBILE_MALWARE Arid Viper (vickeryduncan .site in DNS
Lookup) (mobile_malware.rules)
2032867 - ET MOBILE_MALWARE Arid Viper (moggfelicio .info in DNS Lookup)
(mobile_malware.rules)
2032868 - ET MOBILE_MALWARE Arid Viper (stevensmalley .pro in DNS Lookup)
(mobile_malware.rules)
2032869 - ET MOBILE_MALWARE Arid Viper (kentporter .site in DNS Lookup)
(mobile_malware.rules)
2032870 - ET MOBILE_MALWARE Arid Viper (chad-jessie .info in DNS Lookup)
(mobile_malware.rules)
2032871 - ET MOBILE_MALWARE Arid Viper (lordblackwood .club in DNS
Lookup) (mobile_malware.rules)
2032872 - ET MOBILE_MALWARE Arid Viper (julie-parker .top in DNS Lookup)
(mobile_malware.rules)
2032873 - ET MOBILE_MALWARE Arid Viper (tim-jordan .info in DNS Lookup)
(mobile_malware.rules)
2032874 - ET MOBILE_MALWARE Arid Viper (hannah-parsons .info in DNS
Lookup) (mobile_malware.rules)
2032875 - ET TROJAN SharpNoPSExec EXE Lateral Movement Tool Downloaded
(trojan.rules)
2032876 - ET TROJAN Observed Win32.Raccoon Stealer CnC Domain
(blogsolutions .top in TLS SNI) (trojan.rules)
2032877 - ET TROJAN Observed Lunar Builder Domain (lunarbuilder
.000webhostapp .com in TLS SNI) (trojan.rules)
2032878 - ET TROJAN Lunar Builder Exfil Attempt (trojan.rules)
2032879 - ET TELNET Possible Lunar Builder CnC Activity (telnet.rules)
2032880 - ET INFO RDP Wrapper Download (bat) (info.rules)
2032881 - ET INFO RDP Wrapper Download (ini) (info.rules)
2032882 - ET TROJAN Win32/Koubbeh Sending Windows System Info
(trojan.rules)
Pro:
2848325 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)
(trojan.rules)
2848326 - ETPRO TROJAN Win32.SpyEyes.bllw CnC Checkin (trojan.rules)
2848327 - ETPRO TROJAN Win32.SpyEyes.bllw CnC Exfil (trojan.rules)
2848328 - ETPRO INFO Suspicious HTTP POST Boundary (qwerty) (info.rules)
2848329 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-26 1) (trojan.rules)
2848330 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-26 2) (trojan.rules)
2848331 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-26 3) (trojan.rules)
2848332 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-26 4) (trojan.rules)
2848333 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-26 5) (trojan.rules)
2848334 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-26 6) (trojan.rules)
2848335 - ETPRO TROJAN Observed DCRat Domain (vksticks4free .ru in TLS
SNI) (trojan.rules)
2848336 - ETPRO TROJAN Win32/Remcos RAT Checkin 707 (trojan.rules)
2848337 - ETPRO CURRENT_EVENTS Successful Citizens Bank Phish 2021-04-27
(current_events.rules)
[///] Modified active rules: [///]
2028611 - ET TROJAN Magecart CnC Domain Observed in DNS Query
(trojan.rules)
2029699 - ET TROJAN MSIL/Modi RAT CnC Command Inbound (plugin)
(trojan.rules)
2032804 - ET TROJAN Lunar Builder Exfil via Discord (trojan.rules)
2811176 - ETPRO TROJAN Luminosity Link RAT CnC Beacon Outbound
(trojan.rules)
2847389 - ETPRO TROJAN DTLoader CnC Activity (trojan.rules)