[***] Summary: [***]

4 new OPEN, 21 new PRO (4 + 17). Win32/XRat.AT Variant, PurpleFox
EK, MSIL/NM.Stealer CnC, ELF/Gafygt Variant, Coinminers, Phish.

Thanks: Josh Stroschein (@jstrosch)

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2032888 - ET TELNET Win32/XRat.AT Variant CnC Activity (telnet.rules)
2032889 - ET CURRENT_EVENTS PurpleFox EK Landing Page Domain in SNI
(current_events.rules)
2032890 - ET TROJAN Observed Win32.Raccoon Stealer CnC Domain
(realonlinetrend .top in TLS SNI) (trojan.rules)
2032891 - ET TROJAN Malicious lnk Activity (trojan.rules)

Pro:

2848344 - ETPRO TROJAN MSIL/NM.Stealer CnC Checkin (trojan.rules)
2848345 - ETPRO TROJAN MSIL/NM.Stealer CnC Data Exfil (trojan.rules)
2848346 - ETPRO INFO Suspicious Base64 Content in HTTP Header (Microsoft
Windows) (info.rules)
2848347 - ETPRO INFO Suspicious HTTP Header (Screen) (info.rules)
2848348 - ETPRO INFO Suspicious HTTP Header (AV) (info.rules)
2848349 - ETPRO INFO Suspicious HTTP Header (CPU) (info.rules)
2848350 - ETPRO INFO Suspicious HTTP Header (GPU) (info.rules)
2848351 - ETPRO INFO Suspicious HTTP Header (RAM) (info.rules)
2848352 - ETPRO INFO Suspicious HTTP Header (HWID) (info.rules)
2848353 - ETPRO TROJAN ELF/Gafygt Variant CnC Activity (trojan.rules)
2848354 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-28 1) (trojan.rules)
2848355 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-28 2) (trojan.rules)
2848356 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-28 3) (trojan.rules)
2848357 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2021-04-28 4) (trojan.rules)
2848358 - ETPRO CURRENT_EVENTS PurpleFox EK Landing Page Observed
(current_events.rules)
2848359 - ETPRO TROJAN RMS Checkin via SMTP (trojan.rules)
2848360 - ETPRO CURRENT_EVENTS Successful ICS Cards Phish (NL) 2021-04-29
(current_events.rules)
