[***] Summary: [***]

7 new OPEN, 33 new PRO (7 + 26). Cobalt Strike, Remcos, Android/Agent.BQX, Others.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2032951 - ET TROJAN Observed Cobalt Strike User-Agent (trojan.rules)
2032952 - ET TROJAN Observed Malicious SSL Cert (Fake Gmail Self Signed - Possible Cobalt Strike) (trojan.rules)
2032953 - ET TROJAN Cobalt Strike Malleable C2 (Unknown Profile) (trojan.rules)
2032955 - ET TROJAN Observed Cobalt Strike CnC Domain (security-desk .com in TLS SNI) (trojan.rules)
2032956 - ET TROJAN Cobalt Strike Malleable C2 (Unknown Profile) (trojan.rules)
2032957 - ET TROJAN Cobalt Strike Malleable C2 (Unknown Profile) (trojan.rules)
2032958 - ET TROJAN Observed DarkSide Ransomware CnC Domain in TLS SNI (trojan.rules)

Pro:

2848509 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 63 (mobile_malware.rules)
2848510 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 64 (mobile_malware.rules)
2848511 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 65 (mobile_malware.rules)
2848512 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 66 (mobile_malware.rules)
2848513 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 67 (mobile_malware.rules)
2848514 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 68 (mobile_malware.rules)
2848515 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 69 (mobile_malware.rules)
2848516 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848517 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848518 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848519 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848520 - ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) (trojan.rules)
2848521 - ETPRO TROJAN Cobalt Strike Malleable C2 (Unknown Profile) (trojan.rules)
2848522 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-13 1) (trojan.rules)
2848523 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-13 2) (trojan.rules)
2848524 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-13 3) (trojan.rules)
2848525 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-13 4) (trojan.rules)
2848526 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-05-13 5) (trojan.rules)
2848527 - ETPRO POLICY Inbound Batch Script Setting System/Hidden Files (policy.rules)
2848528 - ETPRO TROJAN Win32/Remcos RAT Checkin 709 (trojan.rules)
2848529 - ETPRO TROJAN Win32/Remcos RAT Checkin 710 (trojan.rules)
2848530 - ETPRO TROJAN Win32/Remcos RAT Checkin 711 (trojan.rules)
2848531 - ETPRO TROJAN Win32/Remcos RAT Checkin 712 (trojan.rules)
2848532 - ETPRO TROJAN Win32/Remcos RAT Checkin 713 (trojan.rules)
2848533 - ETPRO TROJAN Win32/Remcos RAT Checkin 714 (trojan.rules)
2848534 - ETPRO CURRENT_EVENTS Successful Citibank Phish 2021-05-13 (current_events.rules)

[///] Modified active rules: [///]

2028618 - ET TROJAN Tortoiseshell/SysKit CnC Activity (trojan.rules)
2838285 - ETPRO TROJAN Gh0stCringe/RunningRAT CnC Activity M4 (trojan.rules)

[///] Modified inactive rules: [///]

2810387 - ETPRO TROJAN CoinMiner Known malicious stratum authline (15md2Xg6ET82CJ2NBGMaUcK7c3jT38Tat2) (trojan.rules)

[---] Disabled rules: [---]

2814897 - ETPRO TROJAN W32.YoungLotus Checkin (trojan.rules)

[---] Removed rules: [---]

2846293 - ETPRO TROJAN Observed DarkSide Ransomware CnC Domain in TLS SNI (trojan.rules)

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
